#8436 AVCs when promoting replicas to trust agents
Closed: worksforme 3 years ago by abbra. Opened 3 years ago by abbra.

From @sorlov in bug https://bugzilla.redhat.com/show_bug.cgi?id=1859213, when configuring an AD trust agent, the command ipa-adtrust-install --add-agents is unable to configure the additional agent even when the very recent selinux-policy is used:

[root@master vagrant]# getenforce 
Permissive

[root@replica vagrant]# getenforce 
Permissive

On master there are no AVC failures (as before).
On the replica there are the following failures now:

----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.115:1117): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6F64646A6F622F6F72672E667265656970612E7365727665722E74727573742D656E61626C652D6167656E74002D2D656E61626C652D636F6D706174
type=SYSCALL msg=audit(1596024196.115:1117): arch=c000003e syscall=4 success=yes exit=0 a0=7fc9655573f8 a1=7ffcee3aaaf0 a2=7ffcee3aaaf0 a3=1 items=0 ppid=21605 pid=22159 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="org.freeipa.ser" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.115:1117): avc:  denied  { getattr } for  pid=22159 comm="org.freeipa.ser" path="/usr/lib/systemd/system/dirsrv@.service" dev="vda2" ino=748719 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:dirsrv_unit_file_t:s0 tclass=file permissive=1
----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.117:1118): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=PATH msg=audit(1596024196.117:1118): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=25169382 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1596024196.117:1118): cwd="/"
type=EXECVE msg=audit(1596024196.117:1118): argc=3 a0="/bin/systemctl" a1="restart" a2="dirsrv@TEST-IPA.service"
type=SYSCALL msg=audit(1596024196.117:1118): arch=c000003e syscall=59 success=yes exit=0 a0=7fc98a086fd0 a1=7fc977509fd0 a2=7fc964f94b20 a3=18 items=1 ppid=22159 pid=22163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { map } for  pid=22163 comm="systemctl" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { execute_no_trans } for  pid=22163 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { read open } for  pid=22163 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { execute } for  pid=22163 comm="org.freeipa.ser" name="systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.123:1119): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=PATH msg=audit(1596024196.123:1119): item=0 name="/proc/1/environ" inode=72470 dev=00:04 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:init_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1596024196.123:1119): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffed26cd900 a2=80000 a3=0 items=1 ppid=22159 pid=22163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.123:1119): avc:  denied  { open } for  pid=22163 comm="systemctl" path="/proc/1/environ" dev="proc" ino=72470 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.123:1119): avc:  denied  { read } for  pid=22163 comm="systemctl" name="environ" dev="proc" ino=72470 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.123:1119): avc:  denied  { search } for  pid=22163 comm="systemctl" name="1" dev="proc" ino=11231 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1
----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.123:1120): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=SYSCALL msg=audit(1596024196.123:1120): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffed26cd7d0 a2=7ffed26cd7d0 a3=0 items=0 ppid=22159 pid=22163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.123:1120): avc:  denied  { getattr } for  pid=22163 comm="systemctl" path="/proc/1/environ" dev="proc" ino=72470 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.123:1121): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=PATH msg=audit(1596024196.123:1121): item=0 name="/proc/1/root" inode=128 dev=fd:02 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1596024196.123:1121): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f2638a4a3a1 a2=7ffed26ce090 a3=0 items=1 ppid=22159 pid=22163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.123:1121): avc:  denied  { read } for  pid=22163 comm="systemctl" name="root" dev="proc" ino=72472 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
----
time->Wed Jul 29 14:03:16 2020
type=PROCTITLE msg=audit(1596024196.123:1122): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=SYSCALL msg=audit(1596024196.123:1122): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=55e74a2ebeb0 a2=16 a3=7ffed26cde30 items=0 ppid=22159 pid=22163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024196.123:1122): avc:  denied  { connectto } for  pid=22163 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1596024196.123:1122): avc:  denied  { write } for  pid=22163 comm="systemctl" name="private" dev="tmpfs" ino=17477 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file permissive=1
----
time->Wed Jul 29 14:03:19 2020
type=PROCTITLE msg=audit(1596024199.069:1128): proctitle=2F62696E2F73797374656D63746C0069732D6163746976650064697273727640544553542D4950412E73657276696365
type=SYSCALL msg=audit(1596024199.069:1128): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=55a5c1ff8eb0 a2=16 a3=7ffd67ab8fe0 items=0 ppid=22159 pid=22202 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024199.069:1128): avc:  denied  { connectto } for  pid=22202 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
----
time->Wed Jul 29 14:03:19 2020
type=PROCTITLE msg=audit(1596024199.090:1129): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6F64646A6F622F6F72672E667265656970612E7365727665722E74727573742D656E61626C652D6167656E74002D2D656E61626C652D636F6D706174
type=SYSCALL msg=audit(1596024199.090:1129): arch=c000003e syscall=4 success=yes exit=0 a0=7fc96539cc68 a1=7ffcee3aae40 a2=7ffcee3aae40 a3=1 items=0 ppid=21605 pid=22159 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="org.freeipa.ser" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024199.090:1129): avc:  denied  { getattr } for  pid=22159 comm="org.freeipa.ser" path="/usr/lib/systemd/system/sssd.service" dev="vda2" ino=398404 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:sssd_unit_file_t:s0 tclass=file permissive=1
----
time->Wed Jul 29 14:03:19 2020
type=PROCTITLE msg=audit(1596024199.564:1135): proctitle=2F62696E2F73797374656D63746C0069732D61637469766500737373642E73657276696365
type=PATH msg=audit(1596024199.564:1135): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=25169382 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1596024199.564:1135): cwd="/"
type=EXECVE msg=audit(1596024199.564:1135): argc=3 a0="/bin/systemctl" a1="is-active" a2="sssd.service"
type=SYSCALL msg=audit(1596024199.564:1135): arch=c000003e syscall=59 success=yes exit=0 a0=7fc98a086fd0 a1=7fc977509fd0 a2=7fc96514c440 a3=18 items=1 ppid=22159 pid=22215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024199.564:1135): avc:  denied  { map } for  pid=22215 comm="systemctl" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024199.564:1135): avc:  denied  { execute_no_trans } for  pid=22215 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024199.564:1135): avc:  denied  { read open } for  pid=22215 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024199.564:1135): avc:  denied  { execute } for  pid=22215 comm="org.freeipa.ser" name="systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Wed Jul 29 14:03:19 2020
type=PROCTITLE msg=audit(1596024199.571:1136): proctitle=2F62696E2F73797374656D63746C0069732D61637469766500737373642E73657276696365
type=PATH msg=audit(1596024199.571:1136): item=0 name="/proc/1/root" inode=128 dev=fd:02 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1596024199.571:1136): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f135d50d3a1 a2=7ffeadfb6a00 a3=0 items=1 ppid=22159 pid=22215 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1596024199.571:1136): avc:  denied  { read } for  pid=22215 comm="systemctl" name="root" dev="proc" ino=72472 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1

On Fedora 32 this means the following:

#============= ipa_helper_t ==============
allow ipa_helper_t dirsrv_unit_file_t:file getattr;
allow ipa_helper_t init_t:dir search;
allow ipa_helper_t init_t:file { getattr open read };
allow ipa_helper_t init_t:lnk_file read;

#!!!! This avc is allowed in the current policy
allow ipa_helper_t init_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow ipa_helper_t init_var_run_t:sock_file write;
allow ipa_helper_t sssd_unit_file_t:file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ipa_helper_t systemd_systemctl_exec_t:file map;
allow ipa_helper_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };

Looks like there is still some discrepancy between F32 and RHEL 8.3 selinux policies.

Since all these are on the IPA side, we should be adding them to the custom policy we have. I am not going to use the 'domain_can_mmap_files' boolean as that would enable mmap for all domains.
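As an added example (not code from the ticket or from FreeIPA), a small Python script that does the core of what audit2allow did for the log above: it parses the replica's AVC records, merges the denied permissions per source type, target type and object class into allow rules, and decodes the hex-encoded PROCTITLE so each event can be tied to the command the helper ran. It knows nothing about booleans or policy interfaces, so what it prints are the raw denials, useful for comparing against what interfaces such as dirsrv_systemctl() already grant.

```python
import re
from collections import defaultdict

# Records copied from the replica audit log above (events 1118 and 1122).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1596024196.117:1118): proctitle=2F62696E2F73797374656D63746C00726573746172740064697273727640544553542D4950412E73657276696365
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { map } for  pid=22163 comm="systemctl" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { execute_no_trans } for  pid=22163 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.117:1118): avc:  denied  { read open } for  pid=22163 comm="org.freeipa.ser" path="/usr/bin/systemctl" dev="vda2" ino=17621828 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1596024196.123:1122): avc:  denied  { connectto } for  pid=22163 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
"""

# Permission set plus the *type* field (third colon-separated part) of both contexts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)
# audit hex-encodes proctitle when argv contains NUL separators or special characters.
PROCTITLE_RE = re.compile(r'msg=audit\((?P<event>[\d.:]+)\):\s+proctitle=(?P<hex>[0-9A-Fa-f]+)$')


def allow_rules(audit_text):
    """Merge every denial into one audit2allow-style rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms_by_key[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def decode_proctitle(hex_argv):
    """Decode the hex-encoded, NUL-separated argv stored in a PROCTITLE record."""
    return [arg.decode('utf-8', 'replace') for arg in bytes.fromhex(hex_argv).split(b'\x00')]


def proctitles(audit_text):
    """Map audit event id -> decoded argv, so a denial can be tied to the command behind it."""
    out = {}
    for line in audit_text.splitlines():
        m = PROCTITLE_RE.search(line)
        if m:
            out[m['event']] = decode_proctitle(m['hex'])
    return out


if __name__ == '__main__':
    for event, argv in proctitles(SAMPLE_AUDIT).items():
        print(event, ' '.join(argv))
    print('\n'.join(allow_rules(SAMPLE_AUDIT)))
```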

I'm checking with SELinux policy developers whether it is a selinux-policy difference between the distributions or whether we actually need to make changes in FreeIPA.

With the latest selinux-policy 3.14.3-49.el8, I am getting down to this list:

#============= ipa_helper_t ==============
allow ipa_helper_t dirsrv_unit_file_t:file getattr;
allow ipa_helper_t init_t:dir search;
allow ipa_helper_t init_t:file { getattr open read };
allow ipa_helper_t init_t:lnk_file read;
allow ipa_helper_t init_t:unix_stream_socket connectto;
allow ipa_helper_t init_var_run_t:sock_file write;
allow ipa_helper_t sssd_unit_file_t:file getattr;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ipa_helper_t systemd_systemctl_exec_t:file map;
allow ipa_helper_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };

The getattr parts should be covered by the dirsrv_systemctl() and sssd_systemctl() SELinux policy interfaces, so this is quite a surprise to see.

With SELinux people we found that a number of policy changes weren't backported to RHEL 8.3 beta. So they all exist in upstream but not in the downstream.

I'll close this ticket since the work is purely on RHEL side.

Metadata Update from @abbra:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

3 years ago