#23 Write new SELinux policy
Opened 4 years ago by jdennis. Modified 2 years ago

The server has a number of problems with SELinux AVC denials. The process was running with the effective uid/gid of ipsilon. If SELinux is enabled things fail silently and mysteriously, mostly because ipsilon's persistent storage cannot be updated.

4517:type=AVC msg=audit(1420410243.355:4229): avc:  denied  { write } for  pid=9789 comm="httpd" name="adminconfig.sqlite" dev="dm-1" ino=5657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0  
4545:type=AVC msg=audit(1420410292.644:4257): avc:  denied  { write } for  pid=9789 comm="httpd" name="userprefs.sqlite" dev="dm-1" ino=5203 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
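
Parsing the two records above by hand is easy; parsing a few hundred of them during an incident is not. The following is an added example (not Ipsilon project code) that pulls the source and target types, the denied permissions and the object name out of AVC records and sorts each denial into "relabel the file" versus "policy/boolean work". The classification rule, that a generic var_lib_t target under a web app's state directory should have carried httpd_var_lib_t, is an assumption based on the later comment in this ticket; the sample audit text is constructed from the two quoted lines plus one non-AVC line to show filtering.

```python
"""Parse SELinux AVC denial records and say what kind of fix each one calls for.

Added example, not Ipsilon project code. SAMPLE_AUDIT is constructed from the
two records quoted in the ticket; the "4517:" style prefixes are grep -n line
numbers and are stripped before parsing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# key=value tokens; values are either quoted ("httpd") or bare (a:b:c:s0)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERM = re.compile(r'denied\s+\{\s*([^}]*)\}')

# Assumption: a target carrying one of these generic types should have had the
# httpd-specific type instead, so the remedy is a relabel rather than policy.
EXPECTED_TYPES = {"var_lib_t": "httpd_var_lib_t"}


@dataclass
class Avc:
    perms: Tuple[str, ...]
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    permissive: bool


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for an AVC denial record, or None for any other line."""
    line = re.sub(r"^\d+:", "", line.strip())  # drop a grep -n prefix
    if "avc:" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERM.search(line)
    if not m or "scontext" not in fields or "tcontext" not in fields:
        return None
    # a context is user:role:type:level; the type is the third component
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return Avc(
        perms=tuple(m.group(1).split()),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        source_type=stype,
        target_type=ttype,
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
    )


def classify(avc: Avc) -> str:
    """Relabel when the target has a generic type, otherwise policy/boolean work."""
    if avc.target_type in EXPECTED_TYPES:
        want = EXPECTED_TYPES[avc.target_type]
        return (f"relabel: {avc.name} is {avc.target_type}, expected {want} "
                f"(fix file contexts, then restorecon -Rv on the directory)")
    perms = " ".join(avc.perms)
    return (f"policy: {avc.source_type} ({avc.comm}) needs {perms} on "
            f"{avc.tclass} {avc.target_type}; look for a boolean or write an allow rule")


def triage(audit_text: str) -> List[str]:
    """One suggestion per AVC denial record; non-AVC lines are ignored."""
    return [classify(a) for a in map(parse_avc, audit_text.splitlines()) if a]


# Constructed sample: the ticket's two records plus one SYSCALL line.
SAMPLE_AUDIT = """\
4517:type=AVC msg=audit(1420410243.355:4229): avc:  denied  { write } for  pid=9789 comm="httpd" name="adminconfig.sqlite" dev="dm-1" ino=5657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
4545:type=AVC msg=audit(1420410292.644:4257): avc:  denied  { write } for  pid=9789 comm="httpd" name="userprefs.sqlite" dev="dm-1" ino=5203 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1420410243.355:4229): success=no exit=-13
"""

if __name__ == "__main__":
    for suggestion in triage(SAMPLE_AUDIT):
        print(suggestion)
```

Feed it `ausearch -m avc` output (or a raw audit.log) on stdin and it separates the labeling problems, which a relabel fixes and which the ticket later confirms were the cause here, from denials that need a boolean or new policy.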

Fields changed

milestone: => 1.0 m3
owner: simo => jdennis
status: new => assigned

I could not reproduce the original AVCs. The directory /var/lib/ipsilon is correctly labeled with httpd_var_lib_t (set in RPM %post).

However, we are getting an AVC for httpd connecting to LDAP. This can be fixed with:

setsebool -P httpd_can_connect_ldap on

I will patch the spec file and post a review.

In my personal git repo under the httpd_avc topic branch

Fields changed

resolution: => fixed
status: assigned => closed

Fields changed

resolution: fixed =>
status: closed => reopened

The Fedora spec files are not in sync with the spec file in the git repo; they are missing the SELinux updates in %post.

I am personally very opposed to doing SELinux in RPM spec files.

Relabeling in the spec file is very bad and it should just be added to the Fedora SELinux policy.
Reason being that you should always be able to relabel the entire filesystem without breaking services.
Please file a bug on the SELinux policy component in Bugzilla.

Setting the boolean is also something we should not do in the spec file, and we should just document this somewhere.

owner: jdennis => puiterwijk
patch_available: => 0
status: reopened => assigned

I can see the argument for correct labeling in the OS policy.

As for not setting the boolean, mysterious mostly silent failures are not user/customer friendly. People do not want to use software that makes them read arcane documentation and perform obtuse actions when after installation the package does not work. We should be focused on providing the best customer experience we can.

If we don't set the boolean in the spec file then we need to set it in the installer which is probably the better place to set it. The boolean shouldn't be set just by virtue of installing the package, but once you configure a node to be an ipsilon server it should run with the boolean being set.

Are you OK with setting the boolean in the installer? This is what IPA does. I'll do a new patch that sets the boolean in ipsilon-server-install

Yes, setting it from the installer when you actually enable the function makes some sense.

Although I would prefer it if it's stated clearly in the output (maybe a summary at the end with a high-level overview what the installation did?) and/or a question during installation itself.

But do note that there are situations where other flags might be required.
For example, if you use another database, you will need httpd_can_network_connect_db as well.
Also, AuthPAM requires httpd_mod_auth_pam and httpd_tmp_exec (which are already set in its installer, should also be added to any summary we provide).

I'm probably missing some entries as well for specific cases.
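
The installer approach discussed in the last few comments (set the booleans when a feature is enabled, only if they are off, and print a summary at the end) is small enough to show whole. The following is an added example, not the ipsilon-server-install code. The feature-to-boolean table is the one listed in this ticket; the feature names, the `fake_policy` simulator and the injectable `run` callable are assumptions made so the logic can be exercised without root or an SELinux-enabled host.

```python
"""Choose, set and report the SELinux booleans an Ipsilon node needs.

Added example, not ipsilon-server-install code. Booleans per feature are taken
from this ticket; feature names and the fake_policy simulator are assumptions.
"""
import shutil
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

# From the ticket: each enabled feature and the booleans it needs.
FEATURE_BOOLEANS: Dict[str, List[str]] = {
    "ldap": ["httpd_can_connect_ldap"],
    "external_db": ["httpd_can_network_connect_db"],
    "pam": ["httpd_mod_auth_pam", "httpd_tmp_exec"],
    "sssd": ["httpd_dbus_sssd"],
}

Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def required_booleans(features: Sequence[str]) -> List[str]:
    """Ordered, de-duplicated booleans for the given features."""
    needed: List[str] = []
    for feature in features:
        if feature not in FEATURE_BOOLEANS:
            raise ValueError(f"unknown feature {feature!r}")
        for boolean in FEATURE_BOOLEANS[feature]:
            if boolean not in needed:
                needed.append(boolean)
    return needed


def _run(argv: Sequence[str]) -> subprocess.CompletedProcess:
    """Real runner: execute the SELinux tool and capture its output."""
    return subprocess.run(list(argv), capture_output=True, text=True, check=False)


def current_state(boolean: str, run: Runner = _run) -> Optional[bool]:
    """Parse `getsebool NAME` output ("NAME --> on"); None if the policy lacks it."""
    res = run(["getsebool", boolean])
    if res.returncode != 0:
        return None
    parts = res.stdout.strip().split("-->")
    if len(parts) != 2 or parts[0].strip() != boolean:
        return None
    return parts[1].strip() == "on"


def ensure_booleans(features: Sequence[str], run: Runner = _run,
                    selinux_enabled: Optional[bool] = None) -> List[str]:
    """Persistently (setsebool -P) enable each required boolean that is off.
    Returns the lines for the installer's end-of-run summary."""
    if selinux_enabled is None:
        # selinuxenabled exits 0 when SELinux is enabled, non-zero otherwise
        selinux_enabled = (shutil.which("selinuxenabled") is not None
                           and run(["selinuxenabled"]).returncode == 0)
    if not selinux_enabled:
        return ["SELinux not enabled: no booleans changed"]
    summary: List[str] = []
    for boolean in required_booleans(features):
        state = current_state(boolean, run)
        if state is None:
            # an older policy may predate the boolean; say so instead of failing silently
            summary.append(f"{boolean}: not present in policy, NOT set (check policy version)")
        elif state:
            summary.append(f"{boolean}: already on")
        else:
            res = run(["setsebool", "-P", boolean, "on"])
            if res.returncode == 0:
                summary.append(f"{boolean}: set to on (persistent)")
            else:
                summary.append(f"{boolean}: setsebool failed: {res.stderr.strip()}")
    return summary


def fake_policy(state: Dict[str, bool]) -> Runner:
    """Assumed simulator of getsebool/setsebool over a dict, for dry runs and tests."""
    def run(argv: Sequence[str]) -> subprocess.CompletedProcess:
        argv = list(argv)
        if argv[0] == "getsebool":
            if argv[1] not in state:
                return subprocess.CompletedProcess(argv, 1, "", "Error getting active value")
            value = "on" if state[argv[1]] else "off"
            return subprocess.CompletedProcess(argv, 0, f"{argv[1]} --> {value}\n", "")
        if argv[0] == "setsebool":
            state[argv[2]] = True
            return subprocess.CompletedProcess(argv, 0, "", "")
        return subprocess.CompletedProcess(argv, 0, "", "")
    return run


if __name__ == "__main__":
    sim = {"httpd_can_connect_ldap": False, "httpd_dbus_sssd": True}
    for line in ensure_booleans(["ldap", "sssd", "external_db"], run=fake_policy(sim),
                                selinux_enabled=True):
        print(line)
```

Leaving `run` and `selinux_enabled` at their defaults makes it drive the real tools; the summary it returns is the kind of end-of-install report asked for above, and a boolean missing from the host's policy is reported rather than ignored.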

I opened bug https://bugzilla.redhat.com/show_bug.cgi?id=1186046 with a request to label ipsilon's /var/lib files.

new patch submitted


This exactly echoes what is done elsewhere currently in ipsilon.

We should look into having httpd transition into our own type for Ipsilon. There may be some issues to figure out around getting the transition to take place with the way that mod_wsgi works.

We also need to set the 'httpd_dbus_sssd' boolean to allow the SSSD info plugin to work.

Fix for httpd_dbus_sssd:

master: b6cf2a5

design_link: =>

Fix for httpd_can_connect_ldap:

master: c95d083

Fields changed

milestone: 1.0 m3 => 1.0 m4

Fields changed

cc: => fedora@obfusc8.org

Fields changed

milestone: 1.0 m4 => 1.0

Fields changed

milestone: 1.0 => Backlog

This has made it into Fedora 22 0-day updates.
Going to bug the selinux people more about F21/rawhide.

Fields changed

milestone: Backlog => 1.1

This has now also been applied in Rawhide, which leaves just F21.

Fields changed

rhbz: =>
summary: SELinux AVC denials => Write new SELinux policy

Fields changed

milestone: 1.1 => 1.2

Fields changed

milestone: 1.2 => Backlog

Metadata Update from @nkinder:
- Issue assigned to puiterwijk
- Issue set to the milestone: Backlog

2 years ago
