freeipa

Clone
Source Code
GIT

#4923 ipa-client-install changes the label on various files which causes SELinux denials
Closed: Fixed None Opened 9 years ago by pvoborni.

Closed: Fixed
Reopen Issue

Read bz comment 6 for more details - race between SSSD and file move with restorecon call.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1195339

Description of problem:
The following AVC debial appeared during testing:
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:692): arch=c000003e syscall=21 success=no
exit=-13 a0=7fb175c03338 a1=4 a2=10 a3=fffffffffffff558 items=0 ppid=15957
pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sssd_be"
exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:692): avc:  denied  { read } for  pid=15958
comm="sssd_be" name="krb5.conf" dev="dm-0" ino=203775716
scontext=system_u:system_r:sssd_t:s0
tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Fri Feb 20 14:54:26 2015
type=SYSCALL msg=audit(1424440466.677:693): arch=c000003e syscall=4 success=no
exit=-13 a0=7fb175c2c4a8 a1=7fffb8a58000 a2=7fffb8a58000 a3=0 items=0
ppid=15957 pid=15958 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be"
exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1424440466.677:693): avc:  denied  { getattr } for
pid=15958 comm="sssd_be" pa

The issue could not been reproduced.
Not sure if anything can be done with it if there is no reproducer; feel free
to close it, if the root cause can not be found.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.el7
sssd-1.12.2-58.el7
ipa-client-4.1.0-18.el7

How reproducible:
appeared only once


Some additional info:

# semanage fcontext -l |grep realmd_var_lib_t
/var/lib/ipa-client(/.*)?                          all files
system_u:object_r:realmd_var_lib_t:s0
# rpm -qf /var/lib/ipa-client
ipa-client-4.1.0-18.el7.s390x
# ls -la /var/lib/ipa-client/
total 4
drwxr-xr-x.  3 root root   23 Feb 23 05:16 .
drwxr-xr-x. 42 root root 4096 Feb 23 05:47 ..
drwxr-xr-x.  2 root root    6 Jan 30 10:47 sysrestore
# ls -la /var/lib/ipa-client/sysrestore/
# ls -la /var/lib/ipa-client/sysrestore/
total 0
drwxr-xr-x. 2 root root  6 Jan 30 10:47 .
drwxr-xr-x. 3 root root 23 Feb 23 05:16 ..

we could use following approach for all affected files to avoid the race:

     mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf

instead of:

    mv /etc/krb5.conf.ipanew /etc/krb5.conf
    /sbin/restorecon /etc/krb5.conf

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1127211 (Red Hat Enterprise Linux 6)

This ticket is not critical for 4.2 GA and can be done in follow-up stabilization release - postponing.

Make sure to check if selinux is present on the system otherwise there might not be -Z option.

master:

  • 9f70128 sysrestore: copy files instead of moving them to avoind SELinux issues

ipa-4-2:

  • 92a73e8 sysrestore: copy files instead of moving them to avoind SELinux issues

master:

  • 45c7091 Use 'mv -Z' in specfile to restore SELinux context

ipa-4-2:

  • 21d3122 Use 'mv -Z' in specfile to restore SELinux context

Metadata Update from @pvoborni:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.2.1
7 years ago

Login to comment on this ticket.

Metadata
None
None
None
normal
None
None
None
None
defect
None
None
Installation
None
1
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1195339, https://bugzilla.redhat.com/show_bug.cgi?id=1127211
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.