980143 – semanage never reloads policy

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 980143 - semanage never reloads policy

Summary: semanage never reloads policy

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	policycoreutils
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-07-01 14:16 UTC by Kaleem
Modified:	2015-11-02 13:52 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 11:32:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
configuration file (473 bytes, text/plain) 2013-07-01 14:16 UTC, Kaleem	no flags	Details
semanage-port.patch (2.38 KB, patch) 2013-07-18 20:13 UTC, Miroslav Grepl	no flags	Details \| Diff
View All

Description Kaleem 2013-07-01 14:16:29 UTC

Created attachment 767412 [details]
configuration file

Description of problem:
instance creation on RHEL 7.0 failed when selinux mode is enforcing and different port other than 389 is used. 

When port 389 is used , instance creation is successful. 

Version-Release number of selected component (if applicable):
[root@rhel70-ipa-client ~]# rpm -qa|grep 389
389-ds-base-libs-1.3.1.2-1.el7.x86_64
389-ds-base-1.3.1.2-1.el7.x86_64
[root@rhel70-ipa-client ~]#


How reproducible:
Always

Steps to Reproduce:
1.Add a port 3389 for ldap_port_t in selinux db.

[root@rhel70-ipa-client ~]# semanage port -l|grep ldap_port_t
ldap_port_t                    tcp      3389, 389, 636, 3268, 7389
ldap_port_t                    udp      3389, 389, 636
[root@rhel70-ipa-client ~]# getenforce
Enforcing
[root@rhel70-ipa-client ~]#

2.Use attached configuration file for instance creation

[root@rhel70-ipa-client ~]# /usr/sbin/setup-ds.pl --silent --file=/tmp/instance.inf
Job for dirsrv failed. See 'systemctl status dirsrv' and 'journalctl -xn' for details.
[01/Jul/2013:17:47:33 +051800] createprlistensockets - PR_Bind() on All Interfaces port 3389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Could not start the directory server using command '/bin/systemctl start dirsrv'.  The last line from the error log was '[01/Jul/2013:17:47:33 +051800] createprlistensockets - PR_Bind() on All Interfaces port 3389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Error: Could not create directory server instance 'instance1'.
Exiting . . .
Log file is '/tmp/setupeMDoaG.log'

[root@rhel70-ipa-client ~]# 

Actual results:
Instance creation failed.

Expected results:
Instance creation should be successful.

Additional info:
1.Please find the attached configuration file (instance.inf) for instance creation.

2.  
When selinux mode is changed to permissive, instance creation is successful.

[root@rhel70-ipa-client ~]# setenforce 0
[root@rhel70-ipa-client ~]# getenforce
Permissive
[root@rhel70-ipa-client ~]#

[root@rhel70-ipa-client ~]# remove-ds.pl -i slapd-instance1
Instance slapd-instance1 removed.
[root@rhel70-ipa-client ~]#

[root@rhel70-ipa-client ~]# /usr/sbin/setup-ds.pl --silent --file=/tmp/instance.inf
Your new DS instance 'instance1' was successfully created.
Exiting . . .
Log file is '/tmp/setupg_ifHP.log'
[root@rhel70-ipa-client ~]#

Comment 2 Nathan Kinder 2013-07-01 14:39:20 UTC

We need to see the AVC messages from /var/log/audit/audit when you attempt to create an instance on a non-default port.  Please do this with SELinux in Permissive mode.

Comment 3 Kaleem 2013-07-01 14:55:00 UTC

extract from audit logs:
=======================

type=USER_AVC msg=audit(1372690070.577:650): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1372690070.679:651): avc:  denied  { name_bind } for  pid=25338 comm="ns-slapd" src=3389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372690070.679:651): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff5b449740 a2=1c a3=7fff5b449500 items=0 ppid=1 pid=25338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=SERVICE_START msg=audit(1372690070.686:652): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@instance1" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 4 Sankar Ramalingam 2013-07-01 19:43:36 UTC

AVC error messages in selinux enforcing mode when creating the instance.

type=AVC msg=audit(1372707310.496:993): avc:  denied  { name_bind } for  pid=28010 comm="ns-slapd" src=1989 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372707310.496:993): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fff8a21c120 a2=1c a3=7fff8a21bee0 items=0 ppid=1 pid=28010 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=SERVICE_START msg=audit(1372707310.520:994): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@testsnewew" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


AVC error messages when starting the DS instance in enforcing mode.

type=AVC msg=audit(1372707405.218:995): avc:  denied  { name_bind } for  pid=28054 comm="ns-slapd" src=1989 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372707405.218:995): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fff259c3b50 a2=1c a3=7fff259c3910 items=0 ppid=28014 pid=28054 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=12 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)


Error messages observed for selinux permissive. With permissive mode, there was no problem starting/creating the DS instance.

type=AVC msg=audit(1372707557.590:998): avc:  denied  { name_bind } for  pid=28181 comm="ns-slapd" src=1389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372707557.590:998): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fffb3e80900 a2=1c a3=7fffb3e806c0 items=0 ppid=1 pid=28181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=SERVICE_START msg=audit(1372707557.595:999): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@selinperm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1372707627.950:1000): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="dirsrv@selinperm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

type=AVC msg=audit(1372707628.775:1001): avc:  denied  { name_bind } for  pid=28357 comm="ns-slapd" src=1389 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372707628.775:1001): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff17e287f0 a2=1c a3=7fff17e285b0 items=0 ppid=28315 pid=28357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=12 tty=pts1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Comment 5 Nathan Kinder 2013-07-05 17:37:02 UTC

I see the same AVC message mentioned in comment#4 on a RHEL7 system using the following package versions:

  389-ds-base-1.3.1.2-1.el7.x86_64
  selinux-policy-3.12.1-56.el7.noarch

This problem does not exist on F19 systems.  There is likely some difference in the SELinux policy between the two distributions, but I didn't notice anything obviously missing in the selinux-policy source on RHEL7.

Comment 6 Nathan Kinder 2013-07-05 18:57:26 UTC

I also noticed that this only happens when you use a non-standard port.  If I create a DS instance on a port that is labelled as ldap_port_t by the base policy (like port 389), the instance starts up without any AVC messages.  If I select a non-standard port (like port 4370), I encounter the AVC.  The interesting thing is that the port is labelled as ldap_port_t if I check immediately after the DS installer errors out:

  [root@server SOURCES]# semanage port -l | grep 4370
  ldap_port_t                    tcp      4370, 389, 636, 3268, 7389

The port labelling is done by the DS installer calling semanage.  This is obviously working since the port is labelled according to semanage, yet there is clearly some difference between using port 389 and a non-standard port.

I also disabled the dontaudit rules, but there is only the one AVC related to name_bind.

Once thing that seems odd is that I don't see any MAC_POLICY_LOAD messages in /var/log/audit/audit.log when the DS installer is running.  I am used to seeing these messages in the audit log when we label ports via semanage.

Comment 7 Nathan Kinder 2013-07-10 21:26:44 UTC

Is there an update on this?  This is blocking our QE group from testing 389-ds-base for RHEL 7.0.

I am not sure how to further troubleshoot the issue, so any assistance would be great.  Please let me know if there is any other info that I can provide.

Comment 8 Miroslav Grepl 2013-07-12 11:37:45 UTC

I probably missed your points. 

You use non-standard ports which are labeled using semanage but you are still getting

type=AVC msg=audit(1372707557.590:998): avc:  denied  { name_bind } for  pid=28181 comm="ns-slapd" src=1389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1372707557.590:998): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fffb3e80900 a2=1c a3=7fffb3e806c0 items=0 ppid=1 pid=28181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)

Comment 9 Nathan Kinder 2013-07-12 14:51:00 UTC

(In reply to Miroslav Grepl from comment #8)
> I probably missed your points. 
> 
> You use non-standard ports which are labeled using semanage but you are
> still getting
> 
> type=AVC msg=audit(1372707557.590:998): avc:  denied  { name_bind } for 
> pid=28181 comm="ns-slapd" src=1389 scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1372707557.590:998): arch=c000003e syscall=49
> success=yes exit=0 a0=6 a1=7fffb3e80900 a2=1c a3=7fffb3e806c0 items=0 ppid=1
> pid=28181 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 ses=4294967295 tty=(none) comm="ns-slapd" exe="/usr/sbin/ns-slapd"
> subj=system_u:system_r:dirsrv_t:s0 key=(null)

Yes, that is correct.

Comment 10 Nathan Kinder 2013-07-12 18:30:49 UTC

Here is what I am seeing on a RHEL 7 system from the most recent compose (20130712.n.0):

---------------------------------------------------------------
[root@hp-bl460c-02 ~]# semanage port -l | grep ldap
ldap_port_t                    tcp      389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
[root@hp-bl460c-02 ~]# setup-ds.pl
...
<go through install selecting port 1389, defaults for the rest>
...
Job for dirsrv failed. See 'systemctl status dirsrv' and 'journalctl -xn' for details.
[12/Jul/2013:14:24:06 -0400] createprlistensockets - PR_Bind() on All Interfaces port 1389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Could not start the directory server using command '/bin/systemctl start dirsrv'.  The last line from the error log was '[12/Jul/2013:14:24:06 -0400] createprlistensockets - PR_Bind() on All Interfaces port 1389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Error: Could not create directory server instance 'hp-bl460c-02'.
Exiting . . .
Log file is '/tmp/setupndY_rg.log'

[root@hp-bl460c-02 ~]# semanage port -l | grep ldap
ldap_port_t                    tcp      1389, 389, 636, 3268, 7389
ldap_port_t                    udp      389, 636
[root@hp-bl460c-02 ~]#
---------------------------------------------------------------

The AVC is the same as mentioned in comment#8.

