RHEL / RHEL-40376

SID generation task is failing when SELinux is in Enforcing mode.

    • ipa-4.12.2-2.el9
    • None
    • Moderate
    • 8
    • sst_idm_ipa
    • ssg_idm
    • 10
    • 12
    • 3
    • QE ack, Dev ack
    • False
    • No
    • 2024-Q3-Alpha-S2, 2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5, 2024-Q3-Alpha-S6, 2024-Q4-Alpha-S1, 2024-Q4-Alpha-S2, 2024-Q4-Alpha-S3
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      The SID generation task fails when SELinux is in Enforcing mode.

      Please provide the package NVR for which the bug is seen:

      #  cat /etc/redhat-release
      Red Hat Enterprise Linux release 9.3 (Plow)
      #
      #  rpm -qa | grep ^ipa
      ipa-client-common-4.10.2-4.el9_3.1.noarch
      ipa-selinux-4.10.2-4.el9_3.1.noarch
      ipa-common-4.10.2-4.el9_3.1.noarch
      ipa-server-common-4.10.2-4.el9_3.1.noarch
      ipa-healthcheck-core-0.12-4.el9.noarch
      ipa-client-4.10.2-4.el9_3.1.x86_64
      ipa-server-4.10.2-4.el9_3.1.x86_64
      ipa-server-dns-4.10.2-4.el9_3.1.noarch
      ipa-healthcheck-0.12-4.el9.noarch
      # 

      How reproducible:

      Always.

      Steps to reproduce

      1. Make sure SELinux is in Enforcing mode:

      # getenforce
      Enforcing
      #

      2. Run the SID task:

      # ipa config-mod --enable-sid --add-sids
      ipa: ERROR: Configuration of SID failed. See details in the error log
      # 

      3. After enabling DBus debugging:

       string "[Errno 13] Permission denied: '/var/log/ipaserver-enable-sid.log'
      The ipa-enable-sid command failed.
      " 

      4. Check the SELinux alert message:

      # sealert -a /var/log/audit/audit.log
      ...
      --------------------------------------------------------------------------------
      SELinux is preventing /usr/bin/python3.9 from open access on the file /var/log/ipaserver-enable-sid.log.

      *****  Plugin catchall (100. confidence) suggests   **************************

      If you believe that python3.9 should be allowed open access on the ipaserver-enable-sid.log file by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'org.freeipa.ser' --raw | audit2allow -M my-orgfreeipaser
      # semodule -X 300 -i my-orgfreeipaser.pp
      Additional Information:
      Source Context                system_u:system_r:ipa_helper_t:s0
      Target Context                unconfined_u:object_r:var_log_t:s0
      Target Objects                /var/log/ipaserver-enable-sid.log [ file ]
      Source                        org.freeipa.ser
      Source Path                   /usr/bin/python3.9
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           python3-3.9.18-1.el9_3.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-38.1.23-1.el9.noarch
      Local Policy RPM              ipa-selinux-4.10.2-4.el9_3.1.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     <HOST>
      Platform                      Linux <HOST>
                                    5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC
                                    Tue Oct 3 11:12:36 EDT 2023 x86_64 x86_64
      Alert Count                   6
      First Seen                    2024-03-19 15:19:35 CET
      Last Seen                     2024-05-13 18:29:12 CEST
      Local ID                      5cdd2e98-cb7f-4b9e-aa31-915236371de9

      Raw Audit Messages
      type=AVC msg=audit(1715617752.463:7478): avc:  denied  { open } for  pid=393419 comm="org.freeipa.ser" path="/var/log/ipaserver-enable-sid.log" dev="dm-0" ino=642 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1

      5. Settings for the SID log file:

      # ls -lZ /var/log/ipaserver-enable-sid.log
      -rw-------. 1 root root system_u:object_r:var_log_t:s0 10495 Jun  7 09:29 /var/log/ipaserver-enable-sid.log
      #
      # matchpathcon -V /var/log/ipaserver-enable-sid.log
      /var/log/ipaserver-enable-sid.log verified.
      # 
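The AVC record from step 4 can be checked mechanically rather than by eye. The following is an added example written for this ticket (not code from FreeIPA or from the reporter): it parses auditd AVC lines, keeps only denials where the ipa_helper_t domain touched the SID log file, and renders the allow rule that the sealert/audit2allow suggestion above would generate. The first sample line is the ticket's own raw audit message; the other two sample records are constructed.

```python
import re

# Pieces of an auditd AVC record, in the layout shown in the ticket's raw audit message
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, PATH, CWD ... records carry no denial
    rec = {"perms": m.group("perms").split()}
    t = MSG_RE.search(line)
    if t:
        rec["time"] = float(t.group("ts"))
        rec["serial"] = int(t.group("serial"))
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # The SELinux type is the third component of user:role:type:level
    for ctx, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        if ctx in rec:
            rec[out] = rec[ctx].split(":")[2]
    # permissive=1 means the access was logged but not actually refused
    rec["blocked"] = rec.get("permissive") == "0"
    return rec


def find_ipa_log_denials(lines, log_path="/var/log/ipaserver-enable-sid.log"):
    """Denials in which the IPA helper domain accessed the SID log file."""
    return [r for r in map(parse_avc, lines)
            if r and r.get("source_type") == "ipa_helper_t" and r.get("path") == log_path]


def allow_rule(rec):
    """Render a denial as the TE allow rule audit2allow would propose for it."""
    return "allow {} {}:{} {{ {} }};".format(
        rec["source_type"], rec["target_type"], rec["tclass"], " ".join(rec["perms"]))


# Constructed sample: the ticket's AVC line plus two unrelated records
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1715617752.463:7478): avc:  denied  { open } for  pid=393419 comm="org.freeipa.ser" path="/var/log/ipaserver-enable-sid.log" dev="dm-0" ino=642 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1715617752.463:7478): arch=c000003e syscall=257 success=yes exit=5 comm="org.freeipa.ser"',
    'type=AVC msg=audit(1715617760.101:7481): avc:  denied  { write } for  pid=2201 comm="nginx" path="/srv/www/cache.db" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for r in find_ipa_log_denials(SAMPLE_AUDIT):
        print(r["serial"], r["comm"], r["perms"], allow_rule(r))
```

On a live host, feed it `ausearch -m AVC --raw` output line by line instead of SAMPLE_AUDIT.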

      Expected results

      Working SID generation task.

      Actual results

      The SID generation task is failing.

            twoerner Thomas Woerner
            rhn-support-tmihinto Têko Mihinto
            Florence Renaud Florence Renaud
            Rizwan Shaikh Rizwan Shaikh