Bug 1559677 - SELinux denials for FreeIPA in Fedora 28
Summary: SELinux denials for FreeIPA in Fedora 28
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F28BetaFreezeException
Reported: 2018-03-23 01:49 UTC by Adam Williamson
Modified: 2018-03-26 22:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-26 22:31:01 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2018-03-23 01:49:13 UTC
In testing of FreeIPA on Fedora 28, the following SELinux denials are seen:

----
time->Thu Mar 22 18:16:03 2018
type=AVC msg=audit(1521756963.093:152): avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:16:28 2018
type=AVC msg=audit(1521756988.533:164): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/17618" dev="proc" ino=341800 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:17:14 2018
type=AVC msg=audit(1521757034.445:180): avc:  denied  { map } for  pid=18441 comm="java" path="/tmp/hsperfdata_pkiuser/18441" dev="tmpfs" ino=346884 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:18:12 2018
type=AVC msg=audit(1521757092.225:196): avc:  denied  { map } for  pid=18940 comm="java" path="/tmp/hsperfdata_pkiuser/18940" dev="tmpfs" ino=352009 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
----
time->Thu Mar 22 18:18:27 2018
type=AVC msg=audit(1521757107.891:204): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/19138" dev="proc" ino=355578 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:20:43 2018
type=AVC msg=audit(1521757243.481:100): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/800" dev="proc" ino=23814 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:20:53 2018
type=AVC msg=audit(1521757253.818:189): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/1426" dev="proc" ino=29955 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
----
time->Thu Mar 22 18:21:01 2018
type=AVC msg=audit(1521757261.950:208): avc:  denied  { map } for  pid=1931 comm="java" path="/tmp/hsperfdata_pkiuser/1931" dev="tmpfs" ino=32077 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0

None of these leads to an obvious failure in the tests, but of course they could be affecting non-tested functionality, or have a subtle effect. The gssproxy one at least seems related to error messages from gssproxy:

Mar 22 15:18:27 ipa001.domain.local audit[17591]: AVC avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/19138" dev="proc" ino=355578 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
Mar 22 15:18:27 ipa001.domain.local gssproxy[17590]: gssproxy[17591]: Unexpected failure in realpath: 13 (Permission denied)
Mar 22 15:18:27 ipa001.domain.local gssproxy[17591]: Unexpected failure in realpath: 13 (Permission denied)

The Java ones appear to happen on certificate import, though no obvious errors are shown:

Mar 22 15:16:02 ipa001.domain.local pkidaemon[17013]: Exporting SSL server certificate and key into keystore.
Mar 22 15:16:03 ipa001.domain.local audit[17159]: AVC avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: ----------------------------------------------
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: Imported certificate "Server-Cert cert-pki-ca"
Mar 22 15:16:03 ipa001.domain.local pkidaemon[17013]: ----------------------------------------------

Proposing as a freeze exception issue for Beta, it'd be nice to clean these up for the release.
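The AVC records quoted in this report share only a handful of (source domain, target type, class, permission) tuples, which is what a policy maintainer triages, not the individual pids and inodes. The following Python is an added example, not code from the bug report or from the selinux-policy package: it parses both the raw audit format (`type=AVC msg=audit(...)`) and the journal format (`audit[pid]: AVC avc: ...`) seen above, groups the denials by domain/type/class, and renders the same `allow` skeleton that audit2allow would propose, so you can see how the eight denials collapse to three rules. The sample lines are constructed by copying records from the report; field names follow the kernel's AVC output.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the bug report above, one of them in
# the journald rendering rather than the raw audit.log rendering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1521756963.093:152): avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1521756988.533:164): avc:  denied  { getattr } for  pid=17591 comm="gssproxy" path="/proc/17618" dev="proc" ino=341800 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1521757243.481:100): avc:  denied  { getattr } for  pid=785 comm="gssproxy" path="/proc/800" dev="proc" ino=23814 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssd_t:s0 tclass=dir permissive=0
Mar 22 15:16:03 ipa001.domain.local audit[17159]: AVC avc:  denied  { map } for  pid=17159 comm="java" path="/tmp/hsperfdata_pkiuser/17159" dev="tmpfs" ino=339175 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_tmp_t:s0 tclass=file permissive=0
"""

# The "msg=audit(ts:serial):" prefix is present in audit.log but absent in the
# journal rendering, so it is optional; "avc: denied { perms } for" is common.
AVC_RE = re.compile(
    r'(?:msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*)?'
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")) if m.group("ts") else None,
        "serial": int(m.group("serial")) if m.group("serial") else None,
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A security context is user:role:type:level; the level may itself contain
    # colons (an MLS range), so split at most three times.
    for side in ("scontext", "tcontext"):
        _user, _role, typ, _level = rec[side].split(":", 3)
        rec[side + "_type"] = typ
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(text):
    """Group denied accesses by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["count"] += 1
        groups[key]["comms"].add(rec["comm"])
    return dict(groups)


def to_te_rules(summary):
    """Render each group as the allow rule audit2allow would propose.

    Each line still needs a maintainer's judgement: a denial shows that the
    access was attempted, not that the domain legitimately needs it.
    """
    rules = []
    for (src, tgt, cls), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT)
    for key, info in sorted(summary.items()):
        print(f"{key}: {info['count']} denial(s) from {sorted(info['comms'])}")
    print("\n".join(to_te_rules(summary)))
```

Run against the full set of records in the report, the output is exactly three rules: `pki_tomcat_t` mapping its own tmp files, and `gssproxy_t` reading `/proc/<pid>` directories labelled `httpd_t` and `gssd_t` (the `realpath` call that fails with `Permission denied` in the gssproxy log). The journal and audit.log forms of the same event parse to the same grouping, which matters when you are correlating `journalctl` output with `ausearch` output as the reporter does above.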

Comment 1 Fedora Update System 2018-03-26 17:31:35 UTC
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345

Comment 2 Geoffrey Marr 2018-03-26 18:56:19 UTC
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as it's desirable to avoid SELinux denials to a blocker path function (FreeIPA server), and SELinux policy easing is a very safe activity.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt

Comment 3 Fedora Update System 2018-03-26 21:50:09 UTC
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4

Comment 4 Fedora Update System 2018-03-26 22:31:01 UTC
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
