Bug 1366915

Summary:

AVC seen during IdM automatic cert renewal

Product:

Red Hat Enterprise Linux 7

Reporter:

Xiyang Dong <xdong>

Component:

selinux-policy

Assignee:

Lukas Vrabec <lvrabec>

Status:

CLOSED ERRATA

QA Contact:

Milos Malik <mmalik>

Severity:

unspecified

Docs Contact:

Priority:

unspecified

Version:

7.3

CC:

dapospis, dominick.grift, dwalsh, extras-qa, frenaud, lvrabec, mgrepl, mmalik, plautrba, pvoborni, pvrabec, ssekidde, xdong

Target Milestone:

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

selinux-policy-3.13.1-96.el7

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

1365188

Environment:

Last Closed:

2016-11-04 02:37:00 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

1365188

Bug Blocks:

Attachments:

Description	Flags
journalctl.out	none
ausearch_certmonger.out	none
journalctl.out_permissive	none
ausearch_certmonger.out_permissive	none

Description Xiyang Dong 2016-08-14 20:16:58 UTC

+++ This bug was initially created as a clone of Bug #1365188 +++

Description of problem:

IdM is configured with an embedded Certificate Authority. With this configuration, it must automatically renew the certificates used internally by its components.
Certmonger is used to track the certificates stored in /etc/pki/pki-tomcat/alias, succeeds in cert renewal but fails when running the CA helper script because of SElinux policy preventing from updating the file 
/var/lib/pki/pki-tomcat/conf/ca/CS.cfg with the new cert.
This results in certmonger not having the right certificate.

Certmonger is running the script /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit => the script inherits certmonger context, which is certmonger_t

$ ps -efZ | grep certmonger
system_u:system_r:certmonger_t:s0 root     1670      1  0 14:59 ?        00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

The file that cannot be updated is /var/lib/pki/pki-tomcat/conf/ca/CS.cfg, with context pki_tomcat_etc_rw_t:
$ sudo ls -Z /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 /var/lib/pki/pki-tomcat/conf/ca/CS.cfg

Version-Release number of selected component (if applicable):
Fedora release 24 (Twenty Four)
freeipa-server.x86_64     4.4.0.201608050957GIT9dac0a1-0.fc24
selinux-policy.noarch    3.13.1-191.fc24.2
selinux-policy-targeted.noarch 3.13.1-191.fc24.2


How reproducible:
Always

Steps to Reproduce:
1. Install IDM with a self-signed CA:
sudo ipa-server-install --setup-dns \
--auto-forwarders \
--auto-reverse \
-n $DOMAIN \
-r $REALM \
-p Secret123 -a Secret123 \
-U

2. check when the subsystemCert expires
$ sudo getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires

3. stop ntpd and change date to a few days before cert expiration
$ sudo systemctl stop ntpd
$ sudo date -s "2018-07-25 00:00"

4. Certmonger renews the certs, but we can find errors:
$ sudo journalctl -t renew_ca_cert --since "2018-07-25" > ~/journalctl.out
$ sudo ausearch -m avc --start today > ~/ausearch_certmonger.out

The file /var/lib/pki/pki-tomcat/conf/ca/CS.cfg has not been updated with the new cert (line ca.subsystem.cert=...)

Actual results:
AVC errors seen and journal errors for certmonger, file CS.cfg not updated.

Expected results:
No AVC error, file CS.cfg udpated.

Additional info:
Attaching output of journalctl and ausearch.

--- Additional comment from Florence Blanc-Renaud on 2016-08-08 10:55 EDT ---

Comment 2 Xiyang Dong 2016-08-14 22:31:45 UTC

Same issue on:
selinux-policy-3.13.1-93.el7
ipa-server-4.4.0-7.el7

Same steps to reproduce as in comment 1, attached journalctl and ausearch output.

Comment 3 Xiyang Dong 2016-08-14 22:42:18 UTC

Created attachment 1190777 [details]
journalctl.out

Comment 4 Xiyang Dong 2016-08-14 22:44:03 UTC

Created attachment 1190778 [details]
ausearch_certmonger.out

Comment 5 Lukas Vrabec 2016-08-15 15:36:18 UTC

Hi, 

Could you please re-test it in permissive mode? 

Thank you.

Comment 6 Xiyang Dong 2016-08-15 19:15:51 UTC

(In reply to Lukas Vrabec from comment #5)
> Hi, 
> 
> Could you please re-test it in permissive mode? 
> 
> Thank you.

Hi Lukas,
With permissive mode,no journal errors for certmonger , but still seeing AVC errors.See attached files
Thanks

Comment 7 Xiyang Dong 2016-08-15 19:17:30 UTC

Created attachment 1190962 [details]
journalctl.out_permissive

Comment 8 Xiyang Dong 2016-08-15 19:20:20 UTC

Created attachment 1190963 [details]
ausearch_certmonger.out_permissive

Comment 13 Xiyang Dong 2016-08-29 14:00:49 UTC

Still facing same error:
# rpm -q selinux-policy ipa-server
selinux-policy-3.13.1-95.el7.noarch
ipa-server-4.4.0-8.el7.x86_64

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING

# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
	expires: 2018-08-19 01:33:37 UTC
# systemctl stop ntpd
# date -s "2018-08-15 00:00"
Wed Aug 15 00:00:00 EDT 2018
# sleep 60
# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
	expires: 2020-08-04 04:01:04 UTC
# ausearch -m avc --start today > ~/ausearch_certmonger.out
# journalctl -t renew_ca_cert --since "2018-08-15" > ~/journalctl.out

# cat ~/journalctl.out 
-- Logs begin at Sun 2016-08-28 21:24:14 EDT, end at Wed 2018-08-15 00:02:40 EDT. --
Aug 15 00:01:16 mgmt6.testrelm.test renew_ca_cert[20553]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:16 mgmt6.testrelm.test renew_ca_cert[20553]: Traceback (most recent call last):
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
                                                              main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
                                                              _main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
                                                              ca.update_cert_config(nickname, cert)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
                                                              directives[nickname], cert, paths.CA_CS_CFG_PATH)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
                                                              separator='=')
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
                                                              st = os.stat(filename)
                                                          OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:30 mgmt6.testrelm.test renew_ca_cert[20623]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:30 mgmt6.testrelm.test renew_ca_cert[20623]: Traceback (most recent call last):
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
                                                              main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
                                                              _main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
                                                              ca.update_cert_config(nickname, cert)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
                                                              directives[nickname], cert, paths.CA_CS_CFG_PATH)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
                                                              separator='=')
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
                                                              st = os.stat(filename)
                                                          OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:55 mgmt6.testrelm.test renew_ca_cert[20699]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:55 mgmt6.testrelm.test renew_ca_cert[20699]: Traceback (most recent call last):
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
                                                              main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
                                                              _main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
                                                              ca.update_cert_config(nickname, cert)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
                                                              directives[nickname], cert, paths.CA_CS_CFG_PATH)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
                                                              separator='=')
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
                                                              st = os.stat(filename)
                                                          OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:02:35 mgmt6.testrelm.test renew_ca_cert[20873]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:02:35 mgmt6.testrelm.test renew_ca_cert[20873]: Traceback (most recent call last):
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
                                                              main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
                                                              _main()
                                                            File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
                                                              ca.update_cert_config(nickname, cert)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
                                                              directives[nickname], cert, paths.CA_CS_CFG_PATH)
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
                                                              separator='=')
                                                            File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
                                                              st = os.stat(filename)
                                                          OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'

