AVC denials and errors are seen for IPA Server installed on Fedora28
Error messages and AVC Denials

May 3 16:39:41 master systemd[1]: Started One-time temporary TLS key generation for httpd.service.
May 3 16:39:41 master systemd[1]: Starting The Apache HTTP Server...
May 3 16:39:42 master ipa-httpd-kdcproxy[2735]: ipa: INFO: KDC proxy enabled
May 3 16:39:42 master ipa-httpd-kdcproxy[2735]: ipa-httpd-kdcproxy: INFO KDC proxy enabled
May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.433673 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to create key file /etc/httpd/alias/ipasession.key: No such file or directory
May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.433924 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to open key file /etc/httpd/alias/ipasession.key
May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.434043 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to create key file /etc/httpd/alias/ipasession.key: No such file or directory
May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.434082 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to open key file /etc/httpd/alias/ipasession.key
May 3 16:39:42 master systemd[1]: Started The Apache HTTP Server.
AVC Denials related to gssproxy

May 3 16:39:42 master audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
May 3 16:42:48 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:42:48 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
Fix the AVC and error messages.
freeipa-server-4.6.90.pre1-6.1.fc28.x86_64
freeipa-client-4.6.90.pre1-6.1.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.6-2.fc28.x86_64
pki-ca-10.6.0-1.fc28.noarch
krb5-server-1.16-21.fc28.x86_64
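When triaging an excerpt like the one above, the useful view is the set of distinct denials (source domain, command, object class, permission, enforcing or permissive) and how often each repeats, rather than the raw journal. The parser and aggregator below are an added example written for this page, not code from FreeIPA or from this ticket; SAMPLE_JOURNAL is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the journal excerpt in this ticket:
# one unrelated SERVICE_START record, three identical denials, one app error.
SAMPLE_JOURNAL = """\
May 3 16:39:42 master audit[1]: SERVICE_START pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" res=success'
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:42:48 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
"""

# Shape of a record: AVC avc: denied { perm1 perm2 } for key=value key="quoted" ...
AVC_RE = re.compile(r"AVC avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one journal line; return a dict for an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    scontext = fields.get("scontext", "")
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        # third component of a context is the type (domain), e.g. gssproxy_t
        "sdomain": scontext.split(":")[2] if scontext.count(":") >= 2 else None,
        "tclass": fields.get("tclass"),
        # permissive=0 means the kernel really blocked the access (hence the
        # "Permission denied" the application logs right after it)
        "enforced": fields.get("permissive") == "0",
    }


def summarize_denials(journal_text):
    """Collapse repeated denials: (domain, comm, tclass, perms, enforced) -> count."""
    counts = Counter()
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            counts[(rec["sdomain"], rec["comm"], rec["tclass"], rec["perms"], rec["enforced"])] += 1
    return counts


if __name__ == "__main__":
    for (domain, comm, tclass, perms, enforced), n in summarize_denials(SAMPLE_JOURNAL).items():
        print(f"{n}x {domain} ({comm}) {tclass}: {' '.join(perms)} [{'enforced' if enforced else 'permissive'}]")
```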
The directory /etc/httpd/alias is created by mod_nss. Either we have to create the directory in the installer or move the file to /var/lib/ipa/private/.
I think the latter is preferred.
I tried /var/lib/ipa/private/ipasession.key, /var/lib/ipa/ipasession.key, and /var/lib/httpd/ipasession.key. In all cases, SELinux prevents httpd from creating the file.
I don't think we'll get a new SELinux policy for session file in time. I'm going to create /etc/httpd/alias for now and we can move the file in 4.7.1.
Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1905
- Issue assigned to cheimes
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.7
/etc/httpd/alias is owned by mod_nss, would this not cause confusion?
master:
The gssproxy AVCs are a red herring, apparently related to NFS not being enabled/used.
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
(The gssproxy messages are tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1578097 )