Bug 979379 - FreeIPA's PKI cannot write to CRL publishing directory
Summary: FreeIPA's PKI cannot write to CRL publishing directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 984169
Depends On: 976308
Blocks:
 
Reported: 2013-06-28 11:22 UTC by Martin Kosek
Modified: 2013-07-26 23:07 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-3.12.1-66.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-07-26 23:07:05 UTC
Type: Bug
Embargoed:



Description Martin Kosek 2013-06-28 11:22:00 UTC
Description of problem:

This is a follow-up for Bug 976308. FreeIPA Identity Management solution configures PKI/Dogtag to store CRL files in the IPA-owned directory /var/lib/ipa/pki-ca/publish/, which is then mapped to an httpd address so that clients can download the CRL and validate a certificate:

# openssl x509 -text -in /tmp/1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
...
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority


Historically, there used to be our custom SELinux subpackage which added a policy to mark this directory with the cert_t label and then allowed httpd to read this label. However, this directory was dropped as we use system SELinux policy only.

Original policy:
https://git.fedorahosted.org/cgit/freeipa.git/tree/selinux/ipa_dogtag/ipa_dogtag.te?h=ipa-3-2

Changes to selinux-policy in Bug 976308 properly marked the CRL directory with the cert_t label; however, PKI still cannot write to this directory, and this leads to the following AVC:

type=AVC msg=audit(1372363810.078:7970): avc:  denied  { write } for  pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-57.fc19.noarch
selinux-policy-targeted-3.12.1-57.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install latest FreeIPA 3.3 development version which has the freeipa-server-selinux subpackage removed, i.e. freeipa-server from http://jdennis.fedorapeople.org/ipa-devel/fedora/19/x86_64/os/
2. Run ipa-server-install

Actual results:
Install succeeds, but there is no CRL in /var/lib/ipa/pki-ca/publish/ and AVC is logged.

Expected results:
Install succeeds, there are CRLs in /var/lib/ipa/pki-ca/publish/ and no AVC is logged.

Additional info:

Comment 1 Daniel Walsh 2013-06-28 11:56:56 UTC
Rob, should we allow this? I.e. pki_tomcat_t manage_cert_perms.

Comment 2 Martin Kosek 2013-06-28 12:17:24 UTC
I am not Rob, but I think so.

If this is not an option, a second approach would be to change label for /var/lib/ipa/pki-ca/publish/ added in Bug 976308 from cert_t to some specific label which would be writable by PKI and readable by apache (who serves the CRLs via HTTP).

Comment 3 Miroslav Grepl 2013-06-28 12:23:26 UTC
So /var/lib/ipa/pki-ca/publish/ is read by apache and pki* only?

Comment 4 Martin Kosek 2013-06-28 12:29:13 UTC
Yes, I am not aware of any other service that would read it.

Note that pki also needs write access to this directory and needs to be able to create symlinks in it (as defined in the deprecated freeipa-server-selinux subpackage: https://git.fedorahosted.org/cgit/freeipa.git/tree/selinux/ipa_dogtag/ipa_dogtag.te?h=ipa-3-2).

Comment 5 Rob Crittenden 2013-07-01 13:51:12 UTC
Martin and I are in agreement.

Comment 6 Miroslav Grepl 2013-07-01 16:06:51 UTC
So how about

chcon -R -t pki_tomcat_cert_t /var/lib/ipa/pki-ca/publish/

Comment 7 Martin Kosek 2013-07-15 11:59:32 UTC
Back from 2-week-long PTO. I tried the change and I still see an issue with PKI being unable to create symlinks:

type=AVC msg=audit(1373845814.366:164): avc:  denied  { create } for  pid=4773 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file

Otherwise it looked OK - PKI was able to write the CRL file and httpd was able to read and publish them to users.

Can the lnk_file create ability be added for PKI, or do we need to take another approach?
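The two AVC records in this thread (the cert_t dir denial in the description and the pki_tomcat_cert_t lnk_file denial in Comment 7) and the chcon step from Comment 6, worked through as an added example. This is not code from the bug report, from FreeIPA or from selinux-policy; the function and variable names are this example's own, and the relabel helper assumes a Fedora host with root and the semanage, restorecon and matchpathcon tools. The AVC sample lines are the ones quoted in the bug, with their wrapped whitespace normalised.

```shell
#!/bin/sh
# Added example: not code from this bug report, FreeIPA or selinux-policy.
# Function and variable names below are this example's own choices.
#
#   avc_to_allow_rule   - turn one AVC record into the allow rule it is asking for
#                         (source type, target type, class, permissions), the tuple
#                         the policy discussion in this bug is really about.
#   audit_log_to_rules  - do that for every denial in an audit log read from stdin.
#   relabel_publish_dir - make the pki_tomcat_cert_t label from Comment 6 persistent.
#                         chcon changes only the on-disk label; a later restorecon or
#                         a full relabel resets it from the file_contexts database, so
#                         the type has to be recorded there too. Needs root and the
#                         SELinux tools (semanage, restorecon, matchpathcon); it only
#                         runs when the script is started with --apply.

PUBLISH_DIR=/var/lib/ipa/pki-ca/publish
PUBLISH_TYPE=pki_tomcat_cert_t

# The two AVC records quoted in the bug, embedded as sample input (whitespace normalised).
SAMPLE_AVC_DIR='type=AVC msg=audit(1372363810.078:7970): avc:  denied  { write } for  pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir'
SAMPLE_AVC_LNK='type=AVC msg=audit(1373845814.366:164): avc:  denied  { create } for  pid=4773 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file'

# Print "allow <src_type> <tgt_type>:<class> { <perms> };" for the AVC record in $1.
# Only the type field (third colon-separated component) of each context is kept,
# because that is what allow rules are written against.
avc_to_allow_rule() {
    printf '%s\n' "$1" | sed -n -E \
        's/^.*[{] ([^}]*[^ }]) [}] .*scontext=[^:]*:[^:]*:([^:]+):.*tcontext=[^:]*:[^:]*:([^:]+):.*tclass=([^ ]+).*$/allow \2 \3:\4 { \1 };/p'
}

# Reduce an audit log on stdin to the distinct rules its denials ask for,
# roughly what "audit2allow -a" would print. Non-AVC records are ignored.
audit_log_to_rules() {
    grep -E 'avc: +denied' | while IFS= read -r line; do
        avc_to_allow_rule "$line"
    done | sort -u
}

relabel_publish_dir() {
    # Record the type in the file_contexts database, then apply it on disk.
    semanage fcontext -a -t "$PUBLISH_TYPE" "${PUBLISH_DIR}(/.*)?"
    restorecon -Rv "$PUBLISH_DIR"
    # The database and the on-disk label must now agree.
    matchpathcon "$PUBLISH_DIR"
    ls -dZ "$PUBLISH_DIR"
}

if [ "${1:-}" = "--apply" ]; then
    relabel_publish_dir
else
    # Offline run over the two records from the bug.
    avc_to_allow_rule "$SAMPLE_AVC_DIR"
    avc_to_allow_rule "$SAMPLE_AVC_LNK"
fi
```

Run without arguments it prints `allow pki_tomcat_t cert_t:dir { write };` and `allow pki_tomcat_t pki_tomcat_cert_t:lnk_file { create };`; started as root with --apply it records and applies the label. The rules it prints are what the denials ask for, not necessarily what should be granted: the thread resolves the first denial by moving the directory to a pki-specific type rather than letting pki_tomcat_t write to every cert_t file, which keeps the grant narrow.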

Comment 8 Miroslav Grepl 2013-07-15 13:09:53 UTC
No, this should be a part of the policy package. But how about labeling? I should probably drop the change to cert_t per another bug where we are discussing it.

Comment 9 Miroslav Grepl 2013-07-15 13:26:43 UTC
*** Bug 984169 has been marked as a duplicate of this bug. ***

Comment 10 Martin Kosek 2013-07-18 06:39:29 UTC
Miroslav and I worked on this one; freeipa-server-3.2.2-1.f19 + selinux-policy-3.12.1-65.fc19 should fix this issue.

Comment 12 Niki Guldbrand 2013-07-18 06:50:41 UTC
Sounds good, is freeipa-server-selinux being deprecated/obsoleted now, instead of in the freeipa-3.3 time frame ?

Comment 13 Martin Kosek 2013-07-18 07:09:56 UTC
Yes, FreeIPA team decided to backport the obsoleting patches and remove the SELinux subpackage in FreeIPA 3.2.2 as all policy we need is now kept in system policy.

The latest update in Fedora 19 already contains this change:
https://admin.fedoraproject.org/updates/FEDORA-2013-13224/freeipa-3.2.2-1.fc19

Comment 14 Fedora Update System 2013-07-24 14:14:57 UTC
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19

Comment 15 Fedora Update System 2013-07-25 00:36:15 UTC
Package selinux-policy-3.12.1-66.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2013-07-26 23:07:05 UTC
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

