SELinux ddclient and ca-certificates


SELinux ddclient and ca-certificates

Robert Sharp

I have been enforcing on my SELinux box for a while without incident, until yesterday. Ddclient started spamming me with emails about SSL connect failures. I checked the audit log for AVCs and found the one below. The context for /etc/ssl/certs/ca-certificates is cert_t and it looks like the interface needed to access this type is "miscfiles_manage_generic_cert_files". I can test if this is the right approach? May take a while cos I am not sure how to force ddclient into attempting an update.

Thanks,
Robert

type=AVC msg=audit(1497448811.326:13013): avc:  denied  { search } for  pid=3311 
  comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168 
  scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass=dir 
  permissive=0



Re: SELinux ddclient and ca-certificates

Sven Vermeulen
On Thu, Jun 15, 2017 at 11:58:49AM +0100, Robert Sharp wrote:

> I have been enforcing on my SELinux box for a while without incident,
> until yesterday. Ddclient started spamming me with emails about SSL
> connect failures. I checked the audit log for AVCs and found the one
> below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
> looks like the interface needed to access this type is
> "miscfiles_manage_generic_cert_files". I can test if this is the right
> approach? May take a while cos I am not sure how to force ddclient into
> attempting an update.
>
>    Thanks,
>    Robert
> type=AVC msg=audit(1497448811.326:13013): avc:  denied  { search } for  pid=3311
>   comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168
>   scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass=dir
>   permissive=0

I generally try to make sure that it is the right domain before adding the
privilege. In the denial, the command that is being denied access is
"ca-certificates". Is that a script from ddclient, or does ddclient trigger
an (external) script and should we perhaps look at a potential domain
transition here?

Wkr,
        Sven Vermeulen


Re: SELinux ddclient and ca-certificates

Robert Sharp
On 17/06/17 11:47, Sven Vermeulen wrote:
> I generally try to make sure that it is the right domain before adding the
> privilege. In the denial, the command that is being denied access is
> "ca-certificates". Is that a script from ddclient, or does ddclient trigger
> an (external) script and should we perhaps look at a potential domain
> transition here?

Hi and thanks for the reply.

I had assumed this was the file of that name in /etc/ssl/certs but your comment made me check the inode and I was wrong. It is actually a directory "/usr/share/ca-certificates" which also has the "cert_t" context. There is no script by that name associated with ddclient so I guess ddclient is trying to (via openssl) access this directory/path?

Robert
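The denial from the first post, worked through as an added example (my code, not from the thread or from ddclient): auditd hex-encodes the comm field when it contains a space, so decoding it shows which process was denied, while name= is the object being searched; the permission set also tells you whether the domain is only reading the target or trying to change it.

```python
import re

# Constructed copy of the AVC record posted in this thread, re-joined onto
# one line (the mailer had wrapped it).
AVC = ('type=AVC msg=audit(1497448811.326:13013): avc:  denied  { search } for  pid=3311 '
       'comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168 '
       'scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass=dir '
       'permissive=0')

# Fields auditd hex-encodes (unquoted) when the value holds a space or a
# non-printable byte; other fields are left as written.
HEX_FIELDS = {"comm", "name", "exe", "cwd", "path", "proctitle"}

# Permissions that never modify the object. A denial whose permission set
# stays inside this set is "use", not "manage".
READ_ONLY_PERMS = {"search", "getattr", "read", "open", "lock", "ioctl", "map"}

def decode_field(key, value):
    """Strip quotes from a quoted value; hex-decode an unquoted value of a
    field auditd is known to encode."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("ascii", errors="replace")
    return value

def parse_avc(line):
    """Return the parts of an AVC denial a policy writer needs to decide
    on the right domain and the right (least) privilege."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: decode_field(k, v) for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = set(m.group(2).split())
    return {
        "result": m.group(1),
        "perms": perms,
        "comm": fields.get("comm"),              # the process, e.g. "ddclient - conn"
        "name": fields.get("name"),              # the object, e.g. "ca-certificates"
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "read_only": perms <= READ_ONLY_PERMS,
    }

def summarize(line):
    d = parse_avc(line)
    kind = "read-only" if d["read_only"] else "modifying"
    return (f'{d["comm"]!r} ({d["source_type"]}) denied {sorted(d["perms"])} on '
            f'{d["tclass"]} {d["name"]!r} ({d["target_type"]}): {kind} access')

if __name__ == "__main__":
    print(summarize(AVC))
```

For this record the output names "ddclient - conn" in ddclient_t searching the cert_t directory "ca-certificates", a read-only request, which is the distinction Sven draws between using the directory and manipulating it.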


Re: SELinux ddclient and ca-certificates

Sven Vermeulen
On Sat, Jun 17, 2017 at 06:20:40PM +0100, Robert Sharp wrote:
>    I had assumed this was the file of that name in /etc/ssl/certs but your
>    comment made me check the inode and I was wrong. It is actually a
>    directory "/usr/share/ca-certificates" which also has the "cert_t"
>    context. There is no script by that name associated with ddclient so I
>    guess ddclient is trying to (via openssl) access this directory/path?

The context on that directory is correct. If it is indeed ddclient that is
trying to manipulate that directory content, then by all means, add in the
privilege to do so.

Now, if I look at the current description of ddclient (i.e. perl client used
to update dynamic DNS entries) then I personally wonder if ddclient is
actually trying to *manipulate* the certificates (or add certificates to it)
rather than just use it.

It's okay to use it. Manipulating the directory seems to be something I
would want to verify with the application itself first. If it is a Perl
script, then it might be easy to find out why.

Wkr,
        Sven Vermeulen


Re: SELinux ddclient and ca-certificates

Robert Sharp
On 18/06/17 17:29, Sven Vermeulen wrote:
> It's okay to use it. Manipulating the directory seems to be something I
> would want to verify with the application itself first. If it is a Perl
> script, then it might be easy to find out why.

Looking at the error messages and the script itself the problem occurs within the Perl module IO::Socket::SSL. Looks like if a call to new does not work then ddclient raises the message. A quick search led me to http://search.cpan.org/~sullr/IO-Socket-SSL-2.049/lib/IO/Socket/SSL.pod and a little way down there is a good description of "Essential Information About SSL/TLS". Seems to me that the module is acting as expected and I cannot see that ddclient is doing anything else that might be suspect.

So I will add the privilege and try to force ddclient to update to see what happens.

Best,
Robert
