Bug 1216090 - MicroOS, selinux is preventing nfsv4 upcall request-key, nfsidmap
Status: RESOLVED FIXED
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: MicroOS
Version: Current
Hardware: VMWare openSUSE Tumbleweed
Importance: P5 - None, Normal with 5 votes
Target Milestone: ---
Assignee: Cathy Hu
QA Contact: E-mail List
Reported: 2023-10-10 10:49 UTC by Oliver Mössinger
Modified: 2023-12-08 10:41 UTC
Flags: cathy.hu: needinfo? (olivpass)

Description Oliver Mössinger 2023-10-10 10:49:46 UTC
Hi,

I want to use the kernel upcall idmapper documented here:

https://www.kernel.org/doc/html/v6.5/admin-guide/nfs/nfs-idmapper.html
https://www.kernel.org/doc/html/v6.5/security/keys/request-key.html

My configuration follows:

swarm-4:~ # cat /proc/version
Linux version 6.5.4-1-default (geeko@buildhost) (gcc (SUSE Linux) 13.2.1 20230912 [revision b96e66fd4ef3e36983969fb8cdd1956f551a074b], GNU ld (GNU Binutils; openSUSE Tumbleweed) 2.40.0.20230412-5) #1 SMP PREEMPT_DYNAMIC Wed Sep 20 05:07:04 UTC 2023 (fdd7e9e)
swarm-4:~ # cat /etc/os-release 
NAME="openSUSE MicroOS"
# VERSION="20231006"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20231006"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20231006"
BUG_REPORT_URL="https://bugzilla.opensuse.org"
SUPPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo-MicroOS"

# DEFAULT
swarm-4:~ # cat /etc/idmapd.conf 
[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]

Nobody-User = nobody
Nobody-Group = nobody

# DEFAULT
swarm-4:~ # cat /etc/request-key.conf 
...
# multiple -v for journald debugging
create  id_resolver    *        *               /usr/sbin/nfsidmap -v -v -v -v %k %d -t 600

# DEFAULT
swarm-4:~ # cat /sys/module/nfs/parameters/nfs4_disable_idmapping
Y
swarm-4:~ # mount -o vers=4.0 172.x.y.z:/test mnt
swarm-4:~ # touch mnt/must_be_root
swarm-4:~ # ls -lan mnt/must_be_root 
-rw-r--r--. 1 4294967294 4294967294 0 Oct 10 10:21 mnt/must_be_root
swarm-4:~ # cat /proc/keys | grep id_resolv
09c769ad I--Q-N-     1  59s 3b010000     0     0 id_resolv gid:root@localdomain
19ec1865 I--Q-N-     1  59s 3b010000     0     0 id_resolv uid:root@localdomain
26368c3e I------     1 perm 1f030000     0     0 keyring   .id_resolver: 4
swarm-4:~ # nfsidmap -l
4 .id_resolver keys found:
  gid:root@localdomain
  gid:root@localdomain
  uid:root@localdomain
  uid:root@localdomain

##########################################
Problem: the upcall for nfsidmap does not work. I get 4294967294 as user_id and group_id, not the 0 I expected.
There is no idmap debug information in the journal. I guess /usr/sbin/nfsidmap is never executed. The same configuration
on openSUSE 15.5 is working and I get idmap debug messages in the journal.
##########################################

If I use the legacy rpc.idmapd daemon for the ID mapping, it is working:
swarm-4:~ # umount mnt
swarm-4:~ # nfsidmap -c
swarm-4:~ # nfsidmap -l
No .id_resolver keys found.
swarm-4:~ # cat /proc/keys | grep id_resolv
26368c3e I------     1 perm 1f030000     0     0 keyring   .id_resolver: empty
# nfs-idmapd.service start without nfs-server
swarm-4:~ # systemctl cat nfs-idmapd.service
# /etc/systemd/system/nfs-idmapd.service
[Unit]
Description=NFSv4 ID-name mapping service
DefaultDependencies=no
Requires=rpc_pipefs.target
After=rpc_pipefs.target local-fs.target

[Service]
Type=forking
ExecStart=/usr/sbin/rpc.idmapd
swarm-4:~ # ps auxf | grep rpc.idmapd
root      6151  0.0  0.0   3964  1920 pts/0    S+   10:28   0:00          \_ grep --color=auto rpc.idmapd
root      6148  0.0  0.0   2968  2176 ?        Ss   10:27   0:00 /usr/sbin/rpc.idmapd
swarm-4:~ # mount -o vers=4.0 172.x.y.z:/test mnt
swarm-4:~ # ls -lan mnt/must_be_root
-rw-r--r--. 1 0 0 0 Oct 10 10:21 mnt/must_be_root

Can you figure out why the call to /sbin/request-key fails? My installation is mostly default, and the same configuration on openSUSE Leap 15.5 is working.

Thank you,
Oliver Mössinger
Comment 1 Oliver Mössinger 2023-10-20 07:05:28 UTC
Hi,

after more research we found the following log:

swarm-4:~ # cat /var/log/audit/audit.log
...
type=AVC msg=audit(1697613095.657:32565): avc:  denied  { view } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32566): avc:  denied  { view } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32567): avc:  denied  { read } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32568): avc:  denied  { read } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32569): avc:  denied  { execute } for  pid=29707 comm="request-key" name="nfsidmap" dev="sda3" ino=33762 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nfsidmap_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697613095.657:32570): avc:  denied  { create } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=0
...

After disabling SELinux, the kernel upcall idmapper is working!

swarm-4:~ # grep ^SELINUX /etc/selinux/config 
SELINUX=disabled
SELINUXTYPE=targeted

It is an SELinux-related problem, and a similar issue is tracked here:
* https://bugzilla.redhat.com/show_bug.cgi?id=2188074

Thank you,
Oliver Mössinger
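As an added example (not part of the bug report and not openSUSE's tooling), the following Python groups the AVC records quoted in this comment by source type, target type and object class, and renders them in the allow-rule shape that audit2allow prints. Grouping them this way makes the blocked chain visible in one place: request-key runs as kernel_generic_helper_t, is denied view/read on the id_resolver key, is denied execute on nfsidmap_exec_t, and is denied creating its socket, so nfsidmap is never started and nothing reaches the journal. The SYSCALL line in the sample is a constructed placeholder added only to show that non-AVC records are skipped; the six AVC lines are copied from this comment.

```python
import re
from collections import defaultdict

# The six AVC records are copied from comment 1 of this bug. The SYSCALL line is a
# constructed placeholder (not from the bug) so the parser's filtering is visible.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1697613095.657:32565): arch=c000003e syscall=59 success=no exit=-13 comm="request-key" exe="/sbin/request-key"
type=AVC msg=audit(1697613095.657:32565): avc:  denied  { view } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32566): avc:  denied  { view } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32567): avc:  denied  { read } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32568): avc:  denied  { read } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
type=AVC msg=audit(1697613095.657:32569): avc:  denied  { execute } for  pid=29707 comm="request-key" name="nfsidmap" dev="sda3" ino=33762 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:nfsidmap_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697613095.657:32570): avc:  denied  { create } for  pid=29707 comm="request-key" scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:system_r:kernel_generic_helper_t:s0 tclass=unix_dgram_socket permissive=0
"""

# Header of an AVC record: timestamp:serial, result, the permission set in braces,
# and the remaining key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec.update(
        ts=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=set(m.group("perms").split()),
    )
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(":")[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        groups[key] |= rec["perms"]
    return dict(groups)


def to_te_rules(groups):
    """Render the groups as allow rules in the shape audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        target = "self" if src == tgt else tgt
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_text};")
    return rules


def blocked_executables(groups):
    """Executable types the source domain was denied 'execute' on: those helpers never ran."""
    return sorted(tgt for (src, tgt, cls), perms in groups.items()
                  if cls == "file" and "execute" in perms)


if __name__ == "__main__":
    denials = summarize_denials(AUDIT_LOG)
    for rule in to_te_rules(denials):
        print(rule)
    print("never executed:", blocked_executables(denials))
```

The rendered rules are the starting point for comparing against the shipped selinux-policy (which is what the staged update in the next comment changes), not something to load as a local module unreviewed; `blocked_executables` is the quick check that explains the empty journal, since a helper that is denied execute on its own executable type cannot log anything.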
Comment 2 Cathy Hu 2023-10-31 09:00:32 UTC
Hi,

I just wanted to give a quick update. I am still struggling to reproduce this issue.

However, we have had some recent fixes in the same area, so it could be that yours is resolved by one of them.
I staged an update here: https://build.opensuse.org/package/show/security:SELinux/selinux-policy
Please try adding the repository and updating selinux-policy and selinux-policy-targeted to the latest version there.

(If you don't want to add the repository, please wait until the following request is accepted and released; then you can just do a regular update:
https://build.opensuse.org/request/show/1121154 )

If after that the issue is still not resolved, could you please send me the following things:
- SELinux policy version: zypper info selinux-policy
- Output of: restorecon -Rvn /
- The AVCs that came out of the failed test

Thanks a lot!
Comment 3 Johannes Segitz 2023-11-13 12:40:03 UTC
We need the information Cathy requested to work on this, please. Thanks
Comment 4 Cathy Hu 2023-11-22 14:09:58 UTC
The last update did not fix this; I queued another one:
https://build.opensuse.org/request/show/1128144
Comment 5 Cathy Hu 2023-12-08 10:41:19 UTC
Closing as done; please reopen if you still encounter the issues.