Bug 1356428 - SELinux context for IPA log files mismatch
Summary: SELinux context for IPA log files mismatch
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-14 06:13 UTC by Abhijeet Kasurde
Modified: 2016-08-23 04:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-23 04:28:05 UTC



Description Abhijeet Kasurde 2016-07-14 06:13:42 UTC
Description of problem:
There is a mismatch in the SELinux context of the IPA log files. This behavior is seen on the Master and on the Replicas.

[root@server1 ~]# ls -lZ /var/log/ipa*
-rw-------  root root ?                                /var/log/ipabackup.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-uninstall.log
-rw-------  root root ?                                /var/log/ipareplica-conncheck.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--  root root ?                                default.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 ipactl.log
-rw-------  root root ?                                renew.log

[root@replica1 ~]# ls -lZ /var/log/ipa*
-rw------- root root ?                                /var/log/ipaclient-install.log
-rw------- root root ?                                /var/log/ipaclient-uninstall.log
-rw------- root root ?                                /var/log/ipareplica-conncheck.log
-rw------- root root ?                                /var/log/ipareplica-install.log
-rw------- root root ?                                /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r-- root root ?                                default.log
-rw-r--r-- root root ?                                ipactl.log
-rw------- root root ?                                renew.log

[root@replica2 ~]# ls -lZ /var/log/ipa*
-rw------- root root ?                                /var/log/ipaclient-install.log
-rw------- root root ?                                /var/log/ipaclient-uninstall.log
-rw------- root root ?                                /var/log/ipareplica-conncheck.log
-rw------- root root ?                                /var/log/ipareplica-install.log
-rw------- root root ?                                /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r-- root root ?                                default.log
-rw-r--r-- root root ?                                ipactl.log
-rw------- root root ?                                renew.log

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install 1 Master and multiple Replicas
2. Get SELinux Context for IPA log files

Actual results:
Mismatch in SELinux context in IPA log files across master and replicas

Expected results:
There should be a single SELinux context for the IPA log files.

Comment 2 Petr Vobornik 2016-07-15 10:55:21 UTC
Abhijeet, are you pointing out the presence of "?" in output of `ls -lZ /var/log/ipa*`?

I'm not a SELinux guru, but it seems to me that `ls` fails to get the SELinux context on replica and thus shows `?`. Could it be that SELinux is disabled there and not just in permissive mode?

A somewhat related ticket (fixed in 4.4.0-1), so as not to be surprised in the future: https://fedorahosted.org/freeipa/ticket/5757

Comment 3 Abhijeet Kasurde 2016-07-15 11:44:33 UTC
Petr, 

SELinux is disabled due to BZ1350957, but even after enabling SELinux the permissions differ:

[root@server1 ~]# ls -lZ /var/log/ipa*
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipabackup.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-uninstall.log
-rw-------. root root system_u:object_r:ipa_log_t:s0   /var/log/ipareplica-conncheck.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 default.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 ipactl.log
-rw-------. root root system_u:object_r:var_log_t:s0   renew.log
[root@server1 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 4 Petr Vobornik 2016-07-19 11:26:06 UTC
Various contexts on individual logs on a single machine are expected - the applications which produce these logs may run under different users.

But having the same log files on different machines with different context is something we should avoid because it may be a cause for bugs. Is this the case?

Comment 5 Abhijeet Kasurde 2016-07-19 12:39:28 UTC
(In reply to Petr Vobornik from comment #4)
> Various context on individual logs on a single machine are expected -
> application which produce these logs may run under different user.
> 
Agreed.
> But having the same log files on different machines with different context
> is something we should avoid because it may be a cause for bugs. Is this the
> case?
Yes. On replica server,

[ master1 ]# ls -lZ /var/log/ipa*
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipabackup.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-uninstall.log
-rw-------. root root system_u:object_r:ipa_log_t:s0   /var/log/ipareplica-conncheck.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 default.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 ipactl.log
-rw-------. root root system_u:object_r:var_log_t:s0   renew.log


[ replica1 ]# ls -lZ /var/log/ipa*
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaclient-install.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaclient-uninstall.log
-rw-------. root root system_u:object_r:ipa_log_t:s0   /var/log/ipareplica-conncheck.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipareplica-install.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--. root root system_u:object_r:var_log_t:s0   default.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0   ipactl.log
-rw-------. root root system_u:object_r:var_log_t:s0   renew.log


There is a difference in the SELinux user field of the SELinux context for all log files across machines.

On the Master server it is 'unconfined_u', versus 'system_u' on the replica server.

Comment 6 Martin Bašti 2016-08-05 14:28:19 UTC
All of my logs have the user context unconfined_u. I asked the SELinux guys and read more about SELinux, and my findings are:

1) files created by system services have the system_u context
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Linux_services_and_the_system_u_SELinux_user

2) unconfined_u is the default for all users on RHEL
https://wiki.gentoo.org/wiki/SELinux/Tutorials/Linux_services_and_the_system_u_SELinux_user

So I have a question: did you install the master manually and the replica using a provisioning system?

On the master I see the conncheck log with system_u, but it was created by a script executed by oddjob.

Anyway, I propose wontfix :), this will work with both user contexts.
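
The listings in the description and in comments 5 and 6 make two separate points: a `?` in the context column means `ls` could not read any label (SELinux disabled, as comment 2 suspects and comment 3 confirms), and a difference confined to the SELinux user field (unconfined_u versus system_u) is not a difference in the type field, which is the only part of the label the targeted policy, with UBAC off, enforces on. The script below is an added example written for this page, not FreeIPA or Red Hat code. It parses RHEL 7 style `ls -lZ` output and sorts every path present on two hosts into those buckets. The embedded listings are copied from this report; the function and bucket names are my own.

```python
"""Added example, not FreeIPA or Red Hat code: parse the RHEL 7 style
`ls -lZ` listings from this report and classify label differences across
hosts.  Sample listings are copied from the description and comment 5;
`?` is what ls prints when it cannot read a label (comment 2)."""
import os
from collections import namedtuple

Label = namedtuple("Label", "user role type level")

def parse_ls_z(listing):
    """Map path -> Label, or None where the context column is `?`."""
    # Rows are 'mode owner group context name'; a 'dir:' line marks a
    # directory argument.  Names containing whitespace are not handled.
    labels, current_dir = {}, ""
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                 # e.g. "/var/log/ipa:"
            current_dir = line[:-1]
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        ctx, name = parts[3], parts[-1]
        path = name if name.startswith("/") else os.path.join(current_dir, name)
        if ctx == "?":
            labels[path] = None                # no label readable at all
            continue
        fields = ctx.split(":", 3)             # MLS level may itself contain ':'
        if len(fields) != 4:
            raise ValueError("unexpected context %r on %s" % (ctx, path))
        labels[path] = Label(*fields)
    return labels

def diff_labels(left, right):
    """Bucket every path present in both maps.  Under the targeted policy
    (UBAC off) only the type gates access, so 'type_mismatch' is the bucket
    to act on; 'non_type_mismatch' is a user/role/level-only difference."""
    out = {"unlabeled": [], "type_mismatch": [], "non_type_mismatch": [], "same": []}
    for path in sorted(set(left) & set(right)):
        a, b = left[path], right[path]
        if a is None or b is None:
            out["unlabeled"].append(path)
        elif a.type != b.type:
            out["type_mismatch"].append(path)
        elif a != b:
            out["non_type_mismatch"].append(path)
        else:
            out["same"].append(path)
    return out

# Master listing from comment 5 (SELinux enforcing).
MASTER_LS = """\
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipabackup.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaclient-uninstall.log
-rw-------. root root system_u:object_r:ipa_log_t:s0   /var/log/ipareplica-conncheck.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-install.log
-rw-------. root root unconfined_u:object_r:var_log_t:s0 /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 default.log
-rw-r--r--. root root unconfined_u:object_r:var_log_t:s0 ipactl.log
-rw-------. root root system_u:object_r:var_log_t:s0   renew.log
"""

# Replica listing from comment 5 (SELinux enforcing).
REPLICA_LS = """\
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaclient-install.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaclient-uninstall.log
-rw-------. root root system_u:object_r:ipa_log_t:s0   /var/log/ipareplica-conncheck.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipareplica-install.log
-rw-------. root root system_u:object_r:var_log_t:s0   /var/log/ipaserver-uninstall.log

/var/log/ipa:
-rw-r--r--. root root system_u:object_r:var_log_t:s0   default.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0   ipactl.log
-rw-------. root root system_u:object_r:var_log_t:s0   renew.log
"""

# Top-level part of replica1's listing from the description (SELinux disabled).
DISABLED_LS = """\
-rw------- root root ?                                /var/log/ipaclient-install.log
-rw------- root root ?                                /var/log/ipaclient-uninstall.log
-rw------- root root ?                                /var/log/ipareplica-conncheck.log
-rw------- root root ?                                /var/log/ipareplica-install.log
-rw------- root root ?                                /var/log/ipaserver-uninstall.log
"""

def report(left_listing, right_listing):
    return diff_labels(parse_ls_z(left_listing), parse_ls_z(right_listing))

if __name__ == "__main__":
    for bucket, paths in report(MASTER_LS, REPLICA_LS).items():
        print("%-18s %s" % (bucket, " ".join(paths) or "-"))
```

On the listings from comment 5 every difference lands in `non_type_mismatch` and `type_mismatch` stays empty, which is why comment 6 can close this as working with both user contexts; against the description's `?` listing every shared path lands in `unlabeled`, the signature of a host where SELinux is off rather than merely permissive. To check the type field against what the loaded policy expects, instead of against another host, `restorecon -nv /var/log/ipa*` prints what it would relabel without changing anything.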

Comment 7 Abhijeet Kasurde 2016-08-23 04:28:05 UTC
(In reply to Martin Bašti from comment #6)
> All of my logs have the user context unconfined_u. I asked the SELinux guys and read
> more about SELinux, and my findings are:
> 
> 1) files created by system services have the system_u context
> https://wiki.gentoo.org/wiki/SELinux/Tutorials/Linux_services_and_the_system_u_SELinux_user
> 
> 2) unconfined_u is the default for all users on RHEL
> https://wiki.gentoo.org/wiki/SELinux/Tutorials/Linux_services_and_the_system_u_SELinux_user
> 
OK
> So I have a question: did you install the master manually and the replica using a
> provisioning system?
> 
I think this may be a machine-specific issue.
> On the master I see the conncheck log with system_u, but it was created by a script
> executed by oddjob.
> 
> Anyway, I propose wontfix :), this will work with both user contexts.

Closing as WORKSFORME.

