#7529 AVC denials and errors for IPA server installed on Fedora28
Closed: fixed 5 years ago Opened 5 years ago by sumenon.

Request for enhancement

Issue

AVC denials and errors are seen for IPA Server installed on Fedora28

Steps to Reproduce

  1. Install IPA Server
  2. Add debug=true in ipa.conf and restart httpd.service
  3. Check the messages and error_log file.

Actual behavior

  1. Error messages and AVC Denials
    May 3 16:39:41 master systemd[1]: Started One-time temporary TLS key generation for httpd.service.
    May 3 16:39:41 master systemd[1]: Starting The Apache HTTP Server...
    May 3 16:39:42 master ipa-httpd-kdcproxy[2735]: ipa: INFO: KDC proxy enabled
    May 3 16:39:42 master ipa-httpd-kdcproxy[2735]: ipa-httpd-kdcproxy: INFO KDC proxy enabled
    May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.433673 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to create key file /etc/httpd/alias/ipasession.key: No such file or directory
    May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.433924 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to open key file /etc/httpd/alias/ipasession.key
    May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.434043 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to create key file /etc/httpd/alias/ipasession.key: No such file or directory
    May 3 16:39:42 master httpd[2738]: [Thu May 03 16:39:42.434082 2018] [auth_gssapi:error] [pid 2738:tid 140610847561984] Failed to open key file /etc/httpd/alias/ipasession.key
    May 3 16:39:42 master systemd[1]: Started The Apache HTTP Server.

  2. AVC Denials related to gssproxy
    May 3 16:39:42 master audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
    May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
    May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
    May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
    May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
    May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
    May 3 16:42:48 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
    May 3 16:42:48 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)

Expected behavior

Fix the AVC and error messages.

Version/Release/Distribution

freeipa-server-4.6.90.pre1-6.1.fc28.x86_64
freeipa-client-4.6.90.pre1-6.1.fc28.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.0.6-2.fc28.x86_64
pki-ca-10.6.0-1.fc28.noarch
krb5-server-1.16-21.fc28.x86_64

Additional info:

The directory /etc/httpd/alias is created by mod_nss. Either we have to create the directory in the installer or move the file to /var/lib/ipa/private/.

I think the latter is preferred.

I tried /var/lib/ipa/private/ipasession.key, /var/lib/ipa/ipasession.key, and /var/lib/httpd/ipasession.key. In all cases, SELinux prevents httpd from creating the file.

I don't think we'll get a new SELinux policy for the session file in time. I'm going to create /etc/httpd/alias for now and we can move the file in 4.7.1.

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1905
- Issue assigned to cheimes
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.7

5 years ago

/etc/httpd/alias is owned by mod_nss; would this not cause confusion?

master:

  • 49b4a05 Create missing /etc/httpd/alias for ipasession.key

The gssproxy AVCs are a red herring, apparently related to NFS not being enabled/used.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
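Added example, not code from the ticket or from the FreeIPA project: a small Python parser that groups the AVC records quoted in the report by subject, target and permission, so the repeated gssproxy sys_ptrace denials collapse into one row with a count and a time span, and that flags capability checks (scontext equal to tcontext), which is what distinguishes them from a file-access denial such as httpd being blocked from creating ipasession.key. The embedded log lines are copied from the ticket; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the journal lines quoted in the ticket, plus the
# non-AVC SERVICE_START record and a plain gssproxy message that the parser must
# skip. Real input would be `journalctl -o short` output or /var/log/audit/audit.log.
SAMPLE_LOG = """\
May 3 16:39:42 master audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:40:07 master gssproxy[704]: gssproxy[728]: Unexpected failure in realpath: 13 (Permission denied)
May 3 16:40:07 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
May 3 16:42:48 master audit[728]: AVC avc: denied { sys_ptrace } for pid=728 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=0
"""

TIME_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")  # syslog prefix "May 3 16:40:07"
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, fields = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(fields)}
    rec["verdict"] = verdict
    rec["perms"] = " ".join(sorted(perms.split()))  # "{ write read }" -> "read write"
    t = TIME_RE.match(line)
    rec["time"] = t.group(1) if t else None
    return rec

def is_self_capability_check(rec):
    """tclass=capability is checked against the process's own domain, so scontext ==
    tcontext: the denied object is a capability (CAP_SYS_PTRACE is 19), not a file."""
    return rec.get("tclass") == "capability" and rec.get("scontext") == rec.get("tcontext")

def summarize_denials(log_text):
    """One row per (comm, tclass, perms, scontext, tcontext): count, first/last time,
    and whether every instance had permissive=0, i.e. the access was really blocked."""
    rows = defaultdict(lambda: {"count": 0, "first": None, "last": None, "enforced": True})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec.get("comm"), rec.get("tclass"), rec["perms"], rec.get("scontext"), rec.get("tcontext"))
        row = rows[key]
        row["count"] += 1
        row["first"] = row["first"] or rec["time"]
        row["last"] = rec["time"]
        row["enforced"] = row["enforced"] and rec.get("permissive") == "0"
    return dict(rows)
```

Run on the sample, the four quoted denials reduce to a single gssproxy/capability/sys_ptrace row spanning 16:40:07 to 16:42:48, which is the shape to look for when deciding whether a denial is the one under investigation or, as here, unrelated background noise.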