RHEL-56250

AVC prevents installation of an ipa replica in FIPS mode


    • selinux-policy-40.13.25-1.el10
    • Moderate
    • rhel-security-selinux
    • ssg_security
    • SELINUX 250219: 2
    • Release Note Not Required

      What were you trying to do that didn't work?

      Installation of an IPA replica fails in FIPS mode if the server and replica are in SELinux enforcing mode.

      Please provide the package NVR for which the bug is seen:

      rpm -qa ipa-server selinux-policy
      selinux-policy-40.13.8-1.el10.noarch
      ipa-server-4.12.1-3.el10.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Provision 2 machines in FIPS mode (master and replica) with SELinux enforcing
      2. Install the IPA server with
      dnf install -y ipa-server-dns
      ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U
      3. Install the replica with
      dnf install -y ipa-server-dns
      ipa-replica-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --server server.ipa.test -U
      

      Expected results

      Replica installation should proceed successfully

      Actual results

      Replica installation is stopped because the replica wrongly detects the server as non-FIPS.

      # ipa-replica-install --domain ipa.test --realm IPA.TEST --principal admin --password Secret123 --server server.ipa.test -U
      Configuring client side components
      This program will set up IPA client.
      Version 4.12.1
      Client hostname: replica.ipa.test
      Realm: IPA.TEST
      DNS Domain: ipa.test
      IPA Server: server.ipa.test
      BaseDN: dc=ipa,dc=test
      Synchronizing time
      No SRV records of NTP servers found and no NTP server or pool address was provided.
      Using default chrony configuration.
      Attempting to sync time with chronyc.
      Process chronyc waitsync failed to sync time!
      Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
      Successfully retrieved CA cert
          Subject:     CN=Certificate Authority,O=IPA.TEST
          Issuer:      CN=Certificate Authority,O=IPA.TEST
          Valid From:  2024-08-27 11:46:23+00:00
          Valid Until: 2044-08-27 11:46:23+00:00
      Enrolled in IPA realm IPA.TEST
      Created /etc/ipa/default.conf
      Configured /etc/sssd/sssd.conf
      Systemwide CA database updated.
      Hostname (replica.ipa.test) does not have A/AAAA record.
      Failed to update DNS records.
      Missing A/AAAA record(s) for host replica.ipa.test: 10.0.186.253, 2620:52:0:bb:f816:3eff:fe48:8089.
      Missing reverse record(s) for address(es): 2620:52:0:bb:f816:3eff:fe48:8089.
      Incorrect reverse record(s):
      10.0.186.253 is pointing to vm-10-0-186-253.hosted.upshift.rdu2.redhat.com. instead of replica.ipa.test.
      Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
      Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
      Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
      Could not update DNS SSHFP records.
      SSSD enabled
      Configured /etc/openldap/ldap.conf
      Configured /etc/ssh/ssh_config
      Configured /etc/ssh/sshd_config.d/04-ipa.conf
      Configuring ipa.test as NIS domain.
      Configured /etc/krb5.conf for IPA realm IPA.TEST
      Client configuration complete.
      The ipa-client-install command was successful
      Removing client side components
      Unenrolling client from IPA server
      Removing Kerberos service principals from /etc/krb5.keytab
      Disabling client Kerberos and LDAP configurations
      Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
      Restoring client configuration files
      Unconfiguring the NIS domain.
      nscd daemon is not installed, skip configuration
      nslcd daemon is not installed, skip configuration
      Systemwide CA database updated.
      Client uninstall complete.
      The ipa-client-install command was successful
      Your system may be partly configured.
      Run /usr/sbin/ipa-server-install --uninstall to clean up.
      
      Cannot join FIPS-enabled replica into existing topology: FIPS is not enabled on the master server.
      The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
      The replica is making a call to the server in order to find if it is FIPS-enabled, and the server answers it is not. I suspect it's because it cannot access the file /proc/sys/crypto/fips_enabled:

      ausearch -m AVC reports the following issue:

      type=AVC msg=audit(1724759306.861:1992): avc:  denied  { mounton } for  pid=13712 comm="(httpd)" path="/run/systemd/mount-rootfs/proc/sys/crypto/fips_enabled" dev="proc" ino=43258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=0
      

      After moving the server to SELinux permissive + systemctl restart httpd, the replica installation can start.

      # ls -lZ /proc/sys/crypto/fips_enabled
      -rw-r--r--. 1 root root system_u:object_r:sysctl_crypto_t:s0 2 Aug 27 07:42 /proc/sys/crypto/fips_enabled
      # ps -aefZ | grep httpd
      system_u:system_r:httpd_t:s0    root       15786       1  0 09:04 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      system_u:system_r:httpd_t:s0    apache     15788   15786  0 09:04 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      system_u:system_r:httpd_t:s0    kdcproxy   15789   15786  0 09:04 ?        00:00:00 (wsgi:kdcproxy) -DFOREGROUND
      system_u:system_r:httpd_t:s0    kdcproxy   15790   15786  0 09:04 ?        00:00:00 (wsgi:kdcproxy) -DFOREGROUND
      system_u:system_r:httpd_t:s0    ipaapi     15791   15786  0 09:04 ?        00:00:01 (wsgi:ipa)      -DFOREGROUND
      system_u:system_r:httpd_t:s0    ipaapi     15792   15786  0 09:04 ?        00:00:01 (wsgi:ipa)      -DFOREGROUND
      system_u:system_r:httpd_t:s0    ipaapi     15793   15786  0 09:04 ?        00:00:01 (wsgi:ipa)      -DFOREGROUND
      system_u:system_r:httpd_t:s0    ipaapi     15794   15786  0 09:04 ?        00:00:01 (wsgi:ipa)      -DFOREGROUND
      system_u:system_r:httpd_t:s0    apache     15795   15786  0 09:04 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      system_u:system_r:httpd_t:s0    apache     15796   15786  0 09:04 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      system_u:system_r:httpd_t:s0    apache     15865   15786  0 09:04 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      system_u:system_r:httpd_t:s0    apache     16024   15786  0 09:05 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
      

      We also see a lot of AVC issues with denied { signull } as reported in RHEL-55991

      avc:  denied  { signull } for  pid=292 comm="systemd-journal" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1

      The output of audit2allow:

      # audit2allow -a
      #============= init_t ==============
      allow init_t sysctl_crypto_t:file mounton;
      #============= kernel_t ==============
      allow kernel_t NetworkManager_t:process signull;
      allow kernel_t auditd_t:process signull;
      allow kernel_t certmonger_t:process signull;
      allow kernel_t crond_t:process signull;
      allow kernel_t httpd_t:process signull;
      allow kernel_t irqbalance_t:process signull;
      allow kernel_t sshd_t:process signull;
      allow kernel_t syslogd_t:process signull;
      allow kernel_t systemd_hostnamed_t:process signull;
      allow kernel_t systemd_logind_t:process signull;
      allow kernel_t udev_t:process signull;
      allow kernel_t unconfined_t:process signull;
      #============= systemd_rc_local_generator_t ==============
      allow systemd_rc_local_generator_t etc_t:file execute;
       
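As an added example (not part of the report and not code from the selinux-policy or FreeIPA projects), the following Python parses AVC records like the two quoted above and derives the same rules that the audit2allow output lists, while also flagging whether each denial was actually enforced (permissive=0) and whether it involved the FIPS flag file; the sample records are copied from this report. Rules derived this way are for triage of what was blocked, not for loading as a drop-in local policy module.

```python
import re

# AVC records copied from the bug report above (constructed sample input, not read from auditd here).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1724759306.861:1992): avc:  denied  { mounton } for  pid=13712 comm="(httpd)" '
    'path="/run/systemd/mount-rootfs/proc/sys/crypto/fips_enabled" dev="proc" ino=43258 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=0',
    'avc:  denied  { signull } for  pid=292 comm="systemd-journal" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1',
]

_PERMS = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")  # the "{ perm perm ... }" set after "denied"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value" tokens

def parse_avc(line):
    """Pull the fields a policy author needs out of one 'avc: denied' record."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    # A context is user:role:type[:range]; policy rules are written against the type.
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "permissive": fields.get("permissive") == "1",
    }

def allow_rule(avc):
    """The rule audit2allow would print for this denial (a single permission is left unbraced)."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (avc["stype"], avc["ttype"], avc["tclass"], p)

def triage(lines):
    """Per record: the candidate rule, whether the denial was enforced (permissive=0), and whether the FIPS flag file was involved."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        out.append({
            "rule": allow_rule(avc),
            "enforced": not avc["permissive"],
            "touches_fips_flag": avc["path"].endswith("/proc/sys/crypto/fips_enabled"),
        })
    return out
```

Only the first record is both enforced and about the FIPS flag file, which is why it, and not the signull noise recorded in permissive mode, explains the "FIPS is not enabled on the master server" answer.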

              rhn-support-zpytela Zdenek Pytela
              frenaud@redhat.com Florence Renaud
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik