selinux: allow oddjobd to set up ipa_helper_t context for execution

[abbra]

On Fedora 32+ and RHEL 8.3.0+ SELinux policy requires explicit process
transition from httpd_t context. In addition, a setup of a helper
execution needs permission to use 'noatsecure', 'rlimitinh', and
'siginh'. These operations invoked during execve() setup by glibc.

Fixes: https://pagure.io/freeipa/issue/8395
Signed-off-by: Alexander Bokovoy abokovoy@redhat.com

[abbra]

Please see http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/ for explanation about noatsecure appearance.

This fix should make fetching of trust topology information working again. The denials are part of don't audit rules and thus were not visible otherwise, causing weird issue with Samba Python bindings not being able to discover proper current kerberos configuration.

As a result, the code went with assumption that the current principal (trusted domain object's credential from AD realm) in a credentials cache belongs to the default realm (IPA). This caused an attempt to request a cross-realm referral to AD domain controller and since the trust is one-way by default (and into an opposite direction), it was rejected by KDC.

[abbra]

After discussing with @zpytela and others, we came to the following conclusion:

• we need to extend oddjob policy interface to provide a way to tell ipa_helper_t is allowed to use noatsecure when when transitioning from oddjob_t
• we need to add a call to this interface to ipa policy.

Additionally I found that there is an attempt to load selinux policy from ipa-getkeytab, most likely due to libkrb5 initialization. This is denied for ipa_helper_exec_t context and needs to be extended.

Full set of AVCs on a fresh F32 is the following. We don't need to allow rlimitinh and siginh, they aren't really required, according to my testing with a custom policy:

type=AVC msg=audit(1593698019.970:2915): avc:  denied  { noatsecure } for  pid=33476 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=1
type=AVC msg=audit(1593698019.971:2916): avc:  denied  { rlimitinh } for  pid=33476 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=1
type=AVC msg=audit(1593698019.971:2917): avc:  denied  { siginh } for  pid=33476 comm="com.redhat.idm." scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=1
type=AVC msg=audit(1593698022.000:2918): avc:  denied  { read } for  pid=33479 comm="ipa-getkeytab" name="config" dev="vda1" ino=156614 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1593698022.001:2919): avc:  denied  { open } for  pid=33479 comm="ipa-getkeytab" path="/etc/selinux/config" dev="vda1" ino=156614 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1593698022.001:2920): avc:  denied  { getattr } for  pid=33479 comm="ipa-getkeytab" path="/etc/selinux/config" dev="vda1" ino=156614 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1

[abbra]

SELinux policy change: fedora-selinux/selinux-policy-contrib#292

[zpytela]

selinux-policy counterpart:
fedora-selinux/selinux-policy-contrib#293

[tiran]

SELinux team agrees with the changeset. 👍

[abbra]

master:

• f6055e6 selinux: allow oddjobd to set up ipa_helper_t context for execution
• 91713f4 selinux: support running ipa-custodia with PrivateTmp=yes