This problem blocks SELinux confinement of ipa-custodia. Dan Walsh explains DAC_OVERRIDE in his blog post http://danwalsh.livejournal.com/69478.html. TL;DR: it allows root to access files although user/group ownership and permission bits say otherwise.
ipa-custodia runs as root. The process or some subprocesses (pki, certutil) are accessing files that are not readable by root. ipa-custodia wants to read:
```
# ls -lahZ /var/lib/ipa/ra-agent.pem /var/lib/ipa/ra-agent.key /etc/pki/pki-tomcat/alias /etc/pki/pki-tomcat/password.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_etc_rw_t:s0   77 Apr 20 17:13 /etc/pki/pki-tomcat/password.conf
-r--r-----. 1 root    ipaapi  system_u:object_r:ipa_var_lib_t:s0        1,7K Apr 20 16:10 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root    ipaapi  system_u:object_r:ipa_var_lib_t:s0        1,4K Apr 20 16:10 /var/lib/ipa/ra-agent.pem

/etc/pki/pki-tomcat/alias:
total 116K
drwxrwx---. 2 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0   4,0K Apr 20 17:13 .
drwxrwx---. 6 pkiuser pkiuser system_u:object_r:pki_tomcat_etc_rw_t:s0 4,0K Apr 20 22:56 ..
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    64K Apr 20 22:56 cert8.db
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    36K Apr 20 22:56 key3.db
-r--------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0     42 Apr 20 16:10 pwdfile.txt
-rw-------. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_cert_t:s0    16K Apr 20 16:09 secmod.db
```
I see two possible solutions:
1) chgrp root and chmod g+r the files and directories /etc/pki/pki-tomcat/alias, /etc/pki/pki-tomcat/alias/* and /etc/pki/pki-tomcat/password.conf
2) introduce an ipa-custodia user with groups ipaapi and pkiuser, chmod g+r all files and run ipa-custodia as that user.
Option (2) is more secure, as we would drop a privileged service and replace it with a more confined service. On the other hand, it's also more work. ipa-custodia uses LDAPI to authenticate and binds as uid=0,gid=0 via LDAPI auto-bind. It would be necessary to replace it with different bindings, e.g. an ipa-custodia service keytab or a statically allocated uid/gid.
Metadata Update from @cheimes: - Custom field blocking adjusted to 6788 - Issue marked as blocking: #6788
The changes listed in (1) are not enough. It's also necessary to change /etc/pki/pki-tomcat to group root and allow g+x. The alias directory and *.db must be group readable/writeable because ipa-custodia also writes to the files.
The script https://github.com/latchset/ipa-custodia-selinux/blob/master/fix_perm.sh tends to all permissions and SELinux context. I'm able to run ipa-replica-install, ipa-ca-install, ipa-kra-install and ipa ca-add without AVC.
More details about the ipa-custodia policy are in issue #6788 (in later comments).
Option (2) has an additional gotcha. ipa-custodia reads and writes the DM password hash from cn=config, attribute nsslapd-rootpw. By default root / Directory Manager are allowed to read or change the password hash.
Required permission changes:

Before:

```
drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat
drwxrwx---. pkiuser pkiuser /etc/pki/pki-tomcat/alias
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/cert8.db
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/secmod.db
-rw-rw----. pkiuser pkiuser /etc/pki/pki-tomcat/password.conf
```

After:

```
drwxrwx---. pkiuser root    /etc/pki/pki-tomcat
drwxrwx---. pkiuser root    /etc/pki/pki-tomcat/alias
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/cert8.db
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/key3.db
-r--------. pkiuser pkiuser /etc/pki/pki-tomcat/alias/pwdfile.txt
-rw-rw----. pkiuser root    /etc/pki/pki-tomcat/alias/secmod.db
-rw-r-----. pkiuser root    /etc/pki/pki-tomcat/password.conf
```
Metadata Update from @pvoborni: - Issue priority set to: major - Issue set to the milestone: FreeIPA 4.7
master:
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone