Bug 1117739

Summary: Lots of avc denial messages while installing IPA Server
Product: Red Hat Enterprise Linux 6
Reporter: Kaleem <ksiddiqu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: unspecified
Version: 6.6
CC: alee, dwalsh, jcholast, ksiddiqu, mgrepl, mkosek, mmalik, nalin, rcritten, rmainz
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-247.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 08:03:23 UTC
Type: Bug
Bug Blocks: 1123811
Attachments:
- audit log (flags: none)
- audit.log reporting certmonger_t AVC on FreeIPA replica (flags: none)

Description Kaleem 2014-07-09 09:49:34 UTC
Description of problem:
While installing IPA Server a lot of avc denial messages are shown, though this is not a blocker and installation is successful.

Version-Release number of selected component (if applicable):
[root@hp-dl380pgen8-02-vm-4 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-42.el6.x86_64
pki-ca-9.0.3-36.el6.noarch
[root@hp-dl380pgen8-02-vm-4 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server on latest RHEL-6.6 build
2. Look in audit.log

Actual results:
There are a lot of avc denied messages in audit.log

Expected results:
There should not be any avc denied message in audit.log

Additional info:
(1)
[root@hp-dl380pgen8-02-vm-4 ~]# cat /var/log/audit/audit.log |audit2allow 


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@hp-dl380pgen8-02-vm-4 ~]#

Comment 2 Dmitri Pal 2014-07-15 13:10:13 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4438

Comment 3 Martin Kosek 2014-07-18 10:16:56 UTC
Can this be an intermittent SELinux policy/labeling error? (CCing Mirek for reference)

I now tested on my 6.6 instance and there were no AVC after installation:

# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-244.el6.noarch
ipa-server-3.0.0-42.el6.x86_64

# getenforce 
Enforcing

# ipa-server-install -p Secret123 -a Secret123 --setup-dns --forwarder 10.0.0.1
...

# ausearch -m avc -ts today
<no matches>

Would running the test again on an up-to-date system change the outcome?

Comment 4 Kaleem 2014-07-18 11:59:04 UTC
================================================================================
			With selinux-policy-3.7.19-241.el6.noarch:
================================================================================

[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= nscd_t ==============
allow nscd_t var_lib_t:file read;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= postfix_pickup_t ==============
allow postfix_pickup_t postfix_pickup_tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@rhel66-master ~]# 

[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-241.el6.noarch
[root@rhel66-master ~]#

================================================================================
                            With selinux-policy-3.7.19-244.el6.noarch:
================================================================================

[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow


#============= prelink_mask_t ==============
allow prelink_mask_t anon_inodefs_t:file { read write };
allow prelink_mask_t dirsrv_var_log_t:file append;
allow prelink_mask_t httpd_tmp_t:file write;
allow prelink_mask_t inotifyfs_t:dir read;
allow prelink_mask_t sssd_var_log_t:file append;
allow prelink_mask_t tmp_t:file relabelfrom;
allow prelink_mask_t user_devpts_t:chr_file { read write };

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
[root@rhel66-master ~]# 

[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-244.el6.noarch
[root@rhel66-master ~]#

Comment 5 Martin Kosek 2014-07-18 12:01:57 UTC
Thanks. I see the number of AVCs got lower, but there are still some. I will change component to selinux-policy to let Mirek evaluate the bug.

Comment 6 Miroslav Grepl 2014-07-21 10:05:18 UTC
Could you please attach raw AVC msgs?

Comment 7 Miroslav Grepl 2014-07-21 10:06:07 UTC
Also selinux-policy-3.7.19-244.el6.noarch is a release for testing.

Comment 8 Kaleem 2014-07-21 11:13:04 UTC
Created attachment 919608
audit log

Comment 9 Martin Kosek 2014-07-22 14:22:35 UTC
Today, I tested ipa-server-install with selinux-policy-3.7.19-245.el6.noarch and I saw only these 2 AVCs:

# ipa-server-install
# ausearch -m avc -ts today
----
time->Tue Jul 22 22:07:23 2014
type=SYSCALL msg=audit(1406081243.019:3131): arch=c000003e syscall=4 success=no exit=-13 a0=7f25901d1f80 a1=7f2599095e20 a2=7f2599095e20 a3=18 items=0 ppid=1 pid=20308 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081243.019:3131): avc:  denied  { search } for  pid=20308 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
time->Tue Jul 22 22:08:34 2014
type=SYSCALL msg=audit(1406081314.224:3140): arch=c000003e syscall=4 success=no exit=-13 a0=7f04dc1d1be0 a1=7f04e4bfce20 a2=7f04e4bfce20 a3=18 items=0 ppid=1 pid=20768 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081314.224:3140): avc:  denied  { search } for  pid=20768 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir

# ausearch -m avc -ts today | audit2allow 


#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir search;
# ausearch -m avc -ts today

Ade, doesn't it also require a fix in PKI SELinux policy? I think we discussed it lately as well.

Comment 10 Milos Malik 2014-07-23 17:08:14 UTC
One of our TCs triggers the same AVC as mentioned in comment#9:
----
time->Tue Jul 22 19:22:17 2014
type=PATH msg=audit(1406049737.747:722): item=0 name="/var/cache/tomcat6/temp" inode=132332 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406049737.747:722):  cwd="/var/lib"
type=SYSCALL msg=audit(1406049737.747:722): arch=40000003 syscall=195 success=no exit=-13 a0=6c34ee80 a1=b77699d0 a2=c96ff4 a3=b7606928 items=1 ppid=1 pid=11580 auid=4294967295 uid=487 gid=485 euid=487 suid=487 fsuid=487 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406049737.747:722): avc:  denied  { search } for  pid=11580 comm="java" name="tomcat6" dev=dm-0 ino=132332 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment 11 Lukas Vrabec 2014-07-28 09:13:34 UTC
Hi Martin, 

Yes, this AVC must be fixed in the pki-selinux package; we don't ship this policy in rhel6.

Comment 12 Martin Kosek 2014-07-28 10:20:12 UTC
Ok, I will clone this Bugzilla also for PKI.

Comment 13 Lukas Vrabec 2014-07-28 10:27:37 UTC
Thank you!

Comment 14 Miroslav Grepl 2014-07-29 08:54:14 UTC

*** This bug has been marked as a duplicate of bug 1103674 ***

Comment 15 Martin Kosek 2014-07-29 10:27:24 UTC
I investigated FreeIPA in a more advanced workflow (with selinux-policy-3.7.19-246.el6.noarch) and found additional AVCs.

This happens only in a certificate renewal operation on a FreeIPA/PKI replica, after the certificate is renewed on FreeIPA/PKI master server:

# getcert resubmit -i 20140728233924
Resubmitting "20140728233924" to "dogtag-ipa-retrieve-agent-submit".
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: PRE_SAVE_CERT
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-17 22:35:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-18 22:16:33 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes

The operation only succeeded because I had SELinux in permissive mode.

# cat /var/log/audit/audit.log | audit2allow 


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'file' of the following types:
# dirsrv_config_t, certmonger_var_lib_t, certmonger_var_run_t, cert_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t var_run_t:file { setattr read lock create write getattr unlink open };

#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir { search getattr };


Jan, do you know what the difference is? Why does certmonger need to access var_run_t while on the server it does not?

Comment 16 Jan Cholasta 2014-07-29 10:59:57 UTC
No idea. Could you please retry in enforcing mode?

Comment 17 Martin Kosek 2014-07-29 13:42:45 UTC
I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and SELinux does not like it:

type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for  pid=3544 comm="dogtag-ipa-retr"  path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:        certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

CCing Nalin for reference. This looks like a place where certmonger works with the CCACHE, I assume it should be allowed or have an own context. I will attach whole audit.log from my FreeIPA PKI clone renewal testing.

Comment 18 Martin Kosek 2014-07-29 13:43:15 UTC
Created attachment 922154
audit.log reporting certmonger_t AVC on FreeIPA replica

Comment 19 Miroslav Grepl 2014-07-29 14:18:00 UTC
What does

# rpm -qf /var/run/certmonger

We don't have a label for the dir in the policy.

Comment 20 Martin Kosek 2014-07-29 14:34:53 UTC
# rpm -qf /var/run/certmonger
certmonger-0.75.8-1.el6.x86_64

Comment 21 Nalin Dahyabhai 2014-07-29 17:01:18 UTC
(In reply to Martin Kosek from comment #17)
> I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and
> SELinux does not like it:
> 
> type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for 
> pid=3544 comm="dogtag-ipa-retr" 
> path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171
> scontext=unconfined_u:system_r:        certmonger_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> 
> CCing Nalin for reference. This looks like a place where certmonger works
> with the CCACHE, I assume it should be allowed or have an own context. I
> will attach whole audit.log from my FreeIPA PKI clone renewal testing.

It looks like dogtag-ipa-retrieve-agent-submit is creating a cache for its use under $TMPDIR, which certmonger sets to /var/run/certmonger.  It could use an in-memory cache (type "MEMORY" instead of type "FILE") and save itself the work of cleaning up the cache when it's done.

Comment 22 Martin Kosek 2014-07-30 06:57:07 UTC
Ah, I see:

./install/certmonger/dogtag-ipa-retrieve-agent-submit:
...
# Update or add it
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
try:
...
    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
...
finally:
    shutil.rmtree(tmpdir)

Jan, can we change it to MEMORY CCACHE? This is apparently IPA specific operation, so I do not think we need to add this rule to global SELinux policy. If yes, I will move this to IPA component and get the ACKs.

Comment 23 Jan Cholasta 2014-07-30 07:14:26 UTC
We could, but IMO /var/run/certmonger should be labelled correctly as certmonger_var_run_t anyway, since it is in fact owned by certmonger, right? Someone might use their own CA helper and/or pre-/post-save scripts which create temporary files and end up in the same situation.

Comment 24 Martin Kosek 2014-07-30 07:18:41 UTC
True, both approaches would work for me. Mirek, I will leave that up to you if you are OK adding a new context for certmonger and thus enabling other potential scripting for certmonger.

Comment 25 Miroslav Grepl 2014-07-30 07:36:26 UTC
commit ec004f7709aea4ee2aa5f75a7a6626cc39f41fea
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jul 29 15:58:39 2014 +0200

    Fix labaling for /var/run/certmonger.

Comment 27 Miroslav Grepl 2014-07-30 08:50:45 UTC
Yes. The fix is a part of this release.

Comment 28 Martin Kosek 2014-07-30 10:10:08 UTC
Great, it works:

# rpm -q selinux-policy
selinux-policy-3.7.19-247.el6.noarch
# ls -laZ /var/run/certmonger
drwxr-xr-x. root root system_u:object_r:certmonger_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   ..
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .config
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .ipa
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .pki

This bug is therefore fixed and only the Bug 1123811 (pki-core) remains.
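
Added example (not part of the bug report, and not code from any commenter or from the selinux-policy project): a small Python triage script for raw AVC records like those requested in comment 6. It keeps the object path that audit2allow drops and flags denials whose target carries a catch-all type, the pattern that led to relabeling /var/run/certmonger instead of adding an allow rule. The sample records are constructed from the ones quoted in this report; the GENERIC_TYPES list and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC records quoted in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for  pid=3544 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1406678726.743:281): avc:  denied  { read open } for  pid=3544 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1406081243.019:3131): arch=c000003e syscall=4 success=no exit=-13 comm="java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081243.019:3131): avc:  denied  { search } for  pid=20308 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)
# Only quoted path=/name= values are captured; hex-encoded ones are skipped.
OBJ_RE = re.compile(r'\b(?:path|name)="(?P<obj>[^"]*)"')

# Assumption: catch-all types that a daemon's private files should not carry.
GENERIC_TYPES = {"tmp_t", "var_run_t", "var_lib_t", "lib_t", "var_t", "etc_t", "usr_t"}


def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), keeping objects."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not match:
            continue
        key = (sel_type(match["scon"]), sel_type(match["tcon"]), match["tclass"])
        groups[key]["perms"].update(match["perms"].split())
        obj = OBJ_RE.search(line)
        if obj:
            groups[key]["objects"].add(obj["obj"])
    return groups


def triage(groups):
    """Return (rule, objects, verdict) rows sorted by source type."""
    rows = []
    for (src, tgt, cls), group in sorted(groups.items()):
        perms = " ".join(sorted(group["perms"]))
        rule = f"allow {src} {tgt}:{cls} {{ {perms} }};"
        # A generic target type usually means the file is mislabeled.
        verdict = "check file labeling first" if tgt in GENERIC_TYPES else "policy rule candidate"
        rows.append((rule, sorted(group["objects"]), verdict))
    return rows


if __name__ == "__main__":
    for rule, objects, verdict in triage(summarize(SAMPLE_LOG)):
        print(f"{verdict}: {rule}  <- {', '.join(objects)}")
```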

Comment 29 Milos Malik 2014-08-01 09:33:46 UTC
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-247.el6.noarch
selinux-policy-3.7.19-247.el6.noarch
#
----
time->Fri Aug  1 11:14:53 2014
type=PATH msg=audit(1406884493.073:117): item=0 name="/var/cache/tomcat6/temp" inode=2093647 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406884493.073:117):  cwd="/var/lib"
type=SYSCALL msg=audit(1406884493.073:117): arch=c000003e syscall=4 success=no exit=-13 a0=7f4e301a6570 a1=7f4e35fb0e20 a2=7f4e35fb0e20 a3=18 items=1 ppid=1 pid=3937 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406884493.073:117): avc:  denied  { search } for  pid=3937 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment 30 Milos Malik 2014-08-01 09:51:28 UTC
The same automated TC, the same machine, but in permissive mode:
----
time->Fri Aug  1 11:34:56 2014
type=PATH msg=audit(1406885696.891:163): item=0 name="/var/cache/tomcat6/temp" inode=2093649 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406885696.891:163):  cwd="/var/lib"
type=SYSCALL msg=audit(1406885696.891:163): arch=c000003e syscall=4 success=yes exit=0 a0=7f8c941e2080 a1=7f8c98a57e20 a2=7f8c98a57e20 a3=18 items=1 ppid=1 pid=9317 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406885696.891:163): avc:  denied  { getattr } for  pid=9317 comm="java" path="/var/cache/tomcat6/temp" dev=dm-0 ino=2093649 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406885696.891:163): avc:  denied  { search } for  pid=9317 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment 31 Martin Kosek 2014-08-01 10:34:46 UTC
These AVCs are being fixed in Bug 1123811 (as the problem is not in system SELinux policy).

Current development build of pki-core I tested removed them both.

Comment 34 errata-xmlrpc 2014-10-14 08:03:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html