Bug 1027285

Summary: SELinux AVC denials for pki
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: ksiddiqu, mgregg, mkosek, mmalik, mniranja, nkinder, nsoman, sgoveas
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.12.1-104.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:32:34 UTC
Type: Bug

Description Steeve Goveas 2013-11-06 13:24:59 UTC
Description of problem:
AVC denials found during IPA installation

Version-Release number of selected component (if applicable):
[root@hp-z600-01 ~]# rpm -q ipa-server
ipa-server-3.3.2-1.el7.x86_64

[root@hp-z600-01 ~]# rpm -q selinux-policy
selinux-policy-3.12.1-95.el7.noarch


How reproducible:
always

Steps to Reproduce:
[root@hp-z600-01 ~]# ll -Z /tmp
>>drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-D9dn29
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-HbzcnF
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-hCeAVu
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log

[root@hp-z600-01 ~]# ipa-server-install -U -r testrelm.com -p Secret123 -a Secret123 --setup-dns --forwarder 10.16.36.29

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
...
..
.
.
<truncated>

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39

Actual results:

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39
----
time->Wed Nov  6 07:17:53 2013
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:282): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f6ea0015e70 a2=90800 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:283): arch=c000003e syscall=2 success=no exit=-13 a0=7f6ea0015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:286): arch=c000003e syscall=2 success=no exit=-13 a0=7f62180159e0 a1=242 a2=180 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:286): avc:  denied  { write } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.860:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fcaf4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.860:288): avc:  denied  { read } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:285): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f62180159c0 a2=90800 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:285): avc:  denied  { read } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.861:289): arch=c000003e syscall=2 success=no exit=-13 a0=7fcaf4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.861:289): avc:  denied  { write } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:292): arch=c000003e syscall=2 success=no exit=-13 a0=7f77480159e0 a1=242 a2=180 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:292): avc:  denied  { write } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:294): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1ac4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:294): avc:  denied  { read } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f1ac4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:295): avc:  denied  { write } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:291): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f77480159c0 a2=90800 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:291): avc:  denied  { read } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.795:304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f89c00159c0 a2=90800 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.795:304): avc:  denied  { read } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.796:305): arch=c000003e syscall=2 success=no exit=-13 a0=7f89c00159e0 a1=242 a2=180 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.796:305): avc:  denied  { write } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:308): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f5274015e70 a2=90800 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:308): avc:  denied  { read } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:309): arch=c000003e syscall=2 success=no exit=-13 a0=7f5274015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:309): avc:  denied  { write } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:319): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:320): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Expected results:
No AVC denials found

Additional info:
* No AVC denials were found after changing the context:
# cd /tmp
# chcon -t tmp_t hsperf*
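A triage helper, added here and not part of the bug report: it parses `type=AVC` records like the ones above, groups them by source domain, target type, object class and file name, and prints the `allow` rule they would need, so a policy maintainer can see at a glance that every denial is the same pair (`pki_tomcat_t` on a `rpm_script_tmp_t` directory) and that a relabel or file transition is the more appropriate fix than a blanket allow. The sample records are copied from this report; the `TRANSIENT_TMP_TYPES` set is my own assumption about which labels indicate a scriptlet-created leftover.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records and one USER_AVC notice copied from the report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1383740552.857:319): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Only kernel AVC denials carry the "{ perms } for key=value..." layout we parse.
AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: labels that a package scriptlet leaves on files it creates under /tmp.
# A denial against one of these usually means the object is mislabeled, not that
# the subject domain legitimately needs that type.
TRANSIENT_TMP_TYPES = {"rpm_script_tmp_t", "rpm_tmp_t"}


def parse_avc(line):
    """Return a dict for a kernel AVC denial line, or None for anything else."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "name": fields.get("name"),
        "comm": fields.get("comm"),
    }


def selinux_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class, name) -> sorted permission list."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"], rec["name"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rule(key, perms):
    """Render the policy rule that would silence this group (for comparison, not as the fix)."""
    sdom, ttype, tclass, _ = key
    return f"allow {sdom} {ttype}:{tclass} {{ {' '.join(perms)} }};"


def likely_mislabel(key):
    """True when the target type is a scriptlet leftover, suggesting relabel/file transition."""
    return key[1] in TRANSIENT_TMP_TYPES


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_AUDIT).items():
        verdict = "relabel/filetrans" if likely_mislabel(key) else "review allow"
        print(f"{key[3]}: {allow_rule(key, perms)}  -> {verdict}")
```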

Comment 2 Miroslav Grepl 2013-11-06 13:52:37 UTC
This is a weird issue. Basically this directory is created by Java in the post install so we are not able to control the labeling.

I guess there is no way to tell Java to create this directory in a different location, right?

Comment 3 Steeve Goveas 2013-11-08 12:19:03 UTC
The directory is created while installing java-1.7.0-openjdk and its dependencies rhino, jline, and java-1.7.0-openjdk-headless; not sure if the location of its creation can be controlled.

[root@hp-z600-01 ~]# ll /tmp/ -Z
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

[root@hp-z600-01 ~]#  yum install java-1.7.0-openjdk -y

======================================================================================================================================================
 Package                                      Arch                    Version                                    Repository                      Size
======================================================================================================================================================
Installing:
 java-1.7.0-openjdk                           x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                         205 k
Installing for dependencies:
 java-1.7.0-openjdk-headless                  x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                          25 M
 jline                                        noarch                  1.0-7.el7                                  beaker-Server                   70 k
 rhino                                        noarch                  1.7R4-3.el7                                beaker-Server                  1.0 M

Transaction Summary
======================================================================================================================================================

[root@hp-z600-01 ~]# ll /tmp/ -Z
drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

Comment 4 Martin Kosek 2013-11-20 15:15:06 UTC
This seems like a general JDK issue, see for example https://bugzilla.redhat.com/show_bug.cgi?id=917843#c6. Also adding Nathan so he knows about this one.

Comment 5 Miroslav Grepl 2013-11-20 15:20:53 UTC
We can add a filename transition rule for this.

I mean for hsperfdata_root. We just need to select the correct label which is probably user_tmp_t.

   allow pki_tomcat_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow pki_tomcat_t user_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

Comment 6 Miroslav Grepl 2013-11-20 15:23:11 UTC
Could you guys test it with this label?

# chcon -R -t user_tmp_t /tmp/hsperfdata_root

Comment 7 Miroslav Grepl 2013-11-21 10:03:09 UTC
commit 0290b27e98dd229bf05f94233ac08924b2b52d6a
Author: Dan Walsh <dwalsh>
Date:   Fri Nov 15 13:33:18 2013 -0500

    Label hsperfdata_root as tmp_t

Comment 8 Michael Gregg 2013-12-13 19:36:34 UTC
This still seems to be an issue as of 

/sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR:

time->Fri Dec 13 14:00:23 2013
type=SYSCALL msg=audit(1386961223.120:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1b44008590 a2=90800 a3=0 items=0 ppid=1 pid=14474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961223.120:125): avc:  denied  { read } for  pid=14474 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:142): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f7168008160 a2=90800 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:142): avc:  denied  { read } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:143): arch=c000003e syscall=2 success=no exit=-13 a0=7f7168008180 a1=242 a2=180 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:143): avc:  denied  { write } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.141:147): arch=c000003e syscall=2 success=no exit=-13 a0=7f48bc0085b0 a1=242 a2=180 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.141:147): avc:  denied  { write } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.140:146): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f48bc008590 a2=90800 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.140:146): avc:  denied  { read } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

I will try a run again with "chcon -R -t user_tmp_t /tmp/hsperfdata_root"

Comment 9 Michael Gregg 2013-12-13 21:19:44 UTC
I confirmed that running the following before ipa-install is a work-around for this BZ:

mkdir /tmp/hsperfdata_root
chcon -R -t user_tmp_t /tmp/hsperfdata_root

Comment 11 Michael Gregg 2013-12-23 19:51:07 UTC
As of ipa-server-3.3.3-6.el7.x86_64 I no longer need to utilize the work-around.

Comment 12 Ludek Smid 2014-06-13 09:32:34 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.