Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1868432
```text
Description of problem:
Unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'

Version-Release number of selected component (if applicable):
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-selinux-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
selinux-policy-3.14.3-49.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.301' (uid=995 pid=32378 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[32391]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul 24 17:42:49 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul 24 17:42:49 replica.testrelm.test platform-python[32372]: detected unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 54, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]:     resp = client.fetch_key(path, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]:     r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]:     raise HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]: requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://master.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93b2-4f5e-a3a3-ac6136915f95/2.16.840.1.101.3.4.1.2?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.fWFV5auRitWflK0fMB47Hj35pQirhDtsjgcEAQdteY_Qw0WylLpjtCIpIbpwXFVKo9A4Sp6SE5ziJGyT3_yxW8HTE6gBea1EZPJlY33gveufhCEp80gDpi0oDwS4uR0iYWUVPfdEKMfowcmseg7W9Q9nm9OP7g2LzcAKHUPPcBAlciPzdhVYnB-wJXMxBHE5jFjAurQYun0cDuyqURwn_6uoByyl4RmOLRGH4X7BMPDVZwYCF21Ae5NMy9DlvILlbkyBwKQuwInzvVAi6Yb5K9FUYvlywX0FAMWrFvYlq5x_kFYjNp0U9t6-gyQmmbjaa7BdnbZ4GNVd-dd8vUPzwA.FI_xg-UAYNTThGSwQQPkqw.B74SHXA0axK88CU0k9YYEVPBCR6Bbz3O0lfVveaP9WEqQ7UTBthTB1jcLmXtEXsuGqdDNRTqhxmw1BvmTQIs-lUmZO4riJlZyPZ3Biqm5YsvCa3RH69PrNy103lLygCKD7FUNesUmSfSxZhF31qE1b4xKTmfOt9Hi0GAz7jrLyWAzZhyfC0MkrAm_xpAa2ceXjUTKPLRM23VBmi9Qb8A7DGhwPzPJxL740vikfchPpK4r-GZFlKA24yDQOUnh7dqGVuAD2z4ycLLeAKWxB7YTD1PyQHuFe2odOiCJ9r8rtLblXu17kOZ1RIwhnbk5ma2ZZy2FPs5wATcqYjXe3F3Gue5kSu46u3MlpPmITbaYLCKPPo31r7RoG8ZnNdkXDYLrECgSBrnUA1YcxpQmfLg-ZxM02RcmUxi3d235j0amoGRmNQeu37qSvRuYxiOm36mZnwLbWlasd83jnYISzIoq_c0FLpWtZAhcuPYs9HuP1Njs8uPeEAuAoNciEGnR3P7-fTDt5z0m0uUg7Tl7PuyjncxgOkXO1GglsoCnsUOmtvKUju8AtRSwV_O4-5GEH7IAnkGHAXO5wN4pC763FQpNc40tBK1XvI8p3bIhlAqexjb6y_arlVtEKe_GdVu2RE8H4Jfhy3lAvodaZk85GZEf4OllyjyPftbOIakAG_ZvTeQ_o1OXtmC4ILNtCaF9-TZUuxBV7czLY9xRtIRNetglDcsSZhsx-KjHiOHbAtLYU97wQoTb9uCb9Y339YVASHgsjFmSuiYSIFGJA7uJSDumjwCk3HmHXp4e0bnRt8__LA.ay3AP4cXl-v8CBLRHGAJnPsJekrBFLku33DdPgko6Zw
Jul 24 17:42:49 replica.testrelm.test server[31444]: During handling of the above exception, another exception occurred:
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 81, in <module>
Jul 24 17:42:49 replica.testrelm.test server[31444]:     main()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 71, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]:     resp = client.fetch_key(keyname, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]:     r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]:     raise HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]: requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://master.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93b2-4f5e-a3a3-ac6136915f95?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.feMDgxWiJcLX0oj8Riu9XlugM83_Uh-JIL_Wor8LWDQijFbQNOnAPctidyXHJtUq34uVJS_JS-0E7khZcvKLlp7zflY5XsR3JkkYP8-bOf2w6D9GLjUSTKhXBBZV5KBeyXAhARNoaURGc4UIn2qCwepzuxCIO86XNwoEncC09C6hxPXDO7Dn48p9BPVr_Jr43Mm2_IN72b4QqRw4pY_C484o8crT3KaoYD-THBT9KvLWx8BHZ938o8JukejH-2JkXXtiywsGypQXk6pbZeh1WPc8dPUP7GgiiJWa5f2lP9gxS8XiqlmAq7gkSWWNov4mX0I0dCyumIbqyR_EcptWMA.8FDmzkm7CbQz6Ka9ENQ3dQ.0Fr9ir33n-eUsfdsgBRnYTrdyQeIkg44D8_QCTCYXP1KOhEbDDI4zU5klYmtZtGCdu0VcH9lvlUbxVsoZ21dbNr8y_hqaKrLrwL4LGllZhsRYHZn6BfaE9ZjLe5MZu0aQrCUf6yZDtng_LPLQQRbvIk0bILfuRSauAELP4-ehQRb6NqhFV1rGA5vi0o76oUsL65hRwAkG6zPQqyeaKtNanVkDtCDA1R4iG1qrDO3Lwj-yvtUKY-L7h9mEwLAXhfbRWSfqQxJYDaty2X6TkMvQuRA9n_BJVW9pXLuRhItG3jpjQrHa3V8lDZA-vGNKGtXcz_iSamjeXEoMyzsPLCLEyG9dP07_qOoaH28X2cKuXpd6UQutSvse0qKKzSCeophsXjgxOi2YBUqRGjBqqLfV6PJTlkNGqAGwqWcJVXjnKMQRrPAnRuaEfPD3DLKqa1wFM1xbkF7tvM208oj6JoaKA13Y3f0H791yC9gg5g3BzMVFjY9K8_uRI2XB9m6y6LxJXC_Kc86Ds4_ClWOf0iJvYvnVPtmCJBpb7FkCe65U7HsaHQXmd_2sghgo0DiNinBMrn8t-gm_AR9kqYj-gURMFFwx6KFILOxdBATIU9ySh4k7jiSRnjshJ0qtL7vCwyhN9uGdzqmg9XHNCRvFphhKoLDSKKMD5CCDq_u2RBLNLHzzZt8crG52mnOC14aBqK9zMuHijSldUhp-EV1VQ6kMowAfVMkQdFsZBWh_veQh7F3eafxy3tdwXuQyTDB759K.bo97qxXB4ECBnD_D69KKF3wb_org0_5Qgiq0JpiqDjc
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Activating service name='org.freedesktop.problems' requested by ':1.305' (uid=0 pid=32418 comm="/usr/libexec/platform-python /usr/bin/abrt-action-" label="system_u:system_r:abrt_t:s0-s0:c0.c1023") (using servicehelper)
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[32420]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 17:42:50 replica.testrelm.test abrt-server[32394]: /bin/sh: reporter-systemd-journal: command not found
Jul 24 17:42:50 replica.testrelm.test setroubleshoot[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5. For complete SELinux messages run: sealert -l e3514db6-a4fb-4acc-ac69-03e17e028844
Jul 24 17:42:50 replica.testrelm.test platform-python[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5.
```
Metadata Update from @fcami:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1868432

Metadata Update from @fcami:
- Issue assigned to fcami
Minimal reproducer:

On master:

```
$ kinit admin
$ ipa ca-add test_subca_master --subject cn=test_subca_master --desc subca
$ ipa ca-show test_subca_master
```

On replica:

```
$ kinit admin
$ ipa ca-show test_subca_master
$ /usr/bin/certutil -d /etc/pki/pki-tomcat/alias -L -n "caSigningCert cert-pki-ca <ID>"
$ echo $?
```
The following module on the master side fixes the issue:

```
module local 1.0;

require {
	type pki_tomcat_cert_t;
	type ipa_custodia_t;
	type node_t;
	class tcp_socket { bind create node_bind };
	class process execmem;
	class file { create unlink };
	class dir remove_name;
}

#============= ipa_custodia_t ==============
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
```
Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5083
AVCs on master:

```
type=AVC msg=audit(1599676180.202:97): avc: denied { create } for pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc: denied { bind } for pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc: denied { node_bind } for pid=1930 comm="platform-python" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.233:99): avc: denied { read } for pid=1932 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676180.234:100): avc: denied { map } for pid=1932 comm="java" path="/tmp/hsperfdata_pkiuser/1932" dev="dm-0" ino=25633010 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676180.235:101): avc: denied { execmem } for pid=1932 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1599676181.071:102): avc: denied { read } for pid=1932 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.071:102): avc: denied { open } for pid=1932 comm="java" path="/proc/1932/net/if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.071:103): avc: denied { getattr } for pid=1932 comm="java" path="/proc/1932/net/if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.182:104): avc: denied { read } for pid=1932 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676181.182:105): avc: denied { open } for pid=1932 comm="java" path="/dev/random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676181.182:106): avc: denied { getattr } for pid=1932 comm="java" path="/dev/random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676182.196:107): avc: denied { read } for pid=1959 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.278:108): avc: denied { create } for pid=1959 comm="java" name="key4.db-journal" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676183.324:109): avc: denied { remove_name } for pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.324:109): avc: denied { unlink } for pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
```
AVCs on replica:

```
type=AVC msg=audit(1599676179.434:97): avc: denied { search } for pid=1836 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
```
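The module posted above was derived by hand from the AVC records in these two comments. As an added example (not code from this ticket or from FreeIPA, and not a replacement for `audit2allow`), the script below does the same derivation mechanically: it parses `avc: denied` records, merges the denied permissions per (source type, target type, object class), and renders a `.te`-style module with a `require` block and `allow` rules in the same form as the one above, writing `self` where source and target type coincide. It also flags records with `permissive=0`, which were actually blocked rather than only audited. The sample records are quoted from this ticket (the master and replica AVCs plus the later `map` denial). The regular expression assumes the kernel's field order (`scontext`, then `tcontext`, then `tclass`). Note that the generated output is a review aid, not policy to load as-is: the module posted on the ticket covers only a subset of the denials listed (it omits, for instance, the `sysfs_t`, `proc_net_t` and `random_device_t` reads), and deciding which denials deserve an `allow` rule is exactly the judgement the generator cannot make.

```python
import re
from collections import defaultdict

# AVC records quoted from this ticket (test-realm values, not constructed):
# the "AVCs on master" and "AVCs on replica" comments plus the later
# permissive=0 "map" denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(1599676180.202:97): avc: denied { create } for pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc: denied { bind } for pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc: denied { node_bind } for pid=1930 comm="platform-python" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.235:101): avc: denied { execmem } for pid=1932 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1599676183.278:108): avc: denied { create } for pid=1959 comm="java" name="key4.db-journal" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676183.324:109): avc: denied { remove_name } for pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.324:109): avc: denied { unlink } for pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676179.434:97): avc: denied { search } for pid=1836 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1600441840.558:3102): avc: denied { map } for pid=25014 comm="java" path="/tmp/hsperfdata_pkiuser/25014" dev="vda1" ino=1441863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0
"""

# Assumes the kernel's field order: scontext, then tcontext, then tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the third field)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per 'avc: denied' record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was really blocked, not just logged
            "enforced": m.group("permissive") == "0",
        })
    return records


def aggregate(records):
    """Merge denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="local", version="1.0"):
    """Render .te-style source: a require block followed by allow rules."""
    types = sorted({t for s, tgt, _ in rules for t in (s, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {fmt_perms(classes[cls])};")
    lines += ["}", ""]
    for (s, tgt, cls) in sorted(rules):
        target = "self" if s == tgt else tgt   # same type on both sides -> self
        lines.append(f"allow {s} {target}:{cls} {fmt_perms(rules[(s, tgt, cls)])};")
    return "\n".join(lines) + "\n"


def allow_rules(text):
    """Convenience: AVC text -> list of allow rule strings."""
    module = render_module(aggregate(parse_avcs(text)))
    return [l for l in module.splitlines() if l.startswith("allow ")]


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    print(render_module(aggregate(recs)))
    for r in recs:
        if r["enforced"]:
            print("# blocked in enforcing mode:", r["stype"], r["ttype"],
                  r["tclass"], sorted(r["perms"]))
```

Running it on the quoted records reproduces the six `allow` rules of the posted module (with `file create` and `file unlink` merged into one rule) plus a rule for the replica's `tomcat_t` search on `krb5_keytab_t` and one for the `map` denial, and prints the `map` record as the only one that was blocked in enforcing mode.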
master:
ipa-4-8:
Metadata Update from @fcami:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @fcami:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

Reopening as the fix is not complete.

AI: enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure
Metadata Update from @fcami:
- Custom field changelog adjusted to SELinux: Make sure ipa_custodia_t has the necessary rights. Add a dedicated policy for ipa-pki-retrieve-key.

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5083 https://github.com/freeipa/freeipa/pull/5109 (was: https://github.com/freeipa/freeipa/pull/5083)
Note an additional AVC, pretty harmless, that can be fixed but not tested for:

```
type=AVC msg=audit(1600441840.558:3102): avc: denied { map } for pid=25014 comm="java" path="/tmp/hsperfdata_pkiuser/25014" dev="vda1" ino=1441863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0
```
Metadata Update from @abbra:
- Custom field knownissue reset (from on)

Metadata Update from @fcami:
- Custom field changelog adjusted to SELinux: Make sure ipa_custodia_t has the necessary rights ; add dedicated policy rules for ipa-pki-retrieve-key. (was: SELinux: Make sure ipa_custodia_t has the necessary rights. Add a dedicated policy for ipa-pki-retrieve-key.)
- Custom field knownissue reset (from false)