Bug 1012060

Summary: RHEL7 ipa-server-install AVC denials for httpd_t and named_t write key
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-25 15:51:21 UTC

Description Scott Poore 2013-09-25 15:48:28 UTC
Description of problem:

I'm seeing AVC denials during ipa-server-install:

[root@rhel7-1 etc]# ausearch -m avc 
----
time->Wed Sep 25 09:28:13 2013
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc:  denied  { write } for  pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.264:569): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd780890a0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.264:569): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:571): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77910bd0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:571): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.266:572): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.266:572): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:573): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7784e720 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:573): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:574): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77458510 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:574): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:575): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77460340 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:575): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:576): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd778082b0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:576): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key

[root@rhel7-1 etc]# cat /var/log/audit/audit.log | audit2allow 


#============= httpd_t ==============
allow httpd_t self:key write;

#============= named_t ==============
allow named_t self:key write;


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch


How reproducible:
always

Steps to Reproduce:
1.  ipa-server-install

Actual results:
AVC denials cause ipa-server-install to fail during the ipa-client-install run at the end. The AVC denials are listed above.

Expected results:
no AVCs during ipa-server-install

Additional info:

/var/log/ipaserver-install shows this:

2013-09-25T14:28:15Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com
2013-09-25T14:29:20Z DEBUG Process finished, return code=1
2013-09-25T14:29:20Z DEBUG stdout=

2013-09-25T14:29:20Z DEBUG stderr=Hostname: rhel7-1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel7-1.testrelm.com
BaseDN: dc=testrelm,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 752, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 'https://rhel7-1.testrelm.com/ipa/xml': Internal Server Error

2013-09-25T14:29:20Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1217, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2013-09-25T14:29:20Z DEBUG The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com' returned non-zero exit status 1
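
The two audit2allow rules in the report summarize the AVC records shown there. As an added example (not code from this report, from FreeIPA or from selinux-policy), the Python script below does the same triage step explicitly: it joins each AVC record with its SYSCALL record on the audit event id, decodes syscall 248 under arch=c000003e as add_key from the x86_64 syscall table, and renders audit2allow-style allow rules, so whoever reads the denial can see which operation each domain was refused before deciding whether the fix belongs in the distribution policy (as happened here via the duplicate bug) or in a local module. The sample input is two AVC/SYSCALL pairs copied from the ausearch output above; the X86_64_SYSCALLS table and all function names are this example's own.

```python
"""Triage SELinux AVC denials the way audit2allow summarizes them.

Added example for this bug report; not ipa or selinux-policy code.
Parses raw audit records (type=AVC / type=SYSCALL), joins them on the
audit event id, and renders audit2allow-style allow rules so the denied
operation can be reviewed before any policy change is made.
"""
import re
from collections import defaultdict

# Two AVC/SYSCALL pairs copied from the ausearch output in the report (one per domain).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc:  denied  { write } for  pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
"""

# Subset of the x86_64 syscall table (arch=c000003e): only the keyring calls
# that can produce a tclass=key denial. Table name is this example's own.
X86_64_SYSCALLS = {248: "add_key", 249: "request_key", 250: "keyctl"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.:]+)\): avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<event>[\d.:]+)\): arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    return d


def parse_syscall(line):
    """Parse one type=SYSCALL record; decode the syscall number only for x86_64."""
    m = SYSCALL_RE.search(line)
    if not m:
        return None
    nr = int(m.group("nr"))
    name = X86_64_SYSCALLS.get(nr, str(nr)) if m.group("arch") == "c000003e" else str(nr)
    return {"event": m.group("event"), "syscall": name}


def summarize(log_text):
    """Join denied AVC records with their SYSCALL record; group by (source, target, class)."""
    syscalls = {}
    rules = defaultdict(lambda: {"perms": set(), "syscalls": set()})
    for line in log_text.splitlines():
        sc = parse_syscall(line)
        if sc:
            syscalls[sc["event"]] = sc["syscall"]
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc["decision"] != "denied":
            continue
        src = selinux_type(avc["scontext"])
        tgt = selinux_type(avc["tcontext"])
        # audit2allow writes "self" when source and target type coincide
        target = "self" if src == tgt else tgt
        entry = rules[(src, target, avc["tclass"])]
        entry["perms"].update(avc["perms"])
        entry["syscalls"].add(syscalls.get(avc["event"], "unknown"))
    return rules


def render_allow_rules(log_text):
    """Render audit2allow-style rules, e.g. 'allow httpd_t self:key write;'."""
    out = []
    for (src, tgt, cls), entry in sorted(summarize(log_text).items()):
        perms = " ".join(sorted(entry["perms"]))
        if len(entry["perms"]) > 1:
            perms = "{ %s }" % perms
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, perms))
    return out


def denied_syscalls(log_text):
    """Map each source domain to the sorted list of syscall names that were denied."""
    result = defaultdict(set)
    for (src, _, _), entry in summarize(log_text).items():
        result[src].update(entry["syscalls"])
    return {src: sorted(names) for src, names in result.items()}


if __name__ == "__main__":
    for rule in render_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    print(denied_syscalls(SAMPLE_AUDIT_LOG))
```

Run against the report's own records this yields the same two rules audit2allow printed and additionally shows that both httpd_t and named_t were refused add_key on a keyring labelled with their own type, which is why the rule reads `self:key write`. Feeding `ausearch -m avc` output through a script like this gives the syscall name alongside the rule, which audit2allow alone does not print, and is the piece of context worth having before any `allow` rule is loaded.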

Comment 1 Scott Poore 2013-09-25 15:51:21 UTC

*** This bug has been marked as a duplicate of bug 1012051 ***