selinux: allow oddjobd to set up ipa_helper_t context for execution #4882
Conversation
Please see http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/ for explanation about noatsecure appearance. This fix should make fetching of trust topology information work again. The denials are part of dontaudit rules and thus were not visible otherwise, causing a weird issue with Samba Python bindings not being able to discover proper current kerberos configuration. As a result, the code went with assumption that the current principal (trusted domain object's credential from AD realm) in a credentials cache belongs to the default realm (IPA). This caused an attempt to request a cross-realm referral to AD domain controller and since the trust is one-way by default (and into an opposite direction), it was rejected by KDC.
After discussing with @zpytela and others, we came to the following conclusion:
Additionally I found that there is an attempt to load selinux policy from
Full set of AVCs on a fresh F32 is the following.
We don't need to allow
SELinux policy change: fedora-selinux/selinux-policy-contrib#292
ad374e9 to f5fe5ae
selinux-policy counterpart:
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires SELinux policy permission to use 'noatsecure'. This comes most likely from execve() setup by glibc. Add SELinux interface ipa_helper_noatsecure() that can be called by oddjob's SELinux policy definition.

In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to access SELinux configuration and produce AVC for that. Allow reading general userspace SELinux configuration.

Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
f5fe5ae to ac74c40
Related: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
e7ee1be to 343212b
SELinux team agrees with the changeset. 👍
On Fedora 32+ and RHEL 8.3.0+ SELinux policy requires explicit process
transition from httpd_t context. In addition, a setup of a helper
execution needs permission to use 'noatsecure', 'rlimitinh', and
'siginh'. These operations are invoked during execve() setup by glibc.

Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
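The denials behind this PR were hidden by dontaudit rules, so the usual `ausearch -m AVC` workflow shows nothing until dontaudit is temporarily switched off with `semodule -DB` (and restored afterwards with `semodule -B`). Once the records are in the audit log, the next step is turning them into candidate `allow` rules, which is what `audit2allow` does. The script below is an added example, not code from the freeipa project or from this PR, and it reimplements that aggregation step for a few constructed AVC lines: the process permissions (`noatsecure`, `rlimitinh`, `siginh`) raised during the `execve()` into `ipa_helper_t`, and the `selinux_config_t` read from `ipa-getkeytab`. The source/target types, pids, inode numbers and timestamps in the sample are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the PR, the bug report or any
# real system). They mimic the shape of the denials described in the commit
# messages: oddjob_t transitioning into ipa_helper_t, and ipa_helper_t reading
# the userspace SELinux configuration. Field values are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1590000000.101:201): avc:  denied  { noatsecure } for  pid=4242 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
type=AVC msg=audit(1590000000.101:202): avc:  denied  { rlimitinh } for  pid=4242 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
type=AVC msg=audit(1590000000.101:203): avc:  denied  { siginh } for  pid=4242 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0
type=AVC msg=audit(1590000000.250:204): avc:  denied  { read } for  pid=4243 comm="ipa-getkeytab" name="config" dev="dm-0" ino=1234 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1590000000.250:204): arch=c000003e syscall=257 success=no exit=-13 comm="ipa-getkeytab"
"""

# Matches the permission set, source context, target context and object class
# of a single "avc: denied" record. Non-AVC records (SYSCALL, PATH, ...) do not
# match and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class).

    Returns a dict mapping that triple to the set of denied permissions, which
    is the granularity at which an allow rule is written.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (
            selinux_type(m.group("scon")),
            selinux_type(m.group("tcon")),
            m.group("tclass"),
        )
        rules[key].update(m.group("perms").split())
    return rules


def render_allow_rules(rules):
    """Render the grouped denials as policy-language allow rules, one per triple."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) == 1:
            lines.append(f"allow {src} {tgt}:{cls} {perm_str};")
        else:
            lines.append(f"allow {src} {tgt}:{cls} {{ {perm_str} }};")
    return lines


if __name__ == "__main__":
    for rule in render_allow_rules(parse_avcs(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The raw `allow` lines are what you would review before deciding how to express them in policy. The PR itself does not paste them verbatim into oddjob's module: it adds an `ipa_helper_noatsecure()` interface in the freeipa policy so that the oddjob policy grants the transition permissions by calling the interface, and it grants the configuration read with the existing interface for general userspace SELinux configuration. Reviewing the aggregated output also makes it easy to spot a denial you should not allow, which is why every triple is printed separately rather than merged into one wide rule.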