#8488 SELinux blocks custodia key replication / retrieval for sub-CAs
Closed: fixed 3 years ago by fcami. Opened 3 years ago by fcami.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1868432

```text
Description of problem: Unhandled Python exception in
'/usr/libexec/ipa/ipa-pki-retrieve-key'

Version-Release number of selected component (if applicable):
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-selinux-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
selinux-policy-3.14.3-49.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Successfully
activated service 'org.fedoraproject.Setroubleshootd'
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Activating
service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.301'
(uid=995 pid=32378 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub"
label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using
servicehelper)
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[32391]: [system] Failed to
reset fd limit before activating service:
org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit:
Operation not permitted
Jul 24 17:42:49 replica.testrelm.test dbus-daemon[728]: [system] Successfully
activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul 24 17:42:49 replica.testrelm.test platform-python[32372]: detected
unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent
call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/libexec/ipa/ipa-pki-retrieve-key", line 54, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]: resp =
client.fetch_key(path, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in
fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]: r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/lib/python3.6/site-packages/requests/models.py", line 940, in
raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]: raise
HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]:
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://mas
ter.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93
b2-4f5e-a3a3-ac6136915f95/2.16.840.1.101.3.4.1.2?type=kem&value=eyJhbGciOiJSU0E
tT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.fWFV5auRitWflK0fMB47Hj35p
QirhDtsjgcEAQdteY_Qw0WylLpjtCIpIbpwXFVKo9A4Sp6SE5ziJGyT3_yxW8HTE6gBea1EZPJlY33g
veufhCEp80gDpi0oDwS4uR0iYWUVPfdEKMfowcmseg7W9Q9nm9OP7g2LzcAKHUPPcBAlciPzdhVYnB-
wJXMxBHE5jFjAurQYun0cDuyqURwn_6uoByyl4RmOLRGH4X7BMPDVZwYCF21Ae5NMy9DlvILlbkyBwK
QuwInzvVAi6Yb5K9FUYvlywX0FAMWrFvYlq5x_kFYjNp0U9t6-gyQmmbjaa7BdnbZ4GNVd-dd8vUPzw
A.FI_xg-UAYNTThGSwQQPkqw.B74SHXA0axK88CU0k9YYEVPBCR6Bbz3O0lfVveaP9WEqQ7UTBthTB1
jcLmXtEXsuGqdDNRTqhxmw1BvmTQIs-lUmZO4riJlZyPZ3Biqm5YsvCa3RH69PrNy103lLygCKD7FUN
esUmSfSxZhF31qE1b4xKTmfOt9Hi0GAz7jrLyWAzZhyfC0MkrAm_xpAa2ceXjUTKPLRM23VBmi9Qb8A
7DGhwPzPJxL740vikfchPpK4r-GZFlKA24yDQOUnh7dqGVuAD2z4ycLLeAKWxB7YTD1PyQHuFe2odOi
CJ9r8rtLblXu17kOZ1RIwhnbk5ma2ZZy2FPs5wATcqYjXe3F3Gue5kSu46u3MlpPmITbaYLCKPPo31r
7RoG8ZnNdkXDYLrECgSBrnUA1YcxpQmfLg-ZxM02RcmUxi3d235j0amoGRmNQeu37qSvRuYxiOm36mZ
nwLbWlasd83jnYISzIoq_c0FLpWtZAhcuPYs9HuP1Njs8uPeEAuAoNciEGnR3P7-fTDt5z0m0uUg7Tl
7PuyjncxgOkXO1GglsoCnsUOmtvKUju8AtRSwV_O4-5GEH7IAnkGHAXO5wN4pC763FQpNc40tBK1XvI
8p3bIhlAqexjb6y_arlVtEKe_GdVu2RE8H4Jfhy3lAvodaZk85GZEf4OllyjyPftbOIakAG_ZvTeQ_o
1OXtmC4ILNtCaF9-TZUuxBV7czLY9xRtIRNetglDcsSZhsx-KjHiOHbAtLYU97wQoTb9uCb9Y339YVA
SHgsjFmSuiYSIFGJA7uJSDumjwCk3HmHXp4e0bnRt8__LA.ay3AP4cXl-v8CBLRHGAJnPsJekrBFLku
33DdPgko6Zw
Jul 24 17:42:49 replica.testrelm.test server[31444]: During handling of the
above exception, another exception occurred:
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent
call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/libexec/ipa/ipa-pki-retrieve-key", line 81, in <module>
Jul 24 17:42:49 replica.testrelm.test server[31444]: main()
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/libexec/ipa/ipa-pki-retrieve-key", line 71, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]: resp =
client.fetch_key(keyname, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in
fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]: r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]: File
"/usr/lib/python3.6/site-packages/requests/models.py", line 940, in
raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]: raise
HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]:
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://mas
ter.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93
b2-4f5e-a3a3-ac6136915f95?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNT
ZDQkMtSFM1MTIiLCJraWQiOm51bGx9.feMDgxWiJcLX0oj8Riu9XlugM83_Uh-JIL_Wor8LWDQijFbQ
NOnAPctidyXHJtUq34uVJS_JS-0E7khZcvKLlp7zflY5XsR3JkkYP8-bOf2w6D9GLjUSTKhXBBZV5KB
eyXAhARNoaURGc4UIn2qCwepzuxCIO86XNwoEncC09C6hxPXDO7Dn48p9BPVr_Jr43Mm2_IN72b4QqR
w4pY_C484o8crT3KaoYD-THBT9KvLWx8BHZ938o8JukejH-2JkXXtiywsGypQXk6pbZeh1WPc8dPUP7
GgiiJWa5f2lP9gxS8XiqlmAq7gkSWWNov4mX0I0dCyumIbqyR_EcptWMA.8FDmzkm7CbQz6Ka9ENQ3d
Q.0Fr9ir33n-eUsfdsgBRnYTrdyQeIkg44D8_QCTCYXP1KOhEbDDI4zU5klYmtZtGCdu0VcH9lvlUbx
VsoZ21dbNr8y_hqaKrLrwL4LGllZhsRYHZn6BfaE9ZjLe5MZu0aQrCUf6yZDtng_LPLQQRbvIk0bILf
uRSauAELP4-ehQRb6NqhFV1rGA5vi0o76oUsL65hRwAkG6zPQqyeaKtNanVkDtCDA1R4iG1qrDO3Lwj
-yvtUKY-L7h9mEwLAXhfbRWSfqQxJYDaty2X6TkMvQuRA9n_BJVW9pXLuRhItG3jpjQrHa3V8lDZA-v
GNKGtXcz_iSamjeXEoMyzsPLCLEyG9dP07_qOoaH28X2cKuXpd6UQutSvse0qKKzSCeophsXjgxOi2Y
BUqRGjBqqLfV6PJTlkNGqAGwqWcJVXjnKMQRrPAnRuaEfPD3DLKqa1wFM1xbkF7tvM208oj6JoaKA13
Y3f0H791yC9gg5g3BzMVFjY9K8_uRI2XB9m6y6LxJXC_Kc86Ds4_ClWOf0iJvYvnVPtmCJBpb7FkCe6
5U7HsaHQXmd_2sghgo0DiNinBMrn8t-gm_AR9kqYj-gURMFFwx6KFILOxdBATIU9ySh4k7jiSRnjshJ
0qtL7vCwyhN9uGdzqmg9XHNCRvFphhKoLDSKKMD5CCDq_u2RBLNLHzzZt8crG52mnOC14aBqK9zMuHi
jSldUhp-EV1VQ6kMowAfVMkQdFsZBWh_veQh7F3eafxy3tdwXuQyTDB759K.bo97qxXB4ECBnD_D69K
KF3wb_org0_5Qgiq0JpiqDjc
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Activating
service name='org.freedesktop.problems' requested by ':1.305' (uid=0 pid=32418
comm="/usr/libexec/platform-python /usr/bin/abrt-action-"
label="system_u:system_r:abrt_t:s0-s0:c0.c1023") (using servicehelper)
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[32420]: [system] Failed to
reset fd limit before activating service:
org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit:
Operation not permitted
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Successfully
activated service 'org.freedesktop.problems'
Jul 24 17:42:50 replica.testrelm.test abrt-server[32394]: /bin/sh:
reporter-systemd-journal: command not found
Jul 24 17:42:50 replica.testrelm.test setroubleshoot[32378]: SELinux is
preventing /usr/libexec/platform-python3.6 from search access on the directory
krb5. For complete SELinux messages run: sealert -l
e3514db6-a4fb-4acc-ac69-03e17e028844
Jul 24 17:42:50 replica.testrelm.test platform-python[32378]: SELinux is
preventing /usr/libexec/platform-python3.6 from search access on the directory
krb5.


Metadata Update from @fcami:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1868432

3 years ago

Metadata Update from @fcami:
- Issue assigned to fcami

3 years ago

Minimal reproducer:

  • on master:
    $ kinit admin
    $ ipa ca-add test_subca_master --subject cn=test_subca_master --desc subca
    $ ipa ca-show test_subca_master

  • on replica:
    $ kinit admin
    $ ipa ca-show test_subca_master
    $ /usr/bin/certutil -d /etc/pki/pki-tomcat/alias -L -n "caSigningCert cert-pki-ca <ID>"
    $ echo $?

The following module on the master side fixes the issue:

#################
module local 1.0;

require {
    type pki_tomcat_cert_t;
    type ipa_custodia_t;
    type node_t;
    class tcp_socket { bind create node_bind };
    class process execmem;
    class file { create unlink };
    class dir remove_name;
}

#============= ipa_custodia_t ==============

allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
#################

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5083

3 years ago

AVCs on master:

type=AVC msg=audit(1599676180.202:97): avc:  denied  { create } for  pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc:  denied  { bind } for  pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc:  denied  { node_bind } for  pid=1930 comm="platform-python" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.233:99): avc:  denied  { read } for  pid=1932 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676180.234:100): avc:  denied  { map } for  pid=1932 comm="java" path="/tmp/hsperfdata_pkiuser/1932" dev="dm-0" ino=25633010 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676180.235:101): avc:  denied  { execmem } for  pid=1932 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1599676181.071:102): avc:  denied  { read } for  pid=1932 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.071:102): avc:  denied  { open } for  pid=1932 comm="java" path="/proc/1932/net/if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.071:103): avc:  denied  { getattr } for  pid=1932 comm="java" path="/proc/1932/net/if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676181.182:104): avc:  denied  { read } for  pid=1932 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676181.182:105): avc:  denied  { open } for  pid=1932 comm="java" path="/dev/random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676181.182:106): avc:  denied  { getattr } for  pid=1932 comm="java" path="/dev/random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1599676182.196:107): avc:  denied  { read } for  pid=1959 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.278:108): avc:  denied  { create } for  pid=1959 comm="java" name="key4.db-journal" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676183.324:109): avc:  denied  { remove_name } for  pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.324:109): avc:  denied  { unlink } for  pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1

AVCs on replica:

type=AVC msg=audit(1599676179.434:97): avc:  denied  { search } for  pid=1836 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

master:

  • 6832829 SELinux Policy: let custodia replicate keys

ipa-4-8:

  • 4382854 SELinux Policy: let custodia replicate keys
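The module posted above is the kind of output audit2allow produces from the master-side AVCs. As an added example (not FreeIPA's code and not audit2allow itself), the script below performs the same derivation over AVC records quoted in this ticket, embedded as constructed sample input: it parses each denial, groups the denied permissions by (source type, target type, class), folds a matching source and target into `self`, renders a .te module in the same shape as the one posted, and separately lists the denials logged with permissive=0, which are the ones that actually blocked an operation rather than being recorded under permissive mode. All function and constant names are this example's own.

```python
"""Mini audit2allow: derive SELinux allow rules from AVC denial records.

Added example, not FreeIPA code. The sample records are copied from the
ticket; everything else (names, grouping, rendering) is this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in the ticket (master, replica,
# plus the later 'map' denial that was logged with permissive=0).
AVC_SAMPLE = """\
type=AVC msg=audit(1599676180.202:97): avc:  denied  { create } for  pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc:  denied  { bind } for  pid=1930 comm="platform-python" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.202:98): avc:  denied  { node_bind } for  pid=1930 comm="platform-python" saddr=::1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1599676180.235:101): avc:  denied  { execmem } for  pid=1932 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1599676183.278:108): avc:  denied  { create } for  pid=1959 comm="java" name="key4.db-journal" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676183.324:109): avc:  denied  { remove_name } for  pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1599676183.324:109): avc:  denied  { unlink } for  pid=1959 comm="java" name="key4.db-journal" dev="dm-0" ino=8642791 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599676179.434:97): avc:  denied  { search } for  pid=1836 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1600441840.558:3102): avc:  denied  { map } for  pid=25014 comm="java" path="/tmp/hsperfdata_pkiuser/25014" dev="vda1" ino=1441863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0
"""

# One denial: the permission set, both contexts, the class and the mode.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """user:role:type[:range] -> type (the only field policy rules use)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, permissive) per record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], m["perms"].split(), m["permissive"] == "1")


def collect_rules(text):
    """Merge denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for src, tgt, cls, perms, _ in parse_avcs(text):
        rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def enforced_denials(text):
    """Denials recorded with permissive=0: the operation really failed."""
    return [(src, tgt, cls, perms)
            for src, tgt, cls, perms, permissive in parse_avcs(text)
            if not permissive]


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="local", version="1.0"):
    """Render a .te module: require block, then allow rules grouped by source."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(classes[c]))} }};"
            for c in sorted(classes)]
    out.append("}")
    for src in sorted({k[0] for k in rules}):
        out += ["", f"#============= {src} =============="]
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                target = "self" if tgt == src else tgt
                out.append(f"allow {src} {target}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(collect_rules(AVC_SAMPLE)))
    for src, tgt, cls, perms in enforced_denials(AVC_SAMPLE):
        print(f"# blocked in enforcing mode: {src} -> {tgt}:{cls} {perms}")
```

A rule derived this way is the minimum the denial asks for, not necessarily the right fix. The replica record yields `allow tomcat_t krb5_keytab_t:dir search;`, yet the commit list on this ticket shows the eventual fix giving ipa-pki-retrieve-key its own ipa_pki_retrieve_key_t domain rather than only widening tomcat_t; likewise the `map` rule for ipa_custodia_tmp_t that this script emits is the one the ticket later adds as a separate commit. Review every generated allow against what the process should actually be permitted to do before loading it.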

Metadata Update from @fcami:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @fcami:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

3 years ago

Reopening as the fix is not complete.

AI: enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Metadata Update from @fcami:
- Custom field changelog adjusted to SELinux: Make sure ipa_custodia_t has the necessary rights. Add a dedicated policy for ipa-pki-retrieve-key.

3 years ago

Note additional AVC, pretty harmless, that can be fixed but not tested for:

type=AVC msg=audit(1600441840.558:3102): avc:  denied  { map } for  pid=25014 comm="java" path="/tmp/hsperfdata_pkiuser/25014" dev="vda1" ino=1441863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0

master:

  • dfeea16 ipatests: enhance TestSubCAkeyReplication
  • 7823da0 SELinux: Add dedicated policy for ipa-pki-retrieve-key
  • ea9db4a SELinux Policy: let custodia_t map custodia_tmp_t
  • 820beca SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t
  • 09816f4 SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t
  • 4b3c4b8 SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type
  • f774642 SELinux Policy: make interfaces for kernel modules non-optional
  • 2f2bce4 SELinux Policy: Allow tomcat_t to read kerberos keytabs

ipa-4-8:

  • 52929cb ipatests: enhance TestSubCAkeyReplication
  • 5a59624 SELinux: Add dedicated policy for ipa-pki-retrieve-key
  • c126610 SELinux Policy: let custodia_t map custodia_tmp_t
  • 310dbd6 SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t
  • 0518c63 SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t
  • 25cf7af SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type
  • 7ad0484 SELinux Policy: make interfaces for kernel modules non-optional
  • 6a31605 SELinux Policy: Allow tomcat_t to read kerberos keytabs

Metadata Update from @fcami:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

master:

  • 7651d33 Add ipa_pki_retrieve_key_exec() interface

ipa-4-8:

  • c029eb7 Add ipa_pki_retrieve_key_exec() interface

Metadata Update from @abbra:
- Custom field knownissue reset (from on)

3 years ago

Metadata Update from @fcami:
- Custom field changelog adjusted to SELinux: Make sure ipa_custodia_t has the necessary rights ; add dedicated policy rules for ipa-pki-retrieve-key. (was: SELinux: Make sure ipa_custodia_t has the necessary rights. Add a dedicated policy for ipa-pki-retrieve-key.)
- Custom field knownissue reset (from false)

3 years ago

master:

  • fbb6484 Check ca_wrapped in ipa-custodia-check
  • 9a9cd30 Verify freeipa-selinux's ipa module is loaded

ipa-4-8:

  • 0bbd61d Check ca_wrapped in ipa-custodia-check
  • 7d3ce22 Verify freeipa-selinux's ipa module is loaded