# cat ~/ausearch_certmonger.out
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.167:1402): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.167:1402):  cwd="/"
type=SYSCALL msg=audit(1534305676.167:1402): arch=c000003e syscall=4 success=no exit=-13 a0=4e84ab0 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.167:1402): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.167:1403): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.167:1403):  cwd="/"
type=SYSCALL msg=audit(1534305676.167:1403): arch=c000003e syscall=4 success=no exit=-13 a0=3361210 a1=7ffe5b4a8c70 a2=7ffe5b4a8c70 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.167:1403): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1404): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1404):  cwd="/"
type=SYSCALL msg=audit(1534305676.168:1404): arch=c000003e syscall=4 success=no exit=-13 a0=3361210 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1404): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1405): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1405):  cwd="/"
type=SYSCALL msg=audit(1534305676.168:1405): arch=c000003e syscall=4 success=no exit=-13 a0=4e84ab0 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1405): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1406): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1406):  cwd="/"
type=SYSCALL msg=audit(1534305676.168:1406): arch=c000003e syscall=2 success=no exit=-13 a0=3361210 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1406): avc:  denied  { read } for  pid=20553 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.184:1408): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.184:1408):  cwd="/"
type=SYSCALL msg=audit(1534305676.184:1408): arch=c000003e syscall=4 success=no exit=-13 a0=4e64480 a1=7ffe5b4a90c0 a2=7ffe5b4a90c0 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.184:1408): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1413): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1413):  cwd="/"
type=SYSCALL msg=audit(1534305690.560:1413): arch=c000003e syscall=4 success=no exit=-13 a0=4a9ae40 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1413): avc:  denied  { getattr } for  pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1414): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1414):  cwd="/"
type=SYSCALL msg=audit(1534305690.560:1414): arch=c000003e syscall=4 success=no exit=-13 a0=391cfc0 a1=7ffda2419060 a2=7ffda2419060 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1414): avc:  denied  { getattr } for  pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1415): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1415):  cwd="/"
type=SYSCALL msg=audit(1534305690.560:1415): arch=c000003e syscall=4 success=no exit=-13 a0=391cfc0 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1415): avc:  denied  { getattr } for  pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1416): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1416):  cwd="/"
type=SYSCALL msg=audit(1534305690.560:1416): arch=c000003e syscall=4 success=no exit=-13 a0=4a9ae40 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1416): avc:  denied  { getattr } for  pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1417): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1417):  cwd="/"
type=SYSCALL msg=audit(1534305690.560:1417): arch=c000003e syscall=2 success=no exit=-13 a0=391cfc0 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1417): avc:  denied  { read } for  pid=20623 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.576:1419): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.576:1419):  cwd="/"
type=SYSCALL msg=audit(1534305690.576:1419): arch=c000003e syscall=4 success=no exit=-13 a0=3d88e50 a1=7ffda24194b0 a2=7ffda24194b0 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.576:1419): avc:  denied  { getattr } for  pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1424): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1424):  cwd="/"
type=SYSCALL msg=audit(1534305715.317:1424): arch=c000003e syscall=4 success=no exit=-13 a0=4a45f50 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1424): avc:  denied  { getattr } for  pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1425): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1425):  cwd="/"
type=SYSCALL msg=audit(1534305715.317:1425): arch=c000003e syscall=4 success=no exit=-13 a0=361be20 a1=7ffea2b21570 a2=7ffea2b21570 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1425): avc:  denied  { getattr } for  pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1426): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1426):  cwd="/"
type=SYSCALL msg=audit(1534305715.317:1426): arch=c000003e syscall=4 success=no exit=-13 a0=361be20 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1426): avc:  denied  { getattr } for  pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.318:1427): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.318:1427):  cwd="/"
type=SYSCALL msg=audit(1534305715.318:1427): arch=c000003e syscall=4 success=no exit=-13 a0=4a45f50 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.318:1427): avc:  denied  { getattr } for  pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.318:1428): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.318:1428):  cwd="/"
type=SYSCALL msg=audit(1534305715.318:1428): arch=c000003e syscall=2 success=no exit=-13 a0=361be20 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.318:1428): avc:  denied  { read } for  pid=20699 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.337:1430): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.337:1430):  cwd="/"
type=SYSCALL msg=audit(1534305715.337:1430): arch=c000003e syscall=4 success=no exit=-13 a0=3701f80 a1=7ffea2b219c0 a2=7ffea2b219c0 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.337:1430): avc:  denied  { getattr } for  pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.807:1437): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.807:1437):  cwd="/"
type=SYSCALL msg=audit(1534305755.807:1437): arch=c000003e syscall=4 success=no exit=-13 a0=5895ff0 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.807:1437): avc:  denied  { getattr } for  pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1438): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1438):  cwd="/"
type=SYSCALL msg=audit(1534305755.808:1438): arch=c000003e syscall=4 success=no exit=-13 a0=5505260 a1=7ffc625e4b10 a2=7ffc625e4b10 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1438): avc:  denied  { getattr } for  pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1439): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1439):  cwd="/"
type=SYSCALL msg=audit(1534305755.808:1439): arch=c000003e syscall=4 success=no exit=-13 a0=5505260 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1439): avc:  denied  { getattr } for  pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1440): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1440):  cwd="/"
type=SYSCALL msg=audit(1534305755.808:1440): arch=c000003e syscall=4 success=no exit=-13 a0=5895ff0 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1440): avc:  denied  { getattr } for  pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1441): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1441):  cwd="/"
type=SYSCALL msg=audit(1534305755.808:1441): arch=c000003e syscall=2 success=no exit=-13 a0=5505260 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1441): avc:  denied  { read } for  pid=20873 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.824:1443): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.824:1443):  cwd="/"
type=SYSCALL msg=audit(1534305755.824:1443): arch=c000003e syscall=4 success=no exit=-13 a0=578d3f0 a1=7ffc625e4f60 a2=7ffc625e4f60 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.824:1443): avc:  denied  { getattr } for  pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

Comment 15 Xiyang Dong 2016-09-04 21:48:31 UTC

Verified on selinux-policy-3.13.1-96.el7:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
	expires: 2018-08-25 21:34:30 UTC

# systemctl stop ntpd

# date -s "2018-08-22 00:00"
Wed Aug 22 00:00:00 EDT 2018

# sleep 120

# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
	expires: 2018-08-25 21:34:30 UTC

# journalctl -t renew_ca_cert --since "2018-08-22" > ~/journalctl.out

# ausearch -m avc --start today > ~/ausearch_certmonger.out
<no matches>

# cat ~/ausearch_certmonger.out

# cat ~/journalctl.out 
-- No entries --

Comment 17 errata-xmlrpc 2016-11-04 02:37:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html