#6788 Run ipa-custodia with custom SELinux context
Opened 2 years ago by cheimes. Modified 2 years ago

A standard Custodia daemon can work with limited permissions and as a non-root user. However, an ipa-custodia instance requires more privileges and access to very sensitive files in order to provide functionality for ipa-replica-install. Therefore it must run as the root user with a different SELinux context.

Custodia must be able to read:

  • /etc/pki/pki-tomcat/alias
  • /var/lib/ipa/ra-agent.pem
  • /var/lib/ipa/ra-agent.key

Additional resources:

  • /run/httpd/ipa-custodia.sock UNIX socket bind
  • /var/log/ipa-custodia.audit.log create and write
  • /etc/ipa/custodia/server.keys CRUD
  • /etc/ipa/custodia/* read
  • /var/run/slapd-socket UNIX socket connect

For reference, here is an old Custodia ticket that explains the SELinux policies in greater detail: https://github.com/latchset/custodia/issues/56

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434032

2 years ago

Metadata Update from @pvoborni:
- Issue priority set to: 1
- Issue set to the milestone: FreeIPA 4.5.1

2 years ago

Metadata Update from @pvoborni:
- Issue assigned to cheimes

2 years ago

Metadata Update from @pvoborni:
- Issue tagged with: integration, rfe

2 years ago

ipa-4-5:

  • 403263d Use Custodia 0.3.1 features

master:

  • f5bf546 Use Custodia 0.3.1 features

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

simple policy

sepolicy generate --init -u system_u -r system_r -n ipa_custodia -w /etc/ipa/custodia -- /usr/libexec/ipa/ipa-custodia

Service start

type=SERVICE_START msg=audit(1492619860.221:1135): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-custodia comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1492619860.226:1136): avc:  denied  { execute } for  pid=32681 comm="ipa-custodia" path="/usr/bin/python2.7" dev="vda3" ino=99582 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1137): avc:  denied  { read } for  pid=32681 comm="ipa-custodia" name="passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1138): avc:  denied  { open } for  pid=32681 comm="ipa-custodia" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1139): avc:  denied  { getattr } for  pid=32681 comm="ipa-custodia" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1140): avc:  denied  { execute } for  pid=32682 comm="ipa-custodia" name="ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1141): avc:  denied  { read open } for  pid=32682 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1142): avc:  denied  { execute_no_trans } for  pid=32682 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.386:1143): avc:  denied  { getattr } for  pid=32681 comm="ipa-custodia" path="/run/httpd/ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619860.386:1144): avc:  denied  { write } for  pid=32681 comm="ipa-custodia" name="httpd" dev="tmpfs" ino=18434 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1145): avc:  denied  { remove_name } for  pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1146): avc:  denied  { unlink } for  pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619860.386:1147): avc:  denied  { add_name } for  pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1148): avc:  denied  { create } for  pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1

ipa-replica-install on other machine

type=AVC msg=audit(1492619971.570:1165): avc:  denied  { connectto } for  pid=32033 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492619971.615:1166): avc:  denied  { read } for  pid=32707 comm="ipa-custodia" name="resolv.conf" dev="vda3" ino=4302896 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1492619971.615:1167): avc:  denied  { read } for  pid=32707 comm="ipa-custodia" name="resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1168): avc:  denied  { open } for  pid=32707 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1169): avc:  denied  { getattr } for  pid=32707 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1170): avc:  denied  { write } for  pid=32707 comm="ipa-custodia" name="slapd-IPA-EXAMPLE.socket" dev="tmpfs" ino=138276 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619971.617:1171): avc:  denied  { connectto } for  pid=32707 comm="ipa-custodia" path="/run/slapd-IPA-EXAMPLE.socket" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492619971.623:1172): avc:  denied  { dac_override } for  pid=32707 comm="ipa-custodia" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492619971.624:1173): avc:  denied  { search } for  pid=32707 comm="ipa-custodia" name="pki-tomcat" dev="vda3" ino=4194412 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.624:1174): avc:  denied  { read } for  pid=32707 comm="ipa-custodia" name="password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1175): avc:  denied  { open } for  pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1176): avc:  denied  { getattr } for  pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.625:1177): avc:  denied  { write } for  pid=32707 comm="ipa-custodia" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.625:1178): avc:  denied  { add_name } for  pid=32707 comm="ipa-custodia" name="tmp1NDOoL" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.626:1179): avc:  denied  { create } for  pid=32707 comm="ipa-custodia" name="tmp1NDOoL" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.626:1180): avc:  denied  { create } for  pid=32707 comm="ipa-custodia" name="nsspwfile" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.626:1181): avc:  denied  { write open } for  pid=32707 comm="ipa-custodia" path="/tmp/tmp1NDOoL/nsspwfile" dev="tmpfs" ino=145681 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.628:1182): avc:  denied  { execute } for  pid=32708 comm="ipa-custodia" name="pk12util" dev="vda3" ino=105109 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.628:1183): avc:  denied  { execute_no_trans } for  pid=32708 comm="ipa-custodia" path="/usr/bin/pk12util" dev="vda3" ino=105109 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1184): avc:  denied  { getattr } for  pid=32708 comm="pk12util" path="/etc/pki/pki-tomcat/alias/secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1185): avc:  denied  { read } for  pid=32708 comm="pk12util" name="secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1186): avc:  denied  { open } for  pid=32708 comm="pk12util" path="/etc/pki/pki-tomcat/alias/secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1187): avc:  denied  { getattr } for  pid=32708 comm="pk12util" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1188): avc:  denied  { read } for  pid=32708 comm="pk12util" name="passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1189): avc:  denied  { open } for  pid=32708 comm="pk12util" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.632:1190): avc:  denied  { read } for  pid=32708 comm="pk12util" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.632:1191): avc:  denied  { write } for  pid=32708 comm="pk12util" name="cert8.db" dev="vda3" ino=12660087 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.639:1192): avc:  denied  { remove_name } for  pid=32707 comm="ipa-custodia" name="pk12file" dev="tmpfs" ino=145686 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.639:1193): avc:  denied  { unlink } for  pid=32707 comm="ipa-custodia" name="pk12file" dev="tmpfs" ino=145686 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.639:1194): avc:  denied  { rmdir } for  pid=32707 comm="ipa-custodia" name="tmp1NDOoL" dev="tmpfs" ino=145680 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.641:1195): avc:  denied  { write } for  pid=32707 comm="ipa-custodia" name="/" dev="vda3" ino=96 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.641:1196): avc:  denied  { add_name } for  pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.642:1197): avc:  denied  { create } for  pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1198): avc:  denied  { read append } for  pid=32707 comm="ipa-custodia" name="custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1199): avc:  denied  { open } for  pid=32707 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1200): avc:  denied  { getattr } for  pid=32707 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1201): avc:  denied  { read } for  pid=32716 comm="openssl" name="openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1202): avc:  denied  { open } for  pid=32716 comm="openssl" path="/etc/pki/tls/openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1203): avc:  denied  { getattr } for  pid=32716 comm="openssl" path="/etc/pki/tls/openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1204): avc:  denied  { read } for  pid=32716 comm="openssl" name="ra-agent.pem" dev="vda3" ino=4593205 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1205): avc:  denied  { open } for  pid=32716 comm="openssl" path="/var/lib/ipa/ra-agent.pem" dev="vda3" ino=4593205 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1206): avc:  denied  { getattr } for  pid=32716 comm="openssl" path="/var/lib/ipa/ra-agent.key" dev="vda3" ino=4593204 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

ipa-ca-install (remote)

No AVC?

ipa-kra-install (remote)

type=AVC msg=audit(1492620275.833:1207): avc:  denied  { write } for  pid=369 comm="ipa-custodia" name="slapd-IPA-EXAMPLE.socket" dev="tmpfs" ino=138276 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492620275.854:1208): avc:  denied  { read append } for  pid=369 comm="ipa-custodia" name="custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.854:1209): avc:  denied  { open } for  pid=369 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.854:1210): avc:  denied  { getattr } for  pid=369 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.960:1220): avc:  denied  { connectto } for  pid=371 comm="ipa-custodia" path="/run/slapd-IPA-EXAMPLE.socket" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1

ipa ca-add (remote or local)

type=AVC msg=audit(1492620422.930:1224): avc:  denied  { connectto } for  pid=32037 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492620422.990:1225): avc:  denied  { write } for  pid=426 comm="ipa-custodia" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1226): avc:  denied  { add_name } for  pid=426 comm="ipa-custodia" name="tmpXRGWNf" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1227): avc:  denied  { create } for  pid=426 comm="ipa-custodia" name="tmpXRGWNf" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1228): avc:  denied  { create } for  pid=426 comm="ipa-custodia" name="nsspwfile" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620422.990:1229): avc:  denied  { write open } for  pid=426 comm="ipa-custodia" path="/tmp/tmpXRGWNf/nsspwfile" dev="tmpfs" ino=147831 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1230): avc:  denied  { execute } for  pid=428 comm="pki" name="ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1231): avc:  denied  { read open } for  pid=428 comm="pki" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1232): avc:  denied  { execute_no_trans } for  pid=428 comm="pki" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.040:1233): avc:  denied  { execute } for  pid=429 comm="pki" name="bash" dev="vda3" ino=54879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.040:1234): avc:  denied  { execute_no_trans } for  pid=429 comm="pki" path="/usr/bin/bash" dev="vda3" ino=54879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.049:1235): avc:  denied  { read } for  pid=433 comm="java" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.050:1236): avc:  denied  { read } for  pid=433 comm="java" name="hsperfdata_root" dev="tmpfs" ino=147840 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.050:1237): avc:  denied  { execmem } for  pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1492620423.252:1238): avc:  denied  { create } for  pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492620423.252:1239): avc:  denied  { read } for  pid=433 comm="java" name="if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.252:1240): avc:  denied  { open } for  pid=433 comm="java" path="/proc/433/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.252:1241): avc:  denied  { getattr } for  pid=433 comm="java" path="/proc/433/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.255:1242): avc:  denied  { getattr } for  pid=433 comm="java" path="/etc/pki/pki-tomcat/alias" dev="vda3" ino=12660069 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.288:1243): avc:  denied  { read } for  pid=433 comm="java" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.288:1244): avc:  denied  { open } for  pid=433 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.288:1245): avc:  denied  { getattr } for  pid=433 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.338:1246): avc:  denied  { read } for  pid=433 comm="java" name="cacerts" dev="vda3" ino=74910 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1492620423.339:1247): avc:  denied  { getattr } for  pid=433 comm="java" path="/etc/pki/ca-trust/extracted/java/cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.339:1248): avc:  denied  { read } for  pid=433 comm="java" name="cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.339:1249): avc:  denied  { open } for  pid=433 comm="java" path="/etc/pki/ca-trust/extracted/java/cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.756:1250): avc:  denied  { remove_name } for  pid=433 comm="java" name="433" dev="tmpfs" ino=147841 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.756:1251): avc:  denied  { unlink } for  pid=433 comm="java" name="433" dev="tmpfs" ino=147841 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.770:1252): avc:  denied  { rmdir } for  pid=426 comm="ipa-custodia" name="tmpXRGWNf" dev="tmpfs" ino=147830 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620450.606:1253): avc:  denied  { execute } for  pid=482 comm="ipa-custodia" name="pki" dev="vda3" ino=830563 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620450.606:1254): avc:  denied  { execute_no_trans } for  pid=482 comm="ipa-custodia" path="/usr/bin/pki" dev="vda3" ino=830563 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

type=AVC msg=audit(1492620601.214:1255): avc:  denied  { read } for  pid=592 comm="java" name="if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620601.214:1256): avc:  denied  { open } for  pid=592 comm="java" path="/proc/592/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620601.214:1257): avc:  denied  { getattr } for  pid=592 comm="java" path="/proc/592/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1

type=AVC msg=audit(1492620638.926:1258): avc:  denied  { read } for  pid=617 comm="ipa-custodia" name="resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.926:1259): avc:  denied  { open } for  pid=617 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.926:1260): avc:  denied  { getattr } for  pid=617 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.995:1261): avc:  denied  { execmem } for  pid=624 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1492620639.221:1262): avc:  denied  { create } for  pid=624 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492620639.250:1263): avc:  denied  { read } for  pid=624 comm="java" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.250:1264): avc:  denied  { open } for  pid=624 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.250:1265): avc:  denied  { getattr } for  pid=624 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.299:1266): avc:  denied  { read } for  pid=624 comm="java" name="cacerts" dev="vda3" ino=74910 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
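An added example (not code from this ticket, FreeIPA or Custodia) in Python that does by hand what audit2allow does with a permissive-mode log like the one above: it parses the AVC records, merges them into candidate allow rules keyed by source type, target type and object class, and flags the denials that deserve a human decision instead of an allow rule (dac_override, execmem, and writes into types the module does not own, such as the audit log being created in / as root_t). The sample input is a constructed excerpt in the shape of this ticket's log; the review heuristics are the author's, not part of any FreeIPA policy.

```python
"""Aggregate SELinux AVC denials into candidate allow rules and flag the ones
that need a human look before they go into a policy module."""
import re
from collections import defaultdict

# Constructed sample input in the shape of the audit log in this ticket
# (one non-AVC record included to show that it is skipped).
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(1492619860.221:1135): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=ipa-custodia comm="systemd" res=success'
type=AVC msg=audit(1492619971.570:1165): avc:  denied  { connectto } for  pid=32033 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492619971.623:1172): avc:  denied  { dac_override } for  pid=32707 comm="ipa-custodia" capability=1  scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492619971.624:1174): avc:  denied  { read } for  pid=32707 comm="ipa-custodia" name="password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1175): avc:  denied  { open } for  pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.632:1191): avc:  denied  { write } for  pid=32708 comm="pk12util" name="cert8.db" dev="vda3" ino=12660087 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1197): avc:  denied  { create } for  pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.050:1237): avc:  denied  { execmem } for  pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
"""

# "avc:  denied  { read open } for  pid=... key=value ..." -> permissions and fields
AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial: perms (set), stype, ttype, tclass, comm, target."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SERVICE_START, SYSCALL, ... are not denials
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "perms": set(m.group("perms").split()),
            # the type is the third component of user:role:type:level
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", "?"),
            "target": fields.get("path") or fields.get("name") or "",
        })
    return records


def aggregate(records):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, the way audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render aggregated denials as policy-language allow statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


# Review heuristics (this example's own, not FreeIPA's): denials that should not be
# copied into the policy without a reason.
WRITE_PERMS = {"write", "create", "append", "unlink", "add_name", "remove_name", "rename", "rmdir", "setattr"}
# Types this daemon's module does not own: a write there usually means a file is in the wrong place.
FOREIGN_WRITE_TYPES = {"root_t", "pki_tomcat_cert_t", "etc_t", "bin_t", "shell_exec_t"}
REVIEW_PERMS = {("capability", "dac_override"): "bypasses DAC; typically hides a file-ownership bug",
                ("process", "execmem"): "writable+executable memory; expected for the JVM only"}


def review(rules):
    """Return [(rule_key, reason)] for rules that need a decision rather than a plain allow."""
    flagged = []
    for (s, t, c), perms in sorted(rules.items()):
        for perm in sorted(perms):
            if (c, perm) in REVIEW_PERMS:
                flagged.append(((s, t, c), f"{perm}: {REVIEW_PERMS[(c, perm)]}"))
        if t in FOREIGN_WRITE_TYPES and perms & WRITE_PERMS:
            flagged.append(((s, t, c), f"writes to {t}: relabel or move the file instead of allowing"))
    return flagged


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_AUDIT))
    print("\n".join(allow_rules(rules)))
    for key, why in review(rules):
        print("REVIEW", key, why)
```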

Cheimes,
I added almost all AVCs from your log. Could you repeat the scenario with the new policy?

Thanks.

ipa-custodia-selinux.tar.gz

Metadata Update from @cheimes:
- Issue status updated to: Open (was: Closed)

2 years ago

PS: So far I have tested the policy on F25 only. It needs to be tested on F26 and RHEL 7.4, too.

I have released a first version of the SELinux policy for ipa-custodia. The policy won't work until /usr/libexec/ipa/ipa-custodia-fixperm.sh is executed after ipa-server-install or ipa-replica-install.

https://github.com/latchset/ipa-custodia-selinux/releases/tag/v0.1.0

As discussed in another channel, finishing this bug in 4.5.1 is out of scope.

Metadata Update from @pvoborni:
- Issue priority set to: critical (was: blocker)
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5.1)

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
