| Summary: | Missing self:key write policy crashes IPA installation | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | mmalik, spoore |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-10-03 09:00:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** Bug 1012060 has been marked as a duplicate of this bug. *** #============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t self:key { read write };
#============= named_t ==============
#!!!! This avc is allowed in the current policy
allow named_t self:key { write read };
*** This bug has been marked as a duplicate of bug 1012109 *** |
Description of problem: IPA server installation crashes due to missing SELinux policy. All AVCs when installing in permissive mode: # ausearch -m avc -ts today ---- time->Wed Sep 25 11:33:46 2013 type=SYSCALL msg=audit(1380123226.223:266): arch=c000003e syscall=248 success=yes exit=202370179 a0=7f3f05ac4b2e a1=7f3efc3320d0 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1380123226.223:266): avc: denied { write } for pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key ---- time->Wed Sep 25 11:33:46 2013 type=SYSCALL msg=audit(1380123226.224:267): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=c0fec83 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null) type=AVC msg=audit(1380123226.224:267): avc: denied { read } for pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key ---- time->Wed Sep 25 11:33:56 2013 type=SYSCALL msg=audit(1380123236.402:273): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=3cc9d5db a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1380123236.402:273): avc: denied { read } for pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key ---- time->Wed Sep 25 11:33:56 2013 type=SYSCALL msg=audit(1380123236.402:272): arch=c000003e syscall=248 success=yes exit=1019860443 a0=7fbb87a40b2e a1=7fbb96ce2ed0 a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1380123236.402:272): avc: denied { write } for pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key audit2allow: # ausearch -m avc -ts today | audit2allow #============= httpd_t ============== allow httpd_t self:key { read write }; #============= named_t ============== allow named_t self:key { write read }; Version-Release number of selected component (if applicable): policycoreutils-2.1.14-81.el7.x86_64 selinux-policy-3.12.1-80.el7.noarch ipa-server-3.3.1-5.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Install ipa-server package 2. Run ipa-server-install 3. Actual results: Installation crashes in enforcing mode due to SELinux AVCs. Expected results: Installation passes. Additional info: