#6958 [tracker] SELinux policy denies IPA framework to perform anonymous PKINIT on localhost during FAST armoring
Closed: fixed 6 years ago Opened 6 years ago by mbabinsk.

This issue is a tracker for SELinux policy:

Description of problem:

When installing/upgrading to ipa-server-4.5.0-9.el7, the password authentication to IPA framework (e.g. through WebUI login) fails due to the following SELinux denial visible only after setting 'semanage dontaudit off' on the host:

type=PROCTITLE msg=audit(1494934341.770:412): proctitle=2F7573722F62696E2F6B696E6974002D6E002D63002F7661722F72756E2F6970612F636361636865732F61726D6F725F3130333234002D5800583530395F616E63686F72730046494C453A2F7661722F6B65726265726F732F6B7262356B64632F6361636572742E70656D
type=PATH msg=audit(1494934341.770:412): item=0 name="/var/kerberos/krb5kdc/cacert.pem" inode=50484290 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5kdc_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1494934341.770:412):  cwd="/"
type=SYSCALL msg=audit(1494934341.770:412): arch=c000003e syscall=2 success=no exit=-13 a0=55da8eed5de5 a1=0 a2=1b6 a3=24 items=1 ppid=10324 pid=14635 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1494934341.770:412): avc:  denied  { read } for  pid=14635 comm="kinit" name="cacert.pem" dev="dm-0" ino=50484290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file

The reason is that to armor client AS_REQ performed during password auth, IPA framework must perform anonymous PKINIT using local KDC's CA anchors (/var/kerberos/krb5kdc/cacert.pem). That's why 'kinit' is running with httpd_t context, it is spawned from within the apache process serving the framework.

Since it is difficult to move the anchor file to a place accessible to both KDC and the framework, not speaking about maintaining multiple copies of the file, we would like to allow this domain transition in RHEL 7.4 SELinux policy.

Version-Release number of selected component (if applicable):

ipa-server-4.5.0-9.el7

How reproducible:

Always

Steps to Reproduce:
1. run 'semanage dontaudit off'
2. run ipa-server-install or upgrade from RHEL 7.3 ipa-server
3. try to login to WebUI or perform password auth against the framework e.g. using curl

Actual results:

The authentication fails. ausearch -m avc displays audit trail reported above.

Expected results:

Authentication succeeds and the session is established. No denials are observed in audit log.

Additional info:

See https://bugzilla.redhat.com/show_bug.cgi?id=1438729#c17 and later (may be private) for more info on the issue.
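An added example, not code from the ticket or from FreeIPA: a small Python parser that groups the audit records quoted above by event serial, decodes the PROCTITLE hex to show the exact kinit command that hit the denial, and derives the audit2allow-style rule the AVC implies. The rule string is an assumption about what a local policy module would need; the actual selinux-policy change made for this ticket is not on this page.

```python
import re
from collections import defaultdict
# Constructed sample: the four records quoted in the ticket, one per line,
# as 'ausearch -m avc' prints them (all share event serial 412).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1494934341.770:412): proctitle=2F7573722F62696E2F6B696E6974002D6E002D63002F7661722F72756E2F6970612F636361636865732F61726D6F725F3130333234002D5800583530395F616E63686F72730046494C453A2F7661722F6B65726265726F732F6B7262356B64632F6361636572742E70656D
type=PATH msg=audit(1494934341.770:412): item=0 name="/var/kerberos/krb5kdc/cacert.pem" inode=50484290 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:krb5kdc_conf_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(1494934341.770:412): arch=c000003e syscall=2 success=no exit=-13 a0=55da8eed5de5 a1=0 a2=1b6 a3=24 items=1 ppid=10324 pid=14635 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1494934341.770:412): avc:  denied  { read } for  pid=14635 comm="kinit" name="cacert.pem" dev="dm-0" ino=50484290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=file
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
DENY_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_record(line):
    """One audit record -> dict of its key=value fields plus serial and raw line."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"], rec["raw"] = SERIAL_RE.search(line).group(1), line
    return rec

def decode_proctitle(hexstr):
    """argv as the kernel captured it: hex, NUL-separated; nothing is rejoined."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def avc_to_allow(avc):
    """audit2allow-style rule a denial implies, or None if the AVC is not a denial.
    Assumption: the shipped policy fix may be narrower than a bare allow rule."""
    m = DENY_RE.search(avc["raw"])
    if not m:
        return None
    perms = " ".join(sorted(m.group(1).split()))
    src, tgt = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    return f"allow {src} {tgt}:{avc['tclass']} {{ {perms} }};"

def analyze(text):
    """Group records by serial; per denial report command, file and needed rule."""
    events = defaultdict(dict)
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial, recs in events.items():
        rule = avc_to_allow(recs["AVC"]) if "AVC" in recs else None
        if rule is None:
            continue
        pt = recs.get("PROCTITLE")
        findings.append({"serial": serial, "rule": rule,
                         "path": recs.get("PATH", {}).get("name"),
                         "argv": decode_proctitle(pt["proctitle"]) if pt else []})
    return findings
```

The decoded argv is returned exactly as the audit record holds it: the capture shows `X509_anchors` and `FILE:/var/kerberos/krb5kdc/cacert.pem` as separate NUL-delimited fields, and the decoder does not try to reassemble the `-X` option.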


Metadata Update from @mbabinsk:
- Custom field external_tracker adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1438729

6 years ago

The bz is fixed, closing.

Metadata Update from @pvoborni:
- Issue close_status updated to: fixed
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.5.2
- Issue status updated to: Closed (was: Open)

6 years ago

