#5203 ipa-client/server-install should not execute daemons directly
Closed: fixed 3 years ago by abbra. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1251526

Description of problem:

The ipa-client-install seems to execute at least ntpd and sshd directly: in
the case of ntpd, it's run on a custom config file in /tmp; in the case of sshd, it's
run to check "dynamically loading authorized user keys" support.

This causes various issues with SELinux: not only does it not work under the
MLS policy (sysadm_r role), it has the potential to break things in the targeted
policy as well, i.e. by creating pid/lock/log files as unconfined_t.

The only supported (AFAIK) way to run daemons is via sysvinit / systemd, where
the daemon is executed with the correct context according to the appropriate SELinux
transition rules. Anything else (even a simple daemon --help) can cause issues.

Therefore please modify the ipa-*-install scripts to only interact with
services/daemons using service(8) or systemctl(1).

Example alternatives covering the use cases currently used by
ipa-client-install:

- ntpd: modify /etc/ntpd.conf directly, if you need to do only one-time
synchronization, use ntpdate, if you need to just check if a NTP server is
working, use 'ntpdate -q'

- sshd: modify /etc/ssh/ssh(d)_config directly, restart sshd and see if it
fails on missing support; the live ssh sessions won't be killed on sshd
restart

I've also noticed ipa-client-install has 'services' and
'services.knownservices' classes - these also need to use
service(8)/systemctl(1) if they aren't using it already.


Version-Release number of selected component (if applicable):
ipa-client-4.1.0-18.el7

How reproducible:
always

Steps to Reproduce:
1. switch the system to selinux-policy-mls (see RH knowledgebase, RHEL7 /
"SELinux User's and Administrator's Guide", section 4.11.2)
2. semodule -d sysadm_secadm
3. login under the sysadm_r role
4. try ipa-client-install

Actual results:
ipa-*-install executes services/daemons directly

Expected results:
ipa-*-install uses service(8) or systemctl(1) to launch daemons

Additional info:
Upgrading to ipa-4.2.0-3.el7 still shows the same issue.
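The sshd alternative described in the ticket (edit sshd_config, restart sshd through systemctl, and roll back if sshd rejects the option), written out as an added example in Python. This is not FreeIPA's own code: the option name AuthorizedKeysCommand and its value, the unit name sshd.service and the sample config are assumptions. The point of the structure is that the installer never execs sshd itself (not even for a help or config-test run, which the ticket says can also misbehave); systemd does, so the SELinux domain transition applies, and the installer learns about missing support from the unit failing to restart.

```python
"""Added example (not FreeIPA's own code): probe an sshd option by editing
sshd_config and restarting sshd through systemctl, never by executing sshd
from the installer. Option name, value, unit name and sample config below
are assumptions."""
import subprocess
from pathlib import Path


def set_sshd_option(config_text, key, value):
    """Return config_text with the global `key value` set.

    Two sshd_config rules matter here: the first uncommented occurrence of a
    keyword wins, and everything after a `Match` line is conditional. So the
    option is replaced in (or inserted at the end of) the global section,
    before the first Match block, and Match-scoped occurrences are left alone.
    """
    out, done, in_match = [], False, False
    for line in config_text.splitlines():
        tokens = line.split()
        kw = tokens[0].lower() if tokens else ""
        if kw == "match" and not in_match:
            in_match = True
            if not done:               # global section ends here: insert now
                out.append(f"{key} {value}")
                done = True
        if not in_match and kw == key.lower():
            if not done:               # replace the first global occurrence
                out.append(f"{key} {value}")
                done = True
            continue                   # drop later global duplicates
        out.append(line)
    if not done:                       # no Match block and no existing line
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def systemctl(action, unit, run=subprocess.run):
    """Drive the daemon only via systemctl(1): systemd execs the binary, so
    the SELinux domain transition (sshd_t, not the caller's context) applies.
    `run` is injectable so the probe can be exercised without root/systemd."""
    proc = run(["systemctl", action, unit], capture_output=True, text=True)
    return proc.returncode == 0


def probe_sshd_option(config_path, key, value, unit="sshd.service",
                      run=subprocess.run):
    """Check whether this sshd accepts `key value`: write it, restart the
    unit, and roll the file back (restarting again) if sshd refuses to start.
    Live ssh sessions survive an sshd restart. Returns True when supported."""
    path = Path(config_path)
    original = path.read_text()
    path.write_text(set_sshd_option(original, key, value))
    if systemctl("restart", unit, run):
        return True
    path.write_text(original)          # unsupported: restore the old config
    systemctl("restart", unit, run)    # and bring sshd back up on it
    return False


if __name__ == "__main__":
    # Constructed sample config; real use would pass "/etc/ssh/sshd_config".
    sample = ("Port 22\n#AuthorizedKeysCommand none\n"
              "Match User backup\n  X11Forwarding no\n")
    print(set_sshd_option(sample, "AuthorizedKeysCommand",
                          "/usr/bin/sss_ssh_authorizedkeys"), end="")
```

Run as root it edits the real file and restarts the real unit; with a fake `run` callable it can be exercised on a temporary copy of sshd_config. The `Match` handling is the caveat that bites in practice: appending a global option at the end of a file that already has a Match block silently makes it conditional.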

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

FreeIPA 4.8 already has rewritten NTP configuration management and now addresses all services through systemctl commands.
This bug is therefore already fixed.

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
- Issue status updated to: Closed (was: Open)

3 years ago
