Bug 1436434

Summary: Multiple SELinux denials prevent FreeIPA server deployment on F26 and Rawhide
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: rawhide
CC: akurtako, csutherl, danofsatx, dominick.grift, dwalsh, jbwillia, kevin, lvrabec, mboddu, mgrepl, mruckman, nb, ngompa13, plautrba, pmoore, robatino, ssekidde
Hardware: x86_64
OS: Linux
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-249.fc26
Doc Type: If docs needed, set a value
Last Closed: 2017-03-29 05:05:41 UTC
Type: Bug
Bug Blocks: 1349184

Description Adam Williamson 2017-03-27 23:06:24 UTC
Since the 20170322.n.0 compose, FreeIPA server deployment on Rawhide has been failing. I believe this is caused by a bunch of SELinux denials related to the pki-tomcat component:

----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:351): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:350): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.062:352): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:353): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:354): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:355): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:356): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:357): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.199:358): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:359): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:360): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.212:361): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:362): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:363): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:364): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:365): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:366): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:367): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:368): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:369): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:370): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:371): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:372): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:373): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:374): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:375): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.244:376): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:377): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:378): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:379): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:380): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:381): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:382): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:383): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:384): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:385): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:386): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:387): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:388): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:389): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:390): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:391): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:392): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:393): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.280:394): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:395): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:396): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.290:397): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:398): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:399): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:400): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:401): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:402): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:403): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:404): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:405): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.308:406): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:408): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:409): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:410): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:411): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:412): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:413): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.690:414): avc:  denied  { search } for  pid=6109 comm="server" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:415): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:416): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:417): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:418): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:419): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.745:420): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:421): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:422): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:423): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:424): avc:  denied  { search } for  pid=6109 comm="java" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----

There are also denials related to ntpd and useradd / groupadd, which I'll report separately.

Proposing as an F27 Alpha blocker, as a violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" - this affects the domain controller role, which is a release-blocking role.
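A triage helper for a denial list like the one above, added here as an example and not part of the bug report or of the selinux-policy package: it collapses repeated AVC records into distinct (source type, target type, object class, permission) tuples, which is the form a policy maintainer compares against a policy change such as the one that confined tomcat_t. The sample records are constructed in the same format as those quoted above, not the full list from the report.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the bug: a few AVC records plus one
# unrelated SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490653114.061:351): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.197:353): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.631:408): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.857:421): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.857:424): avc:  denied  { search } for  pid=6109 comm="java" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1490653114.857:424): arch=c000003e syscall=4 success=no exit=-13
"""

# One AVC record: decision, the permission set in braces, the process name, both
# security contexts, the object class and (if present) the permissive flag.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """Return the type component (user:role:type:level) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; returns None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "decision": d["decision"],
        "perms": tuple(d["perms"].split()),   # several perms may share one record
        "comm": d["comm"],
        "stype": selinux_type(d["scontext"]),
        "ttype": selinux_type(d["tcontext"]),
        "tclass": d["tclass"],
        # permissive=0 means the denial was enforced; a missing flag is treated as unknown
        "enforcing": d["permissive"] == "0",
    }


def summarize(audit_text):
    """Collapse repeated denials into (stype, ttype, tclass, perm) counts and the comms seen."""
    counts = Counter()
    comms = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            comms.setdefault(key, set()).add(rec["comm"])
    return counts, comms


def allow_rules(counts):
    """Render the distinct denials as TE allow rules for a maintainer to review against the policy."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)


if __name__ == "__main__":
    counts, comms = summarize(SAMPLE_AUDIT)
    for key, n in sorted(counts.items()):
        print(n, key, sorted(comms[key]))
    print("\n".join(allow_rules(counts)))
```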

Comment 1 Adam Williamson 2017-03-27 23:48:40 UTC
Well, fuck. This is actually affecting F26 as well, which makes it an Alpha blocker.

I believe this is the offending change:

- Remove tomcat_t domain from unconfined domains

That is absolutely *not* an appropriate change during Alpha freeze. I did not realize the -147 build made changes beyond fixing the bug approved as an FE, or else I would never have submitted it for stable. *Please* don't make changes beyond those approved as blocker/FE during milestone freezes, or at least never make changes in the 'more restrictive' direction (only 'less restrictive').

We will now need a -148 with tomcat put back in unconfined, I think. As an emergency, as fast as possible. As -147 has been pushed stable now, we cannot just go back to -146. :(

Comment 2 Kevin Fenzi 2017-03-28 00:05:06 UTC
Seems like a pretty clear blocker. ;( +1

Comment 3 Adam Williamson 2017-03-28 00:10:43 UTC
As this is an emergency and no selinux maintainers are around right now, I quickly hacked up builds for rawhide and f26 which should revert tomcat_t to unconfined. Sorry if I made any messes. I'll submit updates and test them later tonight from my laptop, I have to run out right now. If it all works out OK I'll file an RC4 request.

Comment 4 Fedora Update System 2017-03-28 00:43:39 UTC
selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 5 Ben Williams 2017-03-28 02:36:07 UTC
+1 blocker

Comment 6 Adam Williamson 2017-03-28 02:49:41 UTC
That's +3 and this is a pretty obvious one, so setting accepted.

Comment 7 Mohan Boddu 2017-03-28 02:50:35 UTC
+1 Blocker

Comment 8 Dan Mossor [danofsatx] 2017-03-28 02:51:02 UTC
+1 Blocker.

Comment 9 Neal Gompa 2017-03-28 02:58:39 UTC
+1 Blocker

Comment 10 Mike Ruckman 2017-03-28 03:23:13 UTC
+1

Comment 11 Nick Bebout 2017-03-28 12:57:50 UTC
+1 Blocker

Comment 12 Fedora Update System 2017-03-28 17:54:05 UTC
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 13 Fedora Update System 2017-03-29 05:05:41 UTC
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.