Bug 1012051

Summary: Missing self:key write policy crashes IPA installation
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: mmalik, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-03 09:00:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Kosek 2013-09-25 15:35:20 UTC
Description of problem:
IPA server installation crashes due to missing SELinux policy.

All AVCs when installing in permissive mode:
# ausearch -m avc -ts today
----
time->Wed Sep 25 11:33:46 2013
type=SYSCALL msg=audit(1380123226.223:266): arch=c000003e syscall=248 success=yes exit=202370179 a0=7f3f05ac4b2e a1=7f3efc3320d0 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380123226.223:266): avc:  denied  { write } for  pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 11:33:46 2013
type=SYSCALL msg=audit(1380123226.224:267): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=c0fec83 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380123226.224:267): avc:  denied  { read } for  pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 11:33:56 2013
type=SYSCALL msg=audit(1380123236.402:273): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=3cc9d5db a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380123236.402:273): avc:  denied  { read } for  pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 11:33:56 2013
type=SYSCALL msg=audit(1380123236.402:272): arch=c000003e syscall=248 success=yes exit=1019860443 a0=7fbb87a40b2e a1=7fbb96ce2ed0 a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380123236.402:272): avc:  denied  { write } for  pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key


audit2allow:
# ausearch -m avc -ts today | audit2allow 


#============= httpd_t ==============
allow httpd_t self:key { read write };

#============= named_t ==============
allow named_t self:key { write read };


Version-Release number of selected component (if applicable):
policycoreutils-2.1.14-81.el7.x86_64
selinux-policy-3.12.1-80.el7.noarch
ipa-server-3.3.1-5.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server package
2. Run ipa-server-install
3.

Actual results:
Installation crashes in enforcing mode due to SELinux AVCs.

Expected results:
Installation passes.

Additional info:

Comment 2 Scott Poore 2013-09-25 15:51:22 UTC
*** Bug 1012060 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-10-03 08:59:51 UTC
#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t self:key { read write };

#============= named_t ==============

#!!!! This avc is allowed in the current policy
allow named_t self:key { write read };

Comment 4 Miroslav Grepl 2013-10-03 09:00:50 UTC

*** This bug has been marked as a duplicate of bug 1012109 ***