| Summary: | RHEL7 ipa-client-install AVC denial for ipa-submit | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | jcholast, jpazdziora, jstancek, mgrepl, mkosek, mmalik, rcritten |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-03 09:02:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
ipa-submit is a certmonger component.
```
# rpm -ql certmonger | grep ipa-submit
/usr/libexec/certmonger/ipa-submit
/usr/share/doc/certmonger-0.67/ipa-submit.txt
/usr/share/man/man8/certmonger-ipa-submit.8.gz
```
I tried to run ipa-client-install and hit the same bug:
```
# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch
# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Discovery was successful!
Hostname: vm-052.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
Continue to configure the system with these values? [no]: ^C[root@vm-052 ~]# truncate -s 0 /var/log/audit/audit.log
[root@vm-052 ~]# ipa-client-install ^C
[root@vm-052 ~]# getenforce
Enforcing
[root@vm-052 ~]# ipa-client-install
...
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130918081005':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (HTTP response code is 401, not 200).
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com',token='NSS Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
# ausearch -m avc -ts today
----
time->Wed Sep 18 04:10:05 2013
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 a0=7fb6e47afb83 a1=7fb6e704b3f0 a2=0 a3=0 items=0 ppid=14368 pid=14384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc: denied { write } for pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
# cat /var/log/audit/audit.log | audit2allow
#============= certmonger_t ==============
allow certmonger_t self:key write;
# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch
```
Moving to selinux-policy component.
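To show how the audit2allow rule above is derived from the raw ausearch records, and why the denials in the description carry success=yes while the enforcing run carries success=no exit=-13, here is an added Python example that is not part of this bug report or of the certmonger/selinux-policy code. It assumes an x86_64 audit log (arch=c000003e, where syscalls 248/249/250 are add_key/request_key/keyctl) and parses the three SYSCALL/AVC pairs quoted in this bug, merging them into one rule.

```python
import re
from collections import defaultdict

# Keyring syscall numbers on x86_64 (arch=c000003e); assumption: the log comes from x86_64 only.
KEY_SYSCALLS_X86_64 = {248: "add_key", 249: "request_key", 250: "keyctl"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
# Constructed sample: the three denials quoted in this bug, SYSCALL records abridged to the fields used here.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 pid=12655 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 pid=12655 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 pid=14384 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1379491805.335:131): avc:  denied  { write } for  pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
"""

def parse_audit(text):
    """Pair SYSCALL and AVC records by audit serial (as ausearch does), keeping the fields triage needs."""
    events = defaultdict(dict)
    for line in filter(SERIAL.search, text.splitlines()):
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[SERIAL.search(line).group(1)]
        if fields.get("type") == "SYSCALL":
            nr = int(fields["syscall"])
            ev["syscall"] = KEY_SYSCALLS_X86_64.get(nr, str(nr)) if fields["arch"] == "c000003e" else "?"
            # success=yes beside a denial means the domain ran permissive; success=no exit=-13 was really blocked
            ev["enforced"] = fields["success"] == "no"
        elif fields.get("type") == "AVC":
            ev["perms"] = set(PERMS.search(line).group(1).split())
            ev["source"] = fields["scontext"].split(":")[2]  # type field of the security context
            ev["target"] = fields["tcontext"].split(":")[2]
            ev["tclass"] = fields["tclass"]
    return dict(events)

def allow_rules(events):
    """Merge denied permissions into audit2allow-style rules, using 'self' when source == target."""
    merged = defaultdict(set)
    for ev in events.values():
        if "perms" in ev:
            target = "self" if ev["source"] == ev["target"] else ev["target"]
            merged[(ev["source"], target, ev["tclass"])] |= ev["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules
```

Run against the full /var/log/audit/audit.log, the merged rule is what audit2allow prints for both the write and the read denial together, and the enforced flag separates a real failure like the CA_UNREACHABLE request above from a permissive-mode denial.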
Note that there is another potentially related bug from the IPA team: Bug 1007606.

Did it work with this local policy?

It does indeed work with the local policy.

So does that mean this needs to be added to selinux-policy?

Yes - Jan verified in Comment 6 that the policy fixes it. Now I assume the ball is on Mirek's playground to update the policy.

I added fixes.

*** Bug 1010992 has been marked as a duplicate of this bug. ***

(In reply to Miroslav Grepl from comment #9)
> I added fixes.

to Fedora. Will backport them.

*** This bug has been marked as a duplicate of bug 1012109 ***
Description of problem:

During automated testing, I see this when ipa-client-install is run:

```
time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 a0=7f3760054b83 a1=7f376174a950 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc: denied { write } for pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
----
time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 a0=b a1=2a0425f6 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc: denied { read } for pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
```

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch

How reproducible:
yet unknown

Steps to Reproduce:
1. Install IPA Master
2. Install IPA Client (w/ ipa-client-install)
3. ausearch -m avc

Actual results:
lists AVC denial from above.

Expected results:
no denials expected.

Additional info: