[Freeipa-users] certmonger selinux issue and freeipa dns database error problem

Rob Crittenden rcritten at redhat.com
Tue Nov 9 14:46:50 UTC 2010


Rob Crittenden wrote:
> Uzor Ide wrote:
>>
>> We have a network that relies on kerberos, 389-ds, bind and nfs4. I am
>> currently testing out the freeipa version 2 to see if we can use it to
>> consolidate the various configuration into one interface. For the most
>> part it works great apart from the obvious area where it has not been
>> completed. However, there are some things that I have noticed.
>
> Hey, sorry we didn't forget about you. Ticket
> https://fedorahosted.org/freeipa/ticket/409 was opened for your DNS
> problem.
>
> Do you get this query error frequently? Do you know what triggers it? I
> haven't been able to reproduce it myself yet. I wonder if this happens
> when logs roll.
>
> For the certmonger problem this looks like a new one to me, I'll file a
> bug.
>
> regards
>
> rob
>
>> 1.) The DNS logging always logs a database error every time it accesses the
>> LDAP, even though the query returns okay and the DNS reply is fine.
>>
>> here is an excerpt of the log named.run
>>
>> 24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
>> 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad, idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>> 24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>> 24-Oct-2010 10:34:41.143 database: error: entry count: 1
>> 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad, idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>> 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad, idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>> 24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>> 24-Oct-2010 10:39:43.586 database: error: entry count: 1
>> 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad, idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>
>> here is our logging configuration
>>
>> // *******************
>> // Logging definitions
>> // *******************
>>
>> // Logging
>> logging {
>>     channel "named_log" {
>>         file "data/log/named.run" versions 5 size 4m;
>>         severity dynamic;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>
>>     channel "security_log" {
>>         file "data/log/security.log" versions 5 size 10m;
>>         severity dynamic;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>
>>     channel "query_log" {
>>         file "data/log/query.log" versions 5 size 50m;
>>         #severity dynamic;
>>         severity debug;
>>         print-category yes;
>>         print-severity yes;
>>         print-time yes;
>>     };
>>
>>     channel "transfer_log" {
>>         file "data/log/transfer.log" versions 5 size 10m;
>>         severity dynamic;
>>         print-category yes;
>>         print-severity yes;
>>     };
>>
>>     category "default" {
>>         "named_log";
>>         "default_syslog";
>>         "default_debug";
>>     };
>>
>>     category "general" {
>>         "named_log";
>>     };
>>
>>     category "queries" {
>>         "query_log";
>>     };
>>
>>     category "lame-servers" {
>>         null;
>>     };
>>
>>     category "security" {
>>         "security_log";
>>     };
>>
>>     category "config" {
>>         "named_log";
>>     };
>>
>>     category "resolver" {
>>         "query_log";
>>     };
>>
>>     category "xfer-in" {
>>         "transfer_log";
>>     };
>>
>>     category "xfer-out" {
>>         "transfer_log";
>>     };
>>
>>     category "notify" {
>>         "transfer_log";
>>     };
>>
>>     category "client" {
>>         "query_log";
>>     };
>>
>>     category "network" {
>>         "named_log";
>>     };
>>
>>     category "update" {
>>         "transfer_log";
>>     };
>>
>>     category "dnssec" {
>>         "security_log";
>>     };
>>
>>     category "dispatch" {
>>         "security_log";
>>     };
>> };
>>
>> This error message keeps triggering our monitoring systems.
>>
>> 2.) I currently have only one ipa-client, and certmonger keeps getting
>> SELinux AVC denials
>>
>> Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing
>> /usr/sbin/certmonger "execute" access on
>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>> Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing
>> /usr/sbin/certmonger "execute" access on
>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>> Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing
>> /usr/sbin/certmonger "execute" access on
>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>> Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing
>> /usr/sbin/certmonger "execute" access on
>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>>
>>
>> Summary:
>>
>> SELinux is preventing /usr/sbin/certmonger "execute" access on
>> /usr/libexec/certmonger/ipa-submit.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by certmonger. It is not expected that
>> this
>> access is required by certmonger and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the
>> application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file
>> a bug
>> report.
>>
>> Additional Information:
>>
>> Source Context system_u:system_r:certmonger_t:s0
>> Target Context system_u:object_r:bin_t:s0
>> Target Objects /usr/libexec/certmonger/ipa-submit [ file ]
>> Source certmonger
>> Source Path /usr/sbin/certmonger
>> Port <Unknown>
>> Host ulasi.uzdomain.ca
>> Source RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13
>> Target RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13
>> Policy RPM selinux-policy-3.7.19-65.fc13
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Enforcing
>> Plugin Name catchall
>> Host Name ulasi.uzdomain.ca
>> Platform Linux ulasi.uzdomain.ca 2.6.34.7-61.fc13.i686.PAE
>> #1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686
>> Alert Count 1646
>> First Seen Sat Oct 23 15:48:48 2010
>> Last Seen Sun Oct 24 10:59:52 2010
>> Local ID 8db766a3-6100-4be5-aec6-2a3a713290e2
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=ulasi.uzdomain.ca type=AVC
>> msg=audit(1287932392.282:21690): avc: denied { execute } for pid=3472
>> comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251
>> scontext=system_u:system_r:certmonger_t:s0
>> tcontext=system_u:object_r:bin_t:s0 tclass=file
>>
>> node=ulasi.uzdomain.ca type=SYSCALL
>> msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no
>> exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555
>> pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> fsgid=0 tty=(none) ses=4294967295 comm="certmonger"
>> exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0
>> key=(null)
>>
>> I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ];
>> because of the problem I updated to the nightly build
>> certmonger-0.32-0.2010101515git5920eca.fc13, but the problem continues.
>>
>> These are the selinux rpms
>> selinux-policy-targeted-3.7.19-65.fc13.noarch
>> selinux-policy-3.7.19-65.fc13.noarch
>> libselinux-python-2.0.94-2.fc13.i686
>> libselinux-utils-2.0.94-2.fc13.i686

Uzor, the SELinux guys have updated the bug asking this:

Can you execute:

# semanage permissive -a certmonger_t

and re-test it. After that execute

# ausearch -m avc -ts recent


I just want to see if you get any other AVC messages. Thanks.

rob
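As an added example (not from this thread, nor from the certmonger or FreeIPA projects), this Python snippet parses the raw audit records Uzor pasted, merges the AVC and SYSCALL lines by audit serial, decodes the exit value, and reduces repeats to one denial signature (subject domain, target type, class, permissions), which is what a monitoring rule should key on rather than each setroubleshoot alert. The third record is a constructed repeat with a made-up serial and pid.

```python
import errno
import re
from collections import Counter, defaultdict
# Constructed input: the two raw audit records quoted in the thread (mail-client
# URL remnants stripped) plus one made-up repeat of the AVC under a new serial.
RAW_AUDIT = (
    'node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc: '
    'denied { execute } for pid=3472 comm="certmonger" name="ipa-submit" '
    'dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file\n'
    'node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): '
    'arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 '
    'a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" '
    'subj=system_u:system_r:certmonger_t:s0 key=(null)\n'
    'node=ulasi.uzdomain.ca type=AVC msg=audit(1287932424.101:21702): avc: '  # constructed
    'denied { execute } for pid=3490 comm="certmonger" name="ipa-submit" '
    'dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file\n'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_events(text):
    """Merge AVC and SYSCALL lines that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events[m.group(1)]
        if ' type=AVC ' in line:
            ev['perms'] = tuple(PERM_RE.search(line).group(1).split())
        ev.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
        if 'exit' in ev:  # SYSCALL exit=-13 decodes to EACCES: enforced, not permissive
            ev['errno'] = errno.errorcode.get(-int(ev['exit']))
    return dict(events)

def signature(ev):
    """What identifies a denial independent of pid or time: the tuple a policy rule keys on."""
    sdom = ev['scontext'].split(':')[2]    # subject domain, e.g. certmonger_t
    ttype = ev['tcontext'].split(':')[2]   # target type, e.g. bin_t
    return (sdom, ttype, ev['tclass'], ev['perms'])

def summarise(text):
    """Count distinct signatures; the 1646 alerts on the page are one such entry."""
    return dict(Counter(signature(ev) for ev in parse_events(text).values()))
```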




More information about the Freeipa-users mailing list