#2160 selinux rules block ipa_kpasswd access to ldap and urandom
Closed: Fixed. Opened 12 years ago by sin.

These are the AVCs:

type=AVC msg=audit(1322872499.463:79140): avc:  denied  { read } for  pid=29716 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1322872499.463:79140): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc7e83bd06 a1=0 a2=0 a3=7fffd942e0e0 items=0 ppid=29474 pid=29716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=AVC msg=audit(1322872499.493:79141): avc:  denied  { read } for  pid=29716 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1322872499.493:79141): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc7e83bd06 a1=0 a2=0 a3=7fffd942ba50 items=0 ppid=29474 pid=29716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=AVC msg=audit(1322872499.669:79142): avc:  denied  { name_connect } for  pid=29716 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322872499.669:79142): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=170f960 a2=10 a3=7fffd942d760 items=0 ppid=29474 pid=29716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1322872499.670:79143): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipa_kpasswd_t:s0 pid=29716 comm="ipa_kpasswd" sig=11

This is what audit2allow suggests:

#============= ipa_kpasswd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind

allow ipa_kpasswd_t ldap_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, global_ssp

allow ipa_kpasswd_t urandom_device_t:chr_file read;

Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=759679
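As an added example (not part of the ticket, and not FreeIPA's or audit2allow's own code), here is a small Python parser that reads AVC records in the format quoted above and collapses them into the same kind of `allow` rules audit2allow proposed, one per (source type, target type, object class). It also pulls out the ANOM_ABEND record, because a denial immediately followed by a SIGSEGV (sig=11) is the part of this report that turns a policy gap into a service outage, and a triage script should flag it. The sample records are copied from the ticket; the function names (`parse_avc`, `allow_rules`, `abends`) are this example's own.

```python
import re

# Sample input: the audit records quoted in the ticket (copied from the report),
# plus one SYSCALL line to show that non-AVC records are skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1322872499.463:79140): avc:  denied  { read } for  pid=29716 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'type=SYSCALL msg=audit(1322872499.463:79140): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc7e83bd06 a1=0 a2=0 a3=7fffd942e0e0 items=0 ppid=29474 pid=29716 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa_kpasswd" exe="/usr/sbin/ipa_kpasswd" subj=system_u:system_r:ipa_kpasswd_t:s0 key=(null)',
    'type=AVC msg=audit(1322872499.493:79141): avc:  denied  { read } for  pid=29716 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1048 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1322872499.669:79142): avc:  denied  { name_connect } for  pid=29716 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
    'type=ANOM_ABEND msg=audit(1322872499.670:79143): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:ipa_kpasswd_t:s0 pid=29716 comm="ipa_kpasswd" sig=11',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; everything after "for" is k=v pairs.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k="quoted v"' pairs into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_avc(line):
    """Return the denied permissions and contexts of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = parse_fields(m.group('fields'))
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
        'dest': fields.get('dest'),   # port number for network objects
        'name': fields.get('name'),   # file name for filesystem objects
    }


def type_of(context):
    """user:role:type:level -> type, e.g. system_u:object_r:urandom_device_t:s0 -> urandom_device_t."""
    return context.split(':')[2]


def allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class), in order of first appearance."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    out = []
    for (src, tgt, cls), perms in rules.items():
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ ' + plist + ' }'
        out.append(f'allow {src} {tgt}:{cls} {plist};')
    return out


def abends(lines):
    """(pid, comm, signal) for every ANOM_ABEND record, so a denial-then-crash sequence can be flagged."""
    found = []
    for line in lines:
        if not line.startswith('type=ANOM_ABEND'):
            continue
        f = parse_fields(line)
        found.append((int(f['pid']), f['comm'], int(f['sig'])))
    return found


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for pid, comm, sig in abends(SAMPLE_AUDIT):
        print(f'# pid {pid} ({comm}) died with signal {sig} right after the denials')
```

Two things the real audit2allow does that this parser deliberately does not: it consults the loaded policy to tell you when an existing boolean (here `authlogin_nsswitch_use_ldap`) already covers a rule, which is why flipping a boolean is a cheaper first check than loading a custom module, and it resolves type attributes. The rules this emits are a starting point for reading, not for blind `semodule -i`; as the later comment in this ticket notes, the urandom rule turned out not to be needed at all.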


Created a commit with the updated selinux policy:
http://git.etersoft.ru/people/sin/packages/freeipa.git (branch ipa-2-1)
on commit 04137ed07936430bd6d0f4084465ec21082903a0

So, the temporary workaround is:

/usr/sbin/setsebool authlogin_nsswitch_use_ldap on

No urandom access is really needed; it works fine with only the ldap policy rule:
b91d3270b4724b2ae6fae68b72e065bbace22cb8

Metadata Update from @sin:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1.4 (bug fixing)

7 years ago
