From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Thu, 17 Sep 2020 11:30:45 +0200
Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
enhance the test suite so that it covers: - deleting subCAs (disabling them first) - checking what happens when creating a dozen+ subCAs at a time - adding a subCA that already exists and expect failure
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
.../test_replica_promotion.py | 52 +++++++++++++++++--
1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 82117054f..f0b72e1f8 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
 SERVER_CERT_NICK: 'u,u,u',
 }
 
- def add_subca(self, host, name, subject):
+ def add_subca(self, host, name, subject, raiseonerr=True):
 result = host.run_command([
 'ipa', 'ca-add', name,
 '--subject', subject,
- '--desc', self.SUBCA_DESC,
+ '--desc', self.SUBCA_DESC],
+ raiseonerr=raiseonerr
+ )
+ if raiseonerr:
+ assert "ipa: ERROR:" not in result.stderr_text
+ auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
+ return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+ else:
+ assert "ipa: ERROR:" in result.stderr_text
+ assert result.returncode != 0
+ return result
+
+ def del_subca(self, host, name):
+ host.run_command([
+ 'ipa', 'ca-disable', name
 ])
- auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
- return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+ result = host.run_command([
+ 'ipa', 'ca-del', name
+ ])
+ assert "Deleted CA \"{}\"".format(name) in result.stdout_text
 
 def check_subca(self, host, name, cert_nick):
- host.run_command(['ipa', 'ca-show', name])
+ result = host.run_command(['ipa', 'ca-show', name])
+ # ipa ca-show returns 0 even if the cert cannot be found locally.
+ assert "ipa: ERROR:" not in result.stderr_text
 tasks.run_certutil(
 host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
 )
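Review bot: `add_subca` now returns a certutil nickname string when `raiseonerr` is true but the raw `run_command` result when it is false, and nothing at the definition says so; a one-line docstring such as `"""Add a sub-CA and return its cert nickname; with raiseonerr=False expect failure and return the command result."""` would make that contract visible at the call sites in the later hunk. `del_subca` asserts on the `ca-del` output but discards the `ca-disable` result, so it does not apply the `"ipa: ERROR:" not in result.stderr_text` check that `add_subca` and `check_subca` use; if `ca-disable` can, like `ca-show` per the comment here, exit 0 while printing an error, the failure would only surface indirectly at `ca-del`. The enclosing class TestSubCAkeyReplication starts outside the hunk, and `check_subca` may continue past its last line.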
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
 ssl = replica.run_command(ssl_cmd)
 assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
 
+ def test_del_subca_master_on_replica(self):
+ self.del_subca(self.replicas[0], self.SUBCA_MASTER)
+
+ def test_del_subca_replica(self):
+ self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
+
+ def test_scale_add_subca(self):
+ master = self.master
+ replica = self.replicas[0]
+
+ subcas = {}
+ for i in range(0, 16):
+ name = "_".join((self.SUBCA_MASTER, str(i)))
+ cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
+ subcas[name] = self.add_subca(master, name, cn)
+ self.add_subca(master, name, cn, raiseonerr=False)
+
+ # give replication some time
+ time.sleep(15)
+
+ for name in subcas:
+ self.check_subca(replica, name, subcas[name])
+ self.del_subca(replica, name)
+
 
 class TestReplicaInstallCustodia(IntegrationTest):
 """
-- 2.26.2
From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Fri, 18 Sep 2020 11:55:37 +0200
Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add proper labeling, transition and policy for ipa-pki-retrieve-key. Make sure tomcat_t can execute ipa-pki-retrieve-key.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.fc | 1 +
selinux/ipa.te | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+)
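Review bot: `test_scale_add_subca` waits with a fixed `time.sleep(15)` for sixteen sub-CA keys to replicate before calling `check_subca` on the replica, so the result depends on replica speed: a slow replica fails the test and a fast one wastes the wait. Polling `check_subca` in a bounded retry loop (or the integration helpers' replication-wait, if `tasks` provides one) would make the assertion deterministic. If `check_subca` raises for one entry, the remaining entries never reach `del_subca`, so the sub-CAs are left behind; deleting what was created in a `try`/`finally` around the verification loop would keep the cleanup independent of the outcome. Minor: `range(0, 16)` is `range(16)`, and `for name, nick in subcas.items():` avoids the second lookup. The enclosing class starts outside the hunk.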
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index a98cc4665..1176f383c 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -30,5 +30,6 @@
 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
 /usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
+/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
 
 /var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 3fa4ba980..26daed293 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
 type pki_tomcat_cert_t;
 type node_t;
 
+type ipa_pki_retrieve_key_exec_t;
+init_script_file(ipa_pki_retrieve_key_exec_t)
+
 ########################################
 #
 # ipa_otpd local policy
@@ -412,3 +415,28 @@ optional_policy(`
 optional_policy(`
 systemd_private_tmp(ipa_custodia_tmp_t)
 ')
+
+ optional_policy(`
+ gen_require(`
+ type tomcat_t;
+ ')
+ can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
+ ')
+
+ optional_policy(`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
+ ')
+
+ optional_policy(`
+ java_exec(ipa_custodia_pki_tomcat_exec_t)
+ # allow Java to read system status and RNG
+ dev_read_urand(ipa_custodia_t)
+ dev_read_rand(ipa_custodia_t)
+ kernel_read_network_state(ipa_custodia_t)
+ dev_read_sysfs(ipa_custodia_t)
+ ')
-- 2.26.2
From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
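Review bot: The second ipa.te hunk gives tomcat_t `can_exec` on ipa_pki_retrieve_key_exec_t but declares no process domain for the helper and no transition into one, so ipa-pki-retrieve-key keeps running as tomcat_t, and `pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)` is applied to a file type rather than to a domain; the commit message promises a "transition" that this hunk does not contain. The later patches on this page move that grant to ipa_pki_retrieve_key_t and give it `domain_type`, but none adds a `domtrans_pattern(tomcat_t, ipa_pki_retrieve_key_exec_t, ipa_pki_retrieve_key_t)` or any entrypoint, and the AVC quoted in the last patch's message (`scontext=system_u:system_r:tomcat_t:s0`, `comm="ipa-pki-retriev"`) confirms the helper still runs in tomcat_t, so the rules on ipa_pki_retrieve_key_t never apply and every permission the helper needs ends up granted to the whole tomcat_t domain. If a separate domain is intended, add the transition next to the `can_exec` line and move the helper's grants onto ipa_pki_retrieve_key_t; if not, the unused type should go and a comment such as `# ipa-pki-retrieve-key runs in tomcat_t (no domain transition)` should record the decision. Since `init_script_file` is used for the type, confirm that marking the helper as an init script, rather than a plain executable, is what is wanted here.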
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Fri, 18 Sep 2020 17:45:39 +0200
Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is used by the JVM perf counters.
Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 26daed293..0a9ccaf83 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
 
 manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
 manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
 files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
 
 kernel_dgram_send(ipa_custodia_t)
-- 2.26.2
From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Mon, 21 Sep 2020 11:32:52 +0200
Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of ipa_pki_retrieve_key_exec_t. As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
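Review bot: `mmap_exec_files_pattern` lets ipa_custodia_t map ipa_custodia_tmp_t files executable, and the `manage_files_pattern` line directly above already lets the same domain create and write them, so the domain can write a file and then execute it from memory, which is the write/execute separation a dedicated tmp type usually preserves. The commit message attributes the need to the JVM performance counters; those are normally read/write mappings, so if the denied permission was `map`, a read/write mapping pattern (`mmap_rw_files_pattern`, if this policy's macro set provides it) should satisfy it without granting `execute`. If the denial really was on `execute`, a comment on this line quoting the AVC, e.g. `# JVM hsperfdata: <paste AVC here>`, would document why the wider grant is needed.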
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 0a9ccaf83..92a3b2359 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,6 +78,8 @@ type node_t;
 type ipa_pki_retrieve_key_exec_t;
 init_script_file(ipa_pki_retrieve_key_exec_t)
 
+type ipa_pki_retrieve_key_t;
+
 ########################################
 #
 # ipa_otpd local policy
@@ -422,7 +424,7 @@ optional_policy(`
 type tomcat_t;
 ')
 can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
- pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
+ pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
 ')
 
 optional_policy(`
-- 2.26.2
From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Mon, 21 Sep 2020 11:37:12 +0200
Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by ipa_custodia_pki_tomcat_t. As suggested by Ondrej Mosnáček.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 92a3b2359..b2c618a53 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
 type ipa_custodia_pki_tomcat_exec_t;
 init_script_file(ipa_custodia_pki_tomcat_exec_t)
 
+type ipa_custodia_pki_tomcat_t;
+
 type ipa_custodia_ra_agent_exec_t;
 init_script_file(ipa_custodia_ra_agent_exec_t)
 
@@ -436,7 +438,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- java_exec(ipa_custodia_pki_tomcat_exec_t)
+ java_exec(ipa_custodia_pki_tomcat_t)
 # allow Java to read system status and RNG
 dev_read_urand(ipa_custodia_t)
 dev_read_rand(ipa_custodia_t)
-- 2.26.2
From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Tue, 22 Sep 2020 11:36:13 +0200
Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
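Review bot: `ipa_custodia_pki_tomcat_t` is introduced as a bare `type` with no `domain_type`, no transition from ipa_custodia_t and no entrypoint on ipa_custodia_pki_tomcat_exec_t, so the `java_exec` rule moved onto it in the second hunk is never held by any running process; the `can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)` context visible in a later patch on this page suggests the custodia helpers run inside ipa_custodia_t itself. If that is the case the rule that actually takes effect is `java_exec(ipa_custodia_t)`, and the new type can be dropped; if a separate domain is intended it needs `domain_type` plus a `domtrans_pattern` from ipa_custodia_t. Either way the declaration deserves a comment naming which process is meant to run in it, e.g. `# domain for the ipa-custodia-pki-tomcat helper (no transition defined yet)`.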
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b2c618a53..42b010133 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
 type node_t;
 
 type ipa_pki_retrieve_key_exec_t;
+domain_type(ipa_pki_retrieve_key_exec_t)
 init_script_file(ipa_pki_retrieve_key_exec_t)
 
 type ipa_pki_retrieve_key_t;
-- 2.26.2
From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Tue, 22 Sep 2020 13:12:05 +0200
Subject: [PATCH] SELinux Policy: make interfaces for kernel modules non-optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Interfaces for kernel modules do not need to be in an optional module. Also make sure ipa_custodia_t can log. Suggested by Lukas Vrabec.
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 42b010133..f984a0f94 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
 type node_t;
 
 type ipa_pki_retrieve_key_exec_t;
-domain_type(ipa_pki_retrieve_key_exec_t)
-init_script_file(ipa_pki_retrieve_key_exec_t)
-
 type ipa_pki_retrieve_key_t;
+domain_type(ipa_pki_retrieve_key_t)
+init_script_file(ipa_pki_retrieve_key_exec_t)
 
 ########################################
 #
@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
 files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
 
 kernel_dgram_send(ipa_custodia_t)
+kernel_read_network_state(ipa_custodia_t)
 
 auth_read_passwd(ipa_custodia_t)
 
@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
 corecmd_exec_bin(ipa_custodia_t)
 corecmd_mmap_bin_files(ipa_custodia_t)
 
+dev_read_urand(ipa_custodia_t)
+dev_read_rand(ipa_custodia_t)
+dev_read_sysfs(ipa_custodia_t)
+
 domain_use_interactive_fds(ipa_custodia_t)
 
 files_mmap_usr_files(ipa_custodia_t)
@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
 libs_exec_ldconfig(ipa_custodia_t)
 libs_ldconfig_exec_entry_type(ipa_custodia_t)
 
+logging_send_syslog_msg(ipa_custodia_t)
+
 miscfiles_read_generic_certs(ipa_custodia_t)
 miscfiles_read_localization(ipa_custodia_t)
 
@@ -441,8 +447,4 @@ optional_policy(`
 optional_policy(`
 java_exec(ipa_custodia_pki_tomcat_t)
 # allow Java to read system status and RNG
- dev_read_urand(ipa_custodia_t)
- dev_read_rand(ipa_custodia_t)
- kernel_read_network_state(ipa_custodia_t)
- dev_read_sysfs(ipa_custodia_t)
 ')
-- 2.26.2
From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Tue, 22 Sep 2020 13:34:40 +0200
Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is required to fix: avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 Macros suggested by: Ondrej Mosnacek
Fixes: https://pagure.io/freeipa/issue/8488
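Review bot: After the last hunk the final `optional_policy` block keeps the comment `# allow Java to read system status and RNG` while every rule it described (`dev_read_urand`, `dev_read_rand`, `kernel_read_network_state`, `dev_read_sysfs`) has moved to the unconditional section, so the comment now sits above nothing and misdescribes a block whose only rule is `java_exec`. Delete it here and put the explanation next to the `dev_read_*` lines added in the second hunk, e.g. `# JVM helper: RNG devices and sysfs for system status`. The `kernel_read_network_state` line in the first hunk is the one grant in this set with no obvious link to Java and would benefit from its own one-line why-comment.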
Signed-off-by: François Cami
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
Reviewed-By: Alexander Bokovoy
Reviewed-By: Christian Heimes
Reviewed-By: Rob Crittenden
Reviewed-By: Ondrej Mosnacek
Reviewed-By: Lukas Vrabec
Reviewed-By: Zdenek Pytela
Reviewed-By: Thomas Woerner
---
selinux/ipa.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index f984a0f94..fa577191c 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -448,3 +448,11 @@ optional_policy(`
 java_exec(ipa_custodia_pki_tomcat_t)
 # allow Java to read system status and RNG
 ')
+
+ optional_policy(`
+ gen_require(`
+ type tomcat_t;
+ ')
+ kerberos_read_config(tomcat_t)
+ kerberos_read_keytab(tomcat_t)
+ ')
-- 2.26.2
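Review bot: `kerberos_read_keytab(tomcat_t)` and `kerberos_read_config(tomcat_t)` are granted to the whole tomcat_t domain, i.e. to everything the PKI Tomcat instance runs, not only to ipa-pki-retrieve-key; the AVC in the commit message (`comm="ipa-pki-retriev"`, `scontext=system_u:system_r:tomcat_t:s0`) shows this is needed only because the helper never transitions out of tomcat_t. With a transition into ipa_pki_retrieve_key_t in place the keytab grant could be scoped to that domain, which is the smaller privilege. The block also repeats the `gen_require(type tomcat_t;)` of the earlier tomcat_t `optional_policy` block that holds the `can_exec` rule; merging the two under one comment such as `# tomcat_t runs ipa-pki-retrieve-key, which reads krb5 config and keytab files` would keep the tomcat_t grants in one place.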