Comment 11 Miroslav Grepl 2013-07-16 13:25:00 UTC

Then the install process failed.

Comment 12 Miroslav Grepl 2013-07-16 13:48:03 UTC

I mean there will be a bug in setup-ds.pl.

Comment 13 Nathan Kinder 2013-07-16 16:34:07 UTC

(In reply to Miroslav Grepl from comment #12)
> I mean there will be a bug in setup-ds.pl.

In setup-ds.pl, we simply do the following to label the port:

    semanage port -a -t ldap_port_t -p tcp <portnum>

We can see that this is successful by checking the port label after the 389 DS instance creation fails.  We haven't changed anything here, and this same code is working on F19.

Was there any sort of timing change with regards to the policy being loaded when running semanage?  Does semanage exit before the policy is reloaded now?

Comment 14 Nathan Kinder 2013-07-16 17:40:06 UTC

I have narrowed down the problem further.  I have to manually force the policy to be reloaded after labelling a port before the new label is taking into account when evaluating rules.  The behavior is consistently reproducible.

This works without any AVC messages:

----------------------------------------------
semanage port -a -t ldap_port_t -p tcp 1389
semodule -R
setup-ds.pl (using port 1389)
----------------------------------------------

This fails with the name_bind AVC mentioned above:

----------------------------------------------
semanage port -a -t ldap_port_t -p tcp 1389
setup-ds.pl (using port 1389)
----------------------------------------------

Why isn't the policy being reloaded automatically when the port is labelled with semanage?  It has always been reloaded in the past, but that doesn't appear to be the case on RHEL 7.0.

Comment 15 Nathan Kinder 2013-07-16 19:41:29 UTC

The problem appears to be in /usr/sbin/semanage.  If you look at setupPortParser(), you will see the following for the -N/--noreload option:

-----------------------------------------------------------------------
    portParser.add_argument('-N', '--noreload', action='store_false', default=False, help=_('Do not reload policy after commit'))
-----------------------------------------------------------------------

The problem with this is that the value with be False when -N is specified as well as when it is not specified.  This means the policy will If I change this code like below, things work as expected:

-----------------------------------------------------------------------
    portParser.add_argument('-N', '--noreload', action='store_false', default=True, help=_('Do not reload policy after commit'))
-----------------------------------------------------------------------

In this case, specifying -N causes the policy to not be reloaded.  If I don't specify -N, the policy is properly reloaded.

This same problem is found for all of the other semanage subcommands that I saw, not just the "port" subcommand.

I looked at the semanage code from F19, and it is completely different than RHEL7.0.  This explains why the problem was only seen on RHEL 7.0.

Comment 16 Daniel Walsh 2013-07-17 17:24:21 UTC

fixed in policycoreutils-2.1.14-66.el7

Comment 18 Nathan Kinder 2013-07-18 18:53:52 UTC

I installed policycoreutils-2.1.14-66.el7, but semanage is more broken now.  It seems that argument parsing is not working correctly:

[root@hp-bl460c-02 ~]# semanage port -l
list option can not be used with --range

[root@hp-bl460c-02 ~]# semanage port -a -t ldap_port_t -p tcp 1389
usage: semanage port [-h] [-n] [-N] [-s STORE] [ --add -t TYPE -p PROTOCOL -r RANGE port_name | port_range | --delete -p PROTOCOL port_name | port_range | --deleteall  | --extract  | --list -C | --modify -t TYPE -p PROTOCOL -r RANGE port_name | port_range ]
semanage port: error: argument -t/--type: not allowed with argument -a/--add

[root@hp-bl460c-02 ~]# semanage port -d -t ldap_port_t -p tcp 1389
usage: semanage port [-h] [-n] [-N] [-s STORE] [ --add -t TYPE -p PROTOCOL -r RANGE port_name | port_range | --delete -p PROTOCOL port_name | port_range | --deleteall  | --extract  | --list -C | --modify -t TYPE -p PROTOCOL -r RANGE port_name | port_range ]
semanage port: error: argument -t/--type: not allowed with argument -d/--delete

Comment 19 Miroslav Grepl 2013-07-18 20:13:39 UTC

Created attachment 775497 [details]
semanage-port.patch

Comment 20 Daniel Walsh 2013-07-22 19:58:00 UTC

Fixed in policycoreutils-2.1.14-67.fc20

Comment 22 Milos Malik 2013-07-23 08:00:36 UTC

If there are no objections I will switch the bug to verified.

Comment 23 Nathan Kinder 2013-07-23 14:50:36 UTC

(In reply to Milos Malik from comment #22)
> If there are no objections I will switch the bug to verified.

That is fine with me.  I tested the original issue by installing 389-ds-base on a non-default port, and everything is working correctly when using policycoreutils-python-2.1.14-67.el7.x86_64.

Comment 24 Ludek Smid 2014-06-13 11:32:17 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.