Bug 1063827
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | selinux avc for httpd accessing KEYRING ccache type | | |
| Product | Fedora | Reporter | Alexander Bokovoy <abokovoy> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 21 | CC | amessina, dominick.grift, dpal, dwalsh, jpazdziora, j, lvrabec, mgrepl, mkosek, pviktori, rcritten |
| Target Milestone | --- | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-105.3.fc21 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1073492 | Environment | |
| Last Closed | 2015-02-15 03:29:14 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1001703, 1073492 | | |
Description
Alexander Bokovoy
2014-02-11 13:40:33 UTC
Note that I see two AVCs: for read and view, I assume there will be more on write and delete once we allow accessing the KEYRING ccache.

    type=AVC msg=audit(1392124881.379:2690): avc: denied { view } for pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

    # LANG=en_US.utf8 yum info selinux-policy
    Loaded plugins: langpacks, refresh-packagekit
    Installed Packages
    Name        : selinux-policy
    Arch        : noarch
    Version     : 3.12.1
    Release     : 122.fc20
    Size        : 103
    Repo        : installed
    From repo   : updates-testing
    Summary     : SELinux policy configuration
    URL         : http://oss.tresys.com/repos/refpolicy/
    License     : GPLv2+
    Description : SELinux Reference Policy - modular.
                : Based off of reference policy: Checked out revision 2.20091117

---

I added some patches to F20/RHEL7 to allow it for now until we get a better solution.

---

(In reply to Miroslav Grepl from comment #4)
> I added some patches to F20/RHEL7 to allow it for now until we get a better
> solution.

Reverted.

---

Adding Petr Viktorin to CC list, he most probably reproduced this issue in our CI system. Petr, please confirm.

Miroslav, Alexander - any plan with this bug? It seems to be stuck. Thank you.

---

Yes, this is the error I'm getting in CI.

---

(In reply to Miroslav Grepl from comment #5)
> (In reply to Miroslav Grepl from comment #4)
> > I added some patches to F20/RHEL7 to allow it for now until we get a better
> > solution.
>
> Reverted.

Why?

---

Mirek?

---

I need to fix the reverted fix, which was not correct. Will have it done ASAP.

---

Thanks Mirek.
---

http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-3.12.1-130.fc20.noarch.rpm
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-devel-3.12.1-130.fc20.noarch.rpm
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-targeted-3.12.1-130.fc20.noarch.rpm

---

Petr, would it be possible to test these new packages with our CI (and SELinux enforced)?

---

Yes; I'll get on it.

---

Yup, with these packages tests pass in enforcing. Thanks Mirek!

---

(In reply to Miroslav Grepl from comment #12)
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/
> noarch/selinux-policy-3.12.1-130.fc20.noarch.rpm
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/
> noarch/selinux-policy-devel-3.12.1-130.fc20.noarch.rpm
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/
> noarch/selinux-policy-targeted-3.12.1-130.fc20.noarch.rpm

Miroslav, will these updates also resolve the related issue when ssh'ing to a machine with KRB5/NFSv4.1 mounted /home directories?

    Could not chdir to home directory /home/amessina: Permission denied
    -bash: /home/amessina/.bash_profile: Permission denied

SELinux is preventing /usr/sbin/sshd from read access on the key .
    type=AVC msg=audit(1394234798.858:4259): avc: denied { read } for pid=27888 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key
    type=SYSCALL msg=audit(1394234798.858:4259): arch=x86_64 syscall=keyctl success=yes exit=ENODEV a0=b a1=27034e6f a2=0 a3=0 items=0 ppid=1853 pid=27888 auid=4294967295 uid=0 gid=0 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

    Hash: sshd,sshd_t,gssd_t,key,read

---

I added an additional workaround fix for now.

http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/133.fc20/noarch/selinux-policy-3.12.1-133.fc20.noarch.rpm
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/133.fc20/noarch/selinux-policy-devel-3.12.1-133.fc20.noarch.rpm
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/133.fc20/noarch/selinux-policy-doc-3.12.1-133.fc20.noarch.rpm
http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/133.fc20/noarch/selinux-policy-targeted-3.12.1-133.fc20.noarch.rpm

should fix it.

---

selinux-policy-3.12.1-135.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-135.fc20

---

Package selinux-policy-3.12.1-135.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-135.fc20'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3813/selinux-policy-3.12.1-135.fc20
then log in and leave karma (feedback).

---

selinux-policy-3.12.1-135.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
---

I am running into exactly the denials from comment 16:

    time->Fri Jan 30 16:42:12 2015
    type=AVC msg=audit(1422657732.720:1562): avc: denied { read } for pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
    ----
    time->Fri Jan 30 16:42:12 2015
    type=AVC msg=audit(1422657732.720:1563): avc: denied { write } for pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0

and I'm in the same situation: ssh -K into a host, so that I can see my NFS4 sec=krb5p mounted home directory. The primary difference is that I'm on current F21: selinux-policy-3.13.1-103.fc21.noarch and kernel-3.18.3-201.fc21.x86_64.

It appears that you have to get the machine into a particular state for this to start happening; most of the time it's OK. But if I try to ssh in without forwarding my credentials, or with expired or limited use credentials, my directory gets mounted but of course I can't see it, and from then on I see these denials. Leaving the machine alone for a while usually fixes it, as does a reboot. (Unmounting my homedir and letting autofs re-mount it doesn't help.)

If you want me to open a separate ticket and clean this one up, I'll be happy to do so. I'm going to dig into what changed in those F20 updates above and see if there's something that's missing from the F21 packages.

---

Fixed in 1aa35ae78e2d8cc2a0de0c4063ab876d51ff4b3d in git.

    commit b8d0d76100f7b5aaf0cde32b2bf16e479fd60240
    Author: Dan Walsh <dwalsh>
    Date:   Sat Jan 31 06:45:31 2015 -0500

        Allow sshd_t to manage gssd keyring

---

I'm confused. Current F21 selinux-policy is 3.13.1-103. 3.12.1-150.2 seems to go backwards. I can install and test if you'd like, but I'm not sure what else would happen if the policy version goes down.

---

Sorry, I added wrong version numbers.

---

Cool, thanks; when a build appears I'll test it out.

---

This is an update candidate, you can try it.
http://koji.fedoraproject.org/koji/buildinfo?buildID=608635

---

Yeah, I can't reproduce my problem at all with that build.

---

Sorry for spamming. I just dropped those packages into my repository and let a few hosts update. I note the following in the yum log:

    Cleanup    : selinux-policy-targeted-3.13.1-103.fc21.noarch    4/6
    warning: file /etc/selinux/targeted/modules/active/modules/vbetool.pp: remove failed: No such file or directory

Not sure if that's a problem or not.

And for some super fun, I'm now getting the same denials but with "ssh" and "gss" reversed:

    time->Tue Feb 3 00:45:14 2015
    type=AVC msg=audit(1422945914.784:225): avc: denied { read } for pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
    ----
    time->Tue Feb 3 00:45:14 2015
    type=AVC msg=audit(1422945914.786:226): avc: denied { write } for pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0

So in this case, I guess sshd won the race to create the keyring, and now gssd can't do what it needs to do. This is kind of crazy.

---

selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

---

Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).
---

When ssh'ing into a box with NFSv4/KRB5 mounted /home:

    Source Context                system_u:system_r:gssd_t:s0
    Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
    Target Objects                Unknown [ key ]
    Source                        rpc.gssd
    Source Path                   /usr/sbin/rpc.gssd
    Port                          <Unknown>
    Host                          example.com
    Source RPM Packages           nfs-utils-1.3.1-6.0.fc21.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     example.com
    Platform                      Linux example.com 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
    Alert Count                   62
    First Seen                    2015-01-17 19:37:59 CST
    Last Seen                     2015-02-09 17:27:38 CST
    Local ID                      4f76d5c9-904e-41d1-a566-6e406d8a487f

    Raw Audit Messages
    type=AVC msg=audit(1423524458.86:5957): avc: denied { read } for pid=27767 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
    type=SYSCALL msg=audit(1423524458.86:5957): arch=x86_64 syscall=keyctl success=yes exit=ENODEV a0=b a1=3e6ecbe6 a2=7f59c4362080 a3=13 items=0 ppid=914 pid=27767 auid=4294967295 uid=1136600007 gid=1136600007 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 tty=(none) ses=4294967295 comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

    Hash: rpc.gssd,gssd_t,sshd_t,key,read

    Source Context                system_u:system_r:gssd_t:s0
    Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
    Target Objects                Unknown [ key ]
    Source                        rpc.gssd
    Source Path                   /usr/sbin/rpc.gssd
    Port                          <Unknown>
    Host                          example.com
    Source RPM Packages           nfs-utils-1.3.1-6.0.fc21.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     example.com
    Platform                      Linux example.com 3.18.5-201.fc21.x86_64 #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
    Alert Count                   16
    First Seen                    2015-01-17 19:37:59 CST
    Last Seen                     2015-02-09 17:27:38 CST
    Local ID                      a40cb096-dc84-41e8-8af1-6932c12e3b82

    Raw Audit Messages
    type=AVC msg=audit(1423524458.97:5984): avc: denied { write } for pid=27767 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
    type=SYSCALL msg=audit(1423524458.97:5984): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7f59c2ef89c4 a1=7f59c438bfd0 a2=7f59c438d0c0 a3=1fd items=0 ppid=914 pid=27767 auid=4294967295 uid=1136600007 gid=1136600007 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 tty=(none) ses=4294967295 comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

    Hash: rpc.gssd,gssd_t,sshd_t,key,write

---

selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
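The denials quoted throughout this thread, parsed and aggregated into type-enforcement rules the way a first audit2allow pass would, as an added example that is not part of the bug report, of audit2allow, or of the selinux-policy package. The sample audit records are constructed from the AVC lines quoted above (the trailing SYSCALL line is trimmed to a few fields); the parser, the per-(source, target, class) aggregation and the check for keyring denials seen in both directions are this example's own.

```python
"""Triage SELinux AVC denials from audit records into TE allow rules.

Added example for the keyring denials in bug 1063827. Not audit2allow's
code: a small reimplementation of the aggregation it performs, plus a
check that surfaces the sshd_t/gssd_t race the thread describes.
"""
import re
from collections import defaultdict

# Constructed sample built from the AVC lines quoted in the thread.
# The final SYSCALL record is trimmed to a few fields for brevity.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1392124881.379:2690): avc: denied { view } for pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1422657732.720:1562): avc: denied { read } for pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422657732.720:1563): avc: denied { write } for pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422945914.784:225): avc: denied { read } for pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
type=AVC msg=audit(1422945914.786:226): avc: denied { write } for pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
type=SYSCALL msg=audit(1422945914.786:226): arch=x86_64 syscall=add_key success=no exit=EACCES comm=rpc.gssd exe=/usr/sbin/rpc.gssd
"""

# "type=AVC ... avc: denied { perm [perm ...] } for key=value ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="rpc.gssd").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for other record types (SYSCALL etc.)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1 means the access went through and was only logged
        'permissive': fields.get('permissive') == '1',
    }


def aggregate(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def to_te_rules(rules):
    """Render aggregated denials as TE allow statements, sorted for stable output."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


def keyring_pairs(rules):
    """Type pairs with key-class denials in both directions.

    In the thread that pair is sshd_t and gssd_t: whichever daemon creates
    the user's keyring first owns it, so a rule for one direction only
    leaves the other half of the race denied."""
    seen = {(s, t) for (s, t, c) in rules if c == 'key'}
    return sorted({tuple(sorted(p)) for p in seen if (p[1], p[0]) in seen})


if __name__ == '__main__':
    agg = aggregate(SAMPLE_AUDIT_LOG.splitlines())
    for rule in to_te_rules(agg):
        print(rule)
    print('key denials in both directions:', keyring_pairs(agg))
```

Running it yields three rules, including `allow httpd_t unconfined_t:key { view };` and one rule per direction for sshd_t and gssd_t, and the pairing check reports (gssd_t, sshd_t). Generated rules are triage output, not a fix: the httpd_t rule grants a confined daemon access to an unconfined user's keys, and the thread shows the early workaround being reverted as incorrect before a narrower change (allowing sshd_t to manage the gssd keyring) landed.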