
Bug 2115691

Summary: selinux-policy AVC during ipa trust-add using selinux-policy-36.13-3.fc36
Product: Fedora
Reporter: anuja <amore>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 36
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Target Milestone: ---
Keywords: Reopened, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-36.15-1.fc36 selinux-policy-36.16-1.fc36
Last Closed: 2022-10-12 13:01:39 UTC
Type: Bug
Bug Blocks: 2114902

Description anuja 2022-08-05 07:11:30 UTC
Description of problem:

selinux-policy-36.13-3.fc36.noarch denies { sendto } to command smbcontrol.
The consequence is that running ipa trust-add leaves the user with a kerberos credential cache containing a ticket for cifs/<server> instead of the original one for admin.

Version-Release number of selected component (if applicable):
Fedora 36
freeipa-server-4.11.0.dev-0.fc36.x86_64
selinux-policy-36.13-3.fc36.noarch

How reproducible:

Systematic

Steps to Reproduce:
1. install IPA server with 
ipa-server-install -n ipa.test -r IPA.TEST -p Secret.123 -a Secret.123 --domain-level=1 -U --setup-dns --auto-forwarders --auto-reverse
2. configure as trust domain controller with
ipa-adtrust-install -U --enable-compat --netbios-name IPA -a Secret.123 --add-sids
3. obtain an admin ticket with
kinit admin
4. add a trust with AD:
ipa trust-add --type ad ad.test --admin Administrator --password
5. check the credential cache, it contains a ticket for cifs/master.ipa.test instead of admin

This is reproducible in our nightly tests, see for instance PR #6394 [1] with the test test_sssd [2]. The AVCs can be seen in the audit.log [3].

[1] https://github.com/freeipa/freeipa/pull/6394
[2] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38
[3] http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9e38f40a-13d2-11ed-8d3d-fa163e04db38/test_integration-test_sssd.py-TestSSSDWithAdTrust-install/master.ipa.test/var/log/audit/audit.log.gz

Comment 2 Zdenek Pytela 2022-08-05 07:39:09 UTC
It seems dontaudit rules were in place, but full auditing was not enabled.

This one looks like the only relevant denial:
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

Could you try the following local module:

  # cat local_winbindrpcd_krb.cil
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open search)))
(allow winbind_rpcd_t krb5_keytab_t (dir (getattr open read ioctl lock)))
  # semodule -i local_winbindrpcd_krb.cil

and run the test again?

Comment 3 Zdenek Pytela 2022-08-05 07:42:16 UTC
I actually meant this particular one:
----
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0


List of all denials run through audit2allow:

#============= NetworkManager_dispatcher_console_t ==============
allow NetworkManager_dispatcher_console_t default_context_t:dir search;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow NetworkManager_dispatcher_console_t etc_t:file { setattr unlink };
allow NetworkManager_dispatcher_console_t file_context_t:dir search;
allow NetworkManager_dispatcher_console_t file_context_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow NetworkManager_dispatcher_console_t file_context_t:file map;
allow NetworkManager_dispatcher_console_t security_t:dir read;
allow NetworkManager_dispatcher_console_t security_t:file write;
allow NetworkManager_dispatcher_console_t security_t:security compute_create;
allow NetworkManager_dispatcher_console_t self:process setfscreate;

#============= httpd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow httpd_t self:capability net_admin;

#============= krb5kdc_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow krb5kdc_t selinux_config_t:file read;

#============= oddjob_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow oddjob_t ipa_helper_t:process { rlimitinh siginh };

#============= smbd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow smbd_t winbind_rpcd_t:process { noatsecure rlimitinh siginh };

#============= winbind_rpcd_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow winbind_rpcd_t cert_t:dir search;
allow winbind_rpcd_t krb5_keytab_t:dir search;
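Added example (not from the bug report, audit2allow or the selinux-policy project): a minimal Python parser that turns `ausearch -i`-style AVC lines like the ones quoted above into CIL allow rules, merged per (source type, target type, class), so a triager can see the smallest local module a set of denials implies before deciding which of them are already covered by dontaudit rules or booleans. The sample input is constructed from the two denials quoted in this bug plus one invented line that shows permission merging.

```python
"""Turn 'avc: denied { perms } ... scontext= tcontext= tclass=' lines into CIL allow rules."""
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in this bug plus one invented line
# (getattr open on the krb5 keytab dir) to demonstrate merging of permissions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(08/04/2022 05:41:05.693:4233) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=pki dev="vda5" ino=5610 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.785:4234) : avc:  denied  { search } for  pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(08/04/2022 05:41:05.790:4235) : avc:  denied  { getattr open } for  pid=23438 comm=samba-dcerpcd name=krb5 dev="vda5" ino=12519 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
"""

# Permissions are inside braces; the three contexts always appear in this order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        "perms": set(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }


def denials_to_cil(audit_text):
    """Merge all denials with the same (source, target, class) into one CIL allow rule."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(rules.items())
    ]


if __name__ == "__main__":
    # Review the output before installing it with `semodule -i`; rules that
    # already have a dontaudit (cert_t here) usually should not be added.
    print("\n".join(denials_to_cil(SAMPLE_AUDIT)))
```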

Comment 7 Fedora Update System 2022-09-14 16:33:02 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 8 Fedora Update System 2022-09-15 02:21:29 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-09-22 01:17:22 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 11 Zdenek Pytela 2022-09-23 14:22:49 UTC
I backported all relevant commits so that the policy is synchronized with rawhide:
https://github.com/fedora-selinux/selinux-policy/pull/1409

Comment 12 Fedora Update System 2022-09-30 08:49:55 UTC
FEDORA-2022-0c59a07653 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

Comment 13 Fedora Update System 2022-10-01 02:13:00 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-0c59a07653`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-0c59a07653

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 anuja 2022-10-03 07:29:05 UTC
Using : selinux-policy-36.16-1.fc36.noarch

Tested with the latest build; it's working as expected.

Comment 15 Fedora Update System 2022-10-12 13:01:39 UTC
FEDORA-2022-0c59a07653 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.