#8412 AVC: httpd cannot connect to ipa-custodia.sock
Closed: fixed 2 years ago by frenaud. Opened 3 years ago by cheimes.

Issue

SELinux policy module ipa.te is missing a rule from apache.te for the ipa_custodia_stream_connect interface. The missing policy causes an AVC and a failing installation:

type=AVC msg=audit(1594745346.857:2709): avc:  denied  { connectto } for  pid=32294 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=0

Steps to Reproduce

  1. install FreeIPA master and replica
  2. check for AVC

Actual behavior

HTTPd is unable to connect to ipa-custodia Unix socket.

Expected behavior

No AVC

Version/Release/Distribution

Current master and latest 4.8 release on RHEL

Additional info:

Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
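
A small parser for this kind of AVC record, added here as an example (it is not code from the ticket or from FreeIPA): it pulls the verdict, the permission set and the key=value fields out of an audit line, flags the httpd_t to ipa_custodia_t connectto denial the ticket describes, and prints the raw allow statement that denial corresponds to. The sample log is constructed: only its first line is the record quoted above; the SYSCALL line and the var_log_t denial are made up to exercise the filtering.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records: the AVC line quoted in the ticket, a
# SYSCALL record of the kind that accompanies it, and one unrelated httpd
# denial logged in permissive mode. Only the first line comes from the ticket.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594745346.857:2709): avc:  denied  { connectto } for  pid=32294 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1594745346.857:2709): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1594745400.123:2710): avc:  denied  { read } for  pid=4242 comm="httpd" name="example.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." -> verdict, permission
# set inside the braces, and the trailing key=value fields.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either double-quoted or a run of non-space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str   # "denied" or "granted"
    perms: tuple   # permissions listed inside the braces
    fields: dict   # scontext, tcontext, tclass, comm, path, pid, ...

    def source_type(self) -> str:
        # user:role:type:level -> the type is the third component
        return self.fields["scontext"].split(":")[2]

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def enforced(self) -> bool:
        # permissive=0 means the access really was blocked
        return self.fields.get("permissive") == "0"


def parse_avc(line: str):
    """Return an AvcRecord for an AVC audit line, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(m.group("verdict"), tuple(m.group("perms").split()), fields)


def parse_audit_log(text: str) -> list:
    return [rec for rec in map(parse_avc, text.splitlines()) if rec is not None]


def is_custodia_socket_denial(rec: AvcRecord) -> bool:
    """The denial from the ticket: httpd_t -> ipa_custodia_t, connectto on a
    unix_stream_socket."""
    return (
        rec.verdict == "denied"
        and "connectto" in rec.perms
        and rec.source_type() == "httpd_t"
        and rec.target_type() == "ipa_custodia_t"
        and rec.fields.get("tclass") == "unix_stream_socket"
    )


def raw_allow_rule(rec: AvcRecord) -> str:
    """The raw allow statement the denial names. The ticket's fix pulls the
    ipa_custodia_stream_connect interface into ipa.te rather than adding a
    raw rule; this only shows what that interface has to grant."""
    return (f"allow {rec.source_type()} {rec.target_type()}:"
            f"{rec.fields['tclass']} {{ {' '.join(rec.perms)} }};")


def find_custodia_denials(text: str) -> list:
    return [rec for rec in parse_audit_log(text) if is_custodia_socket_denial(rec)]


if __name__ == "__main__":
    for rec in find_custodia_denials(SAMPLE_AUDIT_LOG):
        mode = "enforcing" if rec.enforced() else "permissive"
        print(f"{rec.fields['comm']} pid={rec.fields['pid']} blocked ({mode}) "
              f"on {rec.fields.get('path')}: {raw_allow_rule(rec)}")
```

Feed it the raw records from the audit log (for example the output of `ausearch -m AVC`) to confirm whether an installation failure is this denial or a different one; the permissive field tells you whether the access was actually blocked or only logged. The allow statement is printed for reference only: the fix recorded in this ticket is the interface call in the policy module, which keeps the rule next to the other ipa_* interfaces listed later in the thread.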


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4920

3 years ago

With decentralized SELinux policy it might be necessary to pull some more rules into the ipa domain policy:

apache.te:    ipa_read_lib(httpd_t)
apache.te:    ipa_manage_pid_files(httpd_t)
apache.te:    ipa_custodia_stream_connect(httpd_t)
apache.te:        ipa_domtrans_helper(httpd_t)
apache.te:    ipa_cert_filetrans_named_content(httpd_t)
bind.te:    ipa_manage_lib(named_t)
certmonger.te:    ipa_manage_lib(certmonger_t)
certmonger.te:    ipa_manage_log(certmonger_t)
certmonger.te:    ipa_manage_pid_files(certmonger_t)
certmonger.te:    ipa_filetrans_pid(certmonger_t,"renewal.lock")
certmonger.te:  ipa_named_filetrans_log_dir(certmonger_t)
gssproxy.te:    ipa_read_lib(gssproxy_t)
kerberos.te:    ipa_stream_connect_otpd(krb5kdc_t)
oddjob.te:ifdef(`ipa_helper_noatsecure',`
oddjob.te:              ipa_helper_noatsecure(oddjob_t)
opendnssec.te:    ipa_manage_lib(opendnssec_t)
opendnssec.te:    ipa_stream_connect_ods_exporter(opendnssec_t)
pki.te:    ipa_read_lib(pki_tomcat_t)
tomcat.te:      ipa_read_lib(tomcat_t)
tomcat.te:      ipa_read_tmp(tomcat_t)

Metadata Update from @ksiddiqu:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1857157

3 years ago

master:

  • 69da03b Add missing SELinux rule for ipa-custodia.sock

ipa-4-8:

  • d83b760 Add missing SELinux rule for ipa-custodia.sock

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue set to the milestone: None (was: FreeIPA 4.8.8)
- Issue status updated to: Closed (was: Open)

2 years ago
