
Bug 1063827

Summary: selinux avc for httpd accessing KEYRING ccache type
Product: Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Docs Contact:
Version: 21
CC: amessina, dominick.grift, dpal, dwalsh, jpazdziora, j, lvrabec, mgrepl, mkosek, pviktori, rcritten
Target Milestone: ---
Target Release: ---
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-105.3.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1073492
Environment:
Last Closed: 2015-02-15 03:29:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1001703, 1073492

Description Alexander Bokovoy 2014-02-11 13:40:33 UTC
Installing FreeIPA git master fails in Fedora 20 due to SELinux AVC:

type=AVC msg=audit(1392124881.379:2688): avc:  denied  { read } for  pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1392124881.379:2689): avc:  denied  { read } for  pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

This is due to default /etc/krb5.conf using 
   default_ccache_name = KEYRING:persistent:%{uid}
and therefore mod_auth_kerb defaulting to KEYRING ccache type.

We need to enable this access, including (read, view, write, delete).

Comment 1 Alexander Bokovoy 2014-02-11 13:43:22 UTC
Note that I see two AVCs, for read and view; I assume there will be more on write and delete once we allow accessing the KEYRING ccache.

type=AVC msg=audit(1392124881.379:2690): avc:  denied  { view } for  pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 2 Alexander Bokovoy 2014-02-11 14:12:20 UTC
# LANG=en_US.utf8 yum info selinux-policy
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
Name        : selinux-policy
Arch        : noarch
Version     : 3.12.1
Release     : 122.fc20
Size        : 103  
Repo        : installed
From repo   : updates-testing
Summary     : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117

Comment 4 Miroslav Grepl 2014-02-13 10:56:38 UTC
I added some patches to F20/RHEL7 to allow it for now until we get a better solution.

Comment 5 Miroslav Grepl 2014-02-17 09:19:56 UTC
(In reply to Miroslav Grepl from comment #4)
> I added some patches to F20/RHEL7 to allow it for now until we get better
> solution.

Reverted.

Comment 6 Martin Kosek 2014-03-03 12:18:16 UTC
Adding Petr Viktorin to CC list, he most probably reproduced this issue in our CI system. Petr, please confirm.

Miroslav, Alexander - any plan with this bug? It seems to be stuck. Thank you.

Comment 7 Petr Viktorin 2014-03-03 12:38:29 UTC
Yes, this is the error I'm getting in CI.

Comment 8 Dmitri Pal 2014-03-04 01:14:11 UTC
(In reply to Miroslav Grepl from comment #5)
> (In reply to Miroslav Grepl from comment #4)
> > I added some patches to F20/RHEL7 to allow it for now until we get better
> > solution.
> 
> Reverted.

Why?

Comment 9 Martin Kosek 2014-03-04 07:47:15 UTC
Mirek?

Comment 10 Miroslav Grepl 2014-03-04 21:00:26 UTC
I need to fix the reverted fix which was not correct. Will have it done ASAP.

Comment 11 Martin Kosek 2014-03-05 09:34:04 UTC
Thanks Mirek.

Comment 13 Martin Kosek 2014-03-05 11:05:22 UTC
Petr, would it be possible to test these new packages with our CI (and SELinux enforced)?

Comment 14 Petr Viktorin 2014-03-05 11:06:46 UTC
Yes; I'll get on it.

Comment 15 Petr Viktorin 2014-03-05 12:06:47 UTC
Yup, with these packages tests pass in enforcing. Thanks Mirek!

Comment 16 Anthony Messina 2014-03-07 23:28:41 UTC
(In reply to Miroslav Grepl from comment #12)
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-3.12.1-130.fc20.noarch.rpm
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-devel-3.12.1-130.fc20.noarch.rpm
> http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/130.fc20/noarch/selinux-policy-targeted-3.12.1-130.fc20.noarch.rpm

Miroslav, will these updates also resolve the related issue when ssh'ing to a machine with KRB5/NFSv4.1 mounted /home directories?

Could not chdir to home directory /home/amessina: Permission denied
-bash: /home/amessina/.bash_profile: Permission denied

SELinux is preventing /usr/sbin/sshd from read access on the key .

type=AVC msg=audit(1394234798.858:4259): avc:  denied  { read } for  pid=27888 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key


type=SYSCALL msg=audit(1394234798.858:4259): arch=x86_64 syscall=keyctl success=yes exit=ENODEV a0=b a1=27034e6f a2=0 a3=0 items=0 ppid=1853 pid=27888 auid=4294967295 uid=0 gid=0 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,gssd_t,key,read

Comment 18 Fedora Update System 2014-03-12 07:19:10 UTC
selinux-policy-3.12.1-135.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-135.fc20

Comment 19 Fedora Update System 2014-03-13 05:10:10 UTC
Package selinux-policy-3.12.1-135.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-135.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3813/selinux-policy-3.12.1-135.fc20
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2014-03-21 09:25:08 UTC
selinux-policy-3.12.1-135.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Jason Tibbitts 2015-01-30 23:10:50 UTC
I am running into exactly the denials from comment 16:

time->Fri Jan 30 16:42:12 2015
type=AVC msg=audit(1422657732.720:1562): avc:  denied  { read } for  pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
----
time->Fri Jan 30 16:42:12 2015
type=AVC msg=audit(1422657732.720:1563): avc:  denied  { write } for  pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0

and I'm in the same situation:  ssh -K into a host, so that I can see my NFS4 sec=krb5p mounted home directory.  The primary difference is that I'm on current F21: selinux-policy-3.13.1-103.fc21.noarch and kernel-3.18.3-201.fc21.x86_64.

It appears that you have to get the machine into a particular state for this to start happening; most of the time it's OK.  But if I try to ssh in without forwarding my credentials, or with expired or limited use credentials, my directory gets mounted but of course I can't see it, and from then on I see these denials.  Leaving the machine alone for a while usually fixes it, as does a reboot. (Unmounting my homedir and letting autofs re-mount it doesn't help.)

If you want me to open a separate ticket and clean this one up, I'll be happy to do so.  I'm going to dig into what changed in those F20 updates above and see if there's something that's missing from the F21 packages.

Comment 22 Daniel Walsh 2015-02-01 12:08:25 UTC
Fixed in 1aa35ae78e2d8cc2a0de0c4063ab876d51ff4b3d in git.

Comment 23 Lukas Vrabec 2015-02-02 10:39:15 UTC
commit b8d0d76100f7b5aaf0cde32b2bf16e479fd60240
Author: Dan Walsh <dwalsh>
Date:   Sat Jan 31 06:45:31 2015 -0500

    Allow sshd_t to manage gssd keyring

Comment 24 Jason Tibbitts 2015-02-02 17:08:53 UTC
I'm confused.  Current F21 selinux-policy is 3.13.1-103.  3.12.1-150.2 seems to go backwards.  I can install and test if you'd like, but I'm not sure what else would happen if the policy version goes down.

Comment 25 Lukas Vrabec 2015-02-02 17:20:54 UTC
Sorry, I added the wrong version numbers.

Comment 26 Jason Tibbitts 2015-02-02 19:16:00 UTC
Cool, thanks; when a build appears I'll test it out.

Comment 27 Lukas Vrabec 2015-02-02 19:27:24 UTC
This is an update candidate; you can try it.
http://koji.fedoraproject.org/koji/buildinfo?buildID=608635

Comment 28 Jason Tibbitts 2015-02-02 19:40:25 UTC
Yeah, I can't reproduce my problem at all with that build.

Comment 29 Jason Tibbitts 2015-02-02 20:55:03 UTC
Sorry for spamming.

I just dropped those packages into my repository and let a few hosts update.  I note the following in the yum log:

  Cleanup    : selinux-policy-targeted-3.13.1-103.fc21.noarch               4/6 
warning: file /etc/selinux/targeted/modules/active/modules/vbetool.pp: remove failed: No such file or directory

Not sure if that's a problem or not.

Comment 30 Jason Tibbitts 2015-02-03 06:51:26 UTC
And for some super fun, I'm now getting the same denials but with "ssh" and "gss" reversed:

time->Tue Feb  3 00:45:14 2015
type=AVC msg=audit(1422945914.784:225): avc:  denied  { read } for  pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
----
time->Tue Feb  3 00:45:14 2015
type=AVC msg=audit(1422945914.786:226): avc:  denied  { write } for  pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0

So in this case, I guess sshd won the race to create the keyring, and now gssd can't do what it needs to do.  This is kind of crazy.
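The description asks for read, view, write and delete on the key class, and comments 21 and 30 show the same sshd/gssd denials in both directions depending on which process created the keyring first. As an added illustration (my code, not part of this bug or of the selinux-policy project, and a simplified version of what audit2allow does), the script below parses the raw AVC lines quoted in this report, aggregates them by source type, target type and object class, and emits the allow rules a policy fix would need; the aggregation makes it visible that the race requires a rule for each direction.

```python
import re
from collections import defaultdict

# Sample input: AVC lines copied from this bug report (httpd from the description
# and comment 1, sshd from comment 21, rpc.gssd from comment 30).
SAMPLE_AVCS = """\
type=AVC msg=audit(1392124881.379:2688): avc:  denied  { read } for  pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1392124881.379:2690): avc:  denied  { view } for  pid=32271 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=key
type=AVC msg=audit(1422657732.720:1562): avc:  denied  { read } for  pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422657732.720:1563): avc:  denied  { write } for  pid=25802 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:gssd_t:s0 tclass=key permissive=0
type=AVC msg=audit(1422945914.784:225): avc:  denied  { read } for  pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
type=AVC msg=audit(1422945914.786:226): avc:  denied  { write } for  pid=1507 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0
"""

# Pull the denied permission set and the three fields a TE allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    # A context is user:role:type[:range]; the type is the third field,
    # so the MLS range (s0-s0:c0.c1023) on sshd_t and unconfined_t is ignored.
    return context.split(":")[2]


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m["scontext"]), type_of(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))


def aggregate(lines):
    # (source type, target type, class) -> union of every permission denied on it
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            src, tgt, cls, perms = rec
            needed[(src, tgt, cls)] |= perms
    return needed


def allow_rules(lines):
    # One TE allow rule per (source, target, class), permissions sorted for stable output.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(aggregate(lines).items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVCS.splitlines())))
```

Feeding `ausearch -m avc` output through the same function on a real host would include any view or delete denials that appear once read is permitted, which is why the description asks for all four permissions up front.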

Comment 31 Fedora Update System 2015-02-05 13:15:18 UTC
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

Comment 32 Fedora Update System 2015-02-06 04:03:52 UTC
Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).

Comment 33 Anthony Messina 2015-02-09 23:32:56 UTC
When ssh'ing into a box with NFSv4/KRB5 mounted /home:

Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          example.com
Source RPM Packages           nfs-utils-1.3.1-6.0.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     example.com
Platform                      Linux example.com 3.18.5-201.fc21.x86_64
                              #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
Alert Count                   62
First Seen                    2015-01-17 19:37:59 CST
Last Seen                     2015-02-09 17:27:38 CST
Local ID                      4f76d5c9-904e-41d1-a566-6e406d8a487f

Raw Audit Messages
type=AVC msg=audit(1423524458.86:5957): avc:  denied  { read } for  pid=27767 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0


type=SYSCALL msg=audit(1423524458.86:5957): arch=x86_64 syscall=keyctl success=yes exit=ENODEV a0=b a1=3e6ecbe6 a2=7f59c4362080 a3=13 items=0 ppid=914 pid=27767 auid=4294967295 uid=1136600007 gid=1136600007 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 tty=(none) ses=4294967295 comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

Hash: rpc.gssd,gssd_t,sshd_t,key,read

Source Context                system_u:system_r:gssd_t:s0
Target Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Objects                Unknown [ key ]
Source                        rpc.gssd
Source Path                   /usr/sbin/rpc.gssd
Port                          <Unknown>
Host                          example.com
Source RPM Packages           nfs-utils-1.3.1-6.0.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     example.com
Platform                      Linux example.com 3.18.5-201.fc21.x86_64
                              #1 SMP Mon Feb 2 21:00:58 UTC 2015 x86_64 x86_64
Alert Count                   16
First Seen                    2015-01-17 19:37:59 CST
Last Seen                     2015-02-09 17:27:38 CST
Local ID                      a40cb096-dc84-41e8-8af1-6932c12e3b82

Raw Audit Messages
type=AVC msg=audit(1423524458.97:5984): avc:  denied  { write } for  pid=27767 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=key permissive=0


type=SYSCALL msg=audit(1423524458.97:5984): arch=x86_64 syscall=add_key success=no exit=EACCES a0=7f59c2ef89c4 a1=7f59c438bfd0 a2=7f59c438d0c0 a3=1fd items=0 ppid=914 pid=27767 auid=4294967295 uid=1136600007 gid=1136600007 euid=1136600007 suid=0 fsuid=1136600007 egid=1136600007 sgid=0 fsgid=1136600007 tty=(none) ses=4294967295 comm=rpc.gssd exe=/usr/sbin/rpc.gssd subj=system_u:system_r:gssd_t:s0 key=(null)

Hash: rpc.gssd,gssd_t,sshd_t,key,write

Comment 34 Fedora Update System 2015-02-15 03:29:14 UTC
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.