Bug 1436689
| Summary: | AVC denials during ipa-server-install | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Varun Mylaraiah <mvarun> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Abhijeet Kasurde <akasurde> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.4 | CC: | aakkiang, akasurde, cheimes, herrold, jpazdziora, ksiddiqu, lvrabec, mbabinsk, mbasti, mgrepl, mmalik, mreznik, mvarun, ndehadra, plautrba, ppicka, pvoborni, pvomacka, pvrabec, rcritten, slaznick, spoore, ssekidde, ssorce, sumenon, tscherf, wibrown | ||||
| Target Milestone: | rc | Keywords: | Regression, TestBlocker | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1443557 (view as bug list) | Environment: | |||||
| Last Closed: | 2017-08-01 15:24:23 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1443557 | ||||||
I reported https://bugzilla.redhat.com/show_bug.cgi?id=1438814 while verifying this, but I think the denials seen in https://bugzilla.redhat.com/show_bug.cgi?id=1438814#c0 should be fixed in this bug and we should close 1438814 as a duplicate of this bug. Correct me if I am wrong here.

Kaleem, You are right. I'll provide new build ASAP.

*** Bug 1438814 has been marked as a duplicate of this bug. ***

What is the correct Fixed In Version?

Jan, It will be fixed in -139. Builds will be available today.

*** Bug 1439187 has been marked as a duplicate of this bug. ***

Still seeing avc denied
selinux-policy version
======================
selinux-policy-3.13.1-140.el7.noarch
[root@auto-hv-02-guest05 ~]# cat /var/log/audit/audit.log|audit2allow
#============= sendmail_t ==============
allow sendmail_t sysctl_net_t:file { getattr open read };
#============= tomcat_t ==============
allow tomcat_t ipa_var_lib_t:dir getattr;
allow tomcat_t pki_tomcat_cert_t:lnk_file { read rename unlink };
[root@auto-hv-02-guest05 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Thu Apr 6 13:00:00 2017
type=PATH msg=audit(1491498000.026:403): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491498000.026:403): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.026:403): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.026:403): avc: denied { getattr } for pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr 6 13:00:00 2017
type=PATH msg=audit(1491498000.033:404): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491498000.033:404): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.033:404): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:404): avc: denied { read } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 13:00:00 2017
type=PATH msg=audit(1491498000.033:405): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491498000.033:405): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491498000.033:405): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491498000.033:405): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491498000.033:405): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.033:405): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054010d40 a1=7f405400f4d0 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:405): avc: denied { rename } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 13:00:00 2017
type=PATH msg=audit(1491498000.034:406): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491498000.034:406): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491498000.034:406): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.034:406): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054010d40 a1=7f40540193c8 a2=0 a3=7f4022ef3050 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.034:406): avc: denied { unlink } for pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 15:09:33 2017
type=PATH msg=audit(1491505773.319:456): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491505773.319:456): cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491505773.319:456): arch=c000003e syscall=2 success=yes exit=13 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491505773.319:456): avc: denied { open } for pid=27411 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491505773.319:456): avc: denied { read } for pid=27411 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr 6 15:09:33 2017
type=SYSCALL msg=audit(1491505773.319:457): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fff09eba880 a2=7fff09eba880 a3=0 items=0 ppid=1126 pid=27411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491505773.319:457): avc: denied { getattr } for pid=27411 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr 6 17:00:00 2017
type=PATH msg=audit(1491512400.016:493): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491512400.016:493): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.016:493): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.016:493): avc: denied { getattr } for pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr 6 17:00:00 2017
type=PATH msg=audit(1491512400.021:494): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491512400.021:494): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:494): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:494): avc: denied { read } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 17:00:00 2017
type=PATH msg=audit(1491512400.021:495): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491512400.021:495): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491512400.021:495): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491512400.021:495): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491512400.021:495): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:495): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054011990 a1=7f40540119d0 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:495): avc: denied { rename } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 17:00:00 2017
type=PATH msg=audit(1491512400.021:496): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491512400.021:496): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491512400.021:496): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:496): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054011990 a1=7f40540193c8 a2=0 a3=7f4061052440 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:496): avc: denied { unlink } for pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 18:09:31 2017
type=PATH msg=audit(1491516571.970:532): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491516571.970:532): cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491516571.970:532): arch=c000003e syscall=2 success=yes exit=10 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491516571.970:532): avc: denied { open } for pid=27515 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491516571.970:532): avc: denied { read } for pid=27515 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr 6 18:09:31 2017
type=SYSCALL msg=audit(1491516571.970:533): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff09ec3590 a2=7fff09ec3590 a3=0 items=0 ppid=1126 pid=27515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491516571.970:533): avc: denied { getattr } for pid=27515 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr 6 21:00:00 2017
type=PATH msg=audit(1491526800.016:590): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491526800.016:590): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.016:590): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.016:590): avc: denied { getattr } for pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr 6 21:00:00 2017
type=PATH msg=audit(1491526800.021:591): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491526800.021:591): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:591): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:591): avc: denied { read } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 21:00:00 2017
type=PATH msg=audit(1491526800.021:592): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491526800.021:592): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491526800.021:592): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491526800.021:592): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491526800.021:592): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:592): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054012010 a1=7f4054012050 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:592): avc: denied { rename } for pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 21:00:00 2017
type=PATH msg=audit(1491526800.021:593): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491526800.021:593): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491526800.021:593): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:593): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054012010 a1=7f40540193c8 a2=0 a3=7f4061052440 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:593): avc: denied { unlink } for pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr 6 22:09:32 2017
type=PATH msg=audit(1491530972.022:622): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491530972.022:622): cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491530972.022:622): arch=c000003e syscall=2 success=yes exit=10 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491530972.022:622): avc: denied { open } for pid=27660 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491530972.022:622): avc: denied { read } for pid=27660 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr 6 22:09:32 2017
type=SYSCALL msg=audit(1491530972.022:623): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff09ec3590 a2=7fff09ec3590 a3=0 items=0 ppid=1126 pid=27660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491530972.022:623): avc: denied { getattr } for pid=27660 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
Still seeing AVC denied

selinux-policy version
======================
selinux-policy-3.13.1-141.el7.noarch

Log
===
http://lab-02.rhts.eng.bos.redhat.com/beaker/logs/results/266218+/266218664/test_log-ipa-install-topo-default-master-install-Master-in-Default-Topology-avc.log

*** Bug 1438937 has been marked as a duplicate of this bug. ***

*** Bug 1439137 has been marked as a duplicate of this bug. ***

*** Bug 1439179 has been marked as a duplicate of this bug. ***

*** Bug 1417846 has been marked as a duplicate of this bug. ***

Created attachment 1272470
AVC denials
Seeing AVC denials for /var/run/ipa/krb5cc_oddjob_trusts while running trust suites.
Martin, ipasession.key is not a session token, it is the key used to encrypt all ipa session cookies. So it cannot be stored in /var/run or sessions will be invalidated if the server is rebooted during maintenance. We could move the key to /var/lib/ipa/something I guess, but /etc/httpd/alias is where we stored long term keys before (certs and keytab) so it seemed the appropriate place for this key.

The question is if /etc should be writable by the process configured with information in /etc. Yes, /etc unlike /usr does not have to be read-only but it should hold configuration which is produced by some tools, and consumed by others. Not serve as read-write data and state storage for applications. I guess that's the difference against certs and keytabs that are only read by the Web application and managed by ipa-server-install or certmonger, separately from httpd_t.

About #49: /var/lib/ipa/gssproxy/http.keytab is moved using python code from /etc/httpd/alias during upgrades.

About #50: Although I understand your preference I would rather not move the key now to avoid too much churn upstream, which could introduce further issues, and use the second solution.

*** Bug 1444864 has been marked as a duplicate of this bug. ***

*** Bug 1443557 has been marked as a duplicate of this bug. ***

*** Bug 1451695 has been marked as a duplicate of this bug. ***

*** Bug 1449735 has been marked as a duplicate of this bug. ***

We would need SELinux policy updates for incoming ipa-server build due to re-structuring CA certificate access for KDC service (see the following AVCs):
'''
----
type=PROCTITLE msg=audit(05/24/2017 12:36:39.901:596) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
type=PATH msg=audit(05/24/2017 12:36:39.901:596) : item=0 name=/var/lib/ipa-client/pki/kdc-ca-bundle.pem objtype=UNKNOWN
type=CWD msg=audit(05/24/2017 12:36:39.901:596) : cwd=/
type=SYSCALL msg=audit(05/24/2017 12:36:39.901:596) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x559eb83a5e55 a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=8146 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(05/24/2017 12:36:39.901:596) : avc: denied { search } for pid=8146 comm=krb5kdc name=ipa-client dev="dm-0" ino=50387022 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir
----
type=PROCTITLE msg=audit(05/24/2017 12:37:15.870:601) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
type=PATH msg=audit(05/24/2017 12:37:15.870:601) : item=0 name=/etc/selinux/config inode=50485346 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 objtype=NORMAL
type=CWD msg=audit(05/24/2017 12:37:15.870:601) : cwd=/
type=SYSCALL msg=audit(05/24/2017 12:37:15.870:601) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f9981ce205b a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=8158 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(05/24/2017 12:37:15.870:601) : avc: denied { open } for pid=8158 comm=krb5kdc path=/etc/selinux/config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(05/24/2017 12:37:15.870:601) : avc: denied { read } for pid=8158 comm=krb5kdc name=config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
type=PROCTITLE msg=audit(05/24/2017 12:37:15.870:602) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
type=SYSCALL msg=audit(05/24/2017 12:37:15.870:602) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7fffefa1cd90 a2=0x7fffefa1cd90 a3=0x8 items=0 ppid=1 pid=8158 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(05/24/2017 12:37:15.870:602) : avc: denied { getattr } for pid=8158 comm=krb5kdc path=/etc/selinux/config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
'''
Should I open a separate BZ for that?
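
A triage sketch for AVC records like the ones quoted in this report, added here as an example (not code from the commenters or from selinux-policy): it joins each AVC record with the SYSCALL record of the same event and collapses them into audit2allow-style lines, marking the rules whose syscall actually failed, because once an access is blocked the denials that would have followed it are never logged. The sample records are abridged from this page and constructed for the example; treating `success=no` as "blocked" when the AVC record carries no `permissive=` field is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the ones quoted in this report,
# two events in raw ausearch format and one in interpreted (ausearch -i) format.
SAMPLE = """\
----
time->Thu Apr 6 13:00:00 2017
type=SYSCALL msg=audit(1491498000.033:405): arch=c000003e syscall=82 success=yes exit=0 pid=23553 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:405): avc: denied { rename } for pid=23553 comm="java" name="MasterCRL.bin" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
type=SYSCALL msg=audit(1491498000.034:406): arch=c000003e syscall=87 success=yes exit=0 pid=23553 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.034:406): avc: denied { unlink } for pid=23553 comm="java" name="MasterCRL.bin.old" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
type=SYSCALL msg=audit(05/24/2017 12:36:39.901:596) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) pid=8146 comm=krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(05/24/2017 12:36:39.901:596) : avc: denied { search } for pid=8146 comm=krb5kdc name=ipa-client scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir
"""

# "type=X msg=audit(<stamp>:<serial>): body" (raw) or "... ) : body" (ausearch -i)
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\)\s*:\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")


def fields(text):
    """Parse key=value pairs; values are quoted in raw output, bare with -i."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(text)}


def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_events(log_text):
    """Group SYSCALL and AVC records that share one audit event stamp."""
    events = defaultdict(lambda: {"syscall": None, "denials": []})
    for line in log_text.splitlines():
        record = RECORD_RE.match(line.strip())
        if not record:
            continue  # "----" separators and "time->" lines
        rtype, stamp, body = record.groups()
        if rtype == "SYSCALL":
            events[stamp]["syscall"] = fields(body)
        elif rtype == "AVC":
            denied = DENIED_RE.search(body)
            if denied:
                perms = denied.group(1).split()
                events[stamp]["denials"].append((perms, fields(denied.group(2))))
    return events


def summarize(log_text):
    """Map (source type, target type, class) to its denied permissions.

    "blocked" is True when the access was really refused: permissive=0 on the
    AVC record if the kernel logs that field, otherwise (assumed heuristic) a
    SYSCALL record with success=no in the same event.
    """
    rules = {}
    for event in parse_events(log_text).values():
        syscall = event["syscall"] or {}
        for perms, avc in event["denials"]:
            if not {"scontext", "tcontext", "tclass"} <= avc.keys():
                continue  # truncated record, nothing to classify
            key = (selinux_type(avc["scontext"]),
                   selinux_type(avc["tcontext"]), avc["tclass"])
            rule = rules.setdefault(key, {"perms": set(), "blocked": False})
            rule["perms"].update(perms)
            if "permissive" in avc:
                blocked = avc["permissive"] == "0"
            else:
                blocked = syscall.get("success") == "no"
            rule["blocked"] = rule["blocked"] or blocked
    return rules


def render(rules):
    """Format the summary the way audit2allow prints rules, for review only."""
    lines = []
    for (src, tgt, tclass), rule in sorted(rules.items()):
        perms = sorted(rule["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        note = "  # blocked: later accesses not yet observed" if rule["blocked"] else ""
        lines.append(f"allow {src} {tgt}:{tclass} {perm_text};{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

A rule marked blocked is a lower bound on what the domain needs, so the scenario has to be repeated with the domain permissive before the list can be treated as complete.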
Martin, Could you try this scenario with SELinux in permissive mode? Thanks.

*** Bug 1457944 has been marked as a duplicate of this bug. ***

*** Bug 1458420 has been marked as a duplicate of this bug. ***

Hello Lukas,
I am still seeing these AVC denials. These must have been forgotten about, they appear during a user logging to the IPA Web UI. Sorry about that.
----
time->Thu Jun 8 12:16:21 2017
type=SYSCALL msg=audit(1496916981.507:211514): arch=c000003e syscall=2 success=no exit=-13 a0=7f600cf64275 a1=0 a2=1b6 a3=24 items=0 ppid=50288 pid=50665 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916981.507:211514): avc: denied { read } for pid=50665 comm="kinit" name="kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Thu Jun 8 12:16:37 2017
type=SYSCALL msg=audit(1496916997.693:211522): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffefdb608f0 a2=7ffefdb608f0 a3=0 items=0 ppid=50288 pid=50670 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916997.693:211522): avc: denied { getattr } for pid=50670 comm="kinit" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Thu Jun 8 12:16:37 2017
type=SYSCALL msg=audit(1496916997.693:211521): arch=c000003e syscall=2 success=yes exit=3 a0=7f2d4a064275 a1=0 a2=1b6 a3=24 items=0 ppid=50288 pid=50670 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916997.693:211521): avc: denied { open } for pid=50670 comm="kinit" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1496916997.693:211521): avc: denied { read } for pid=50670 comm="kinit" name="kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
VERSIONS:
ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch
selinux-policy-targeted-3.13.1-160.el7.noarch
This was missed until now. This was seen while authenticating with a smart card on an IPA Client.
time->Thu Jun 15 08:08:03 2017
type=PROCTITLE msg=audit(1497535683.475:17558): proctitle=2F7573722F6C6962657865632F737373642F6B7262355F6368696C64002D2D64656275672D6D6963726F7365636F6E64733D30002D2D64656275672D74696D657374616D70733D31002D2D64656275672D66643D3138002D2D64656275672D6C6576656C3D307866376630002D2D63616E6F6E6963616C697A65002D2D666173
type=SYSCALL msg=audit(1497535683.475:17558): arch=c000003e syscall=2 success=yes exit=4 a0=55e6a50b6815 a1=0 a2=1b6 a3=24 items=0 ppid=2271 pid=21804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1497535683.475:17558): avc: denied { open } for pid=21804 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1497535683.475:17558): avc: denied { read } for pid=21804 comm="krb5_child" name="kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Thu Jun 15 08:08:03 2017
type=PROCTITLE msg=audit(1497535683.475:17559): proctitle=2F7573722F6C6962657865632F737373642F6B7262355F6368696C64002D2D64656275672D6D6963726F7365636F6E64733D30002D2D64656275672D74696D657374616D70733D31002D2D64656275672D66643D3138002D2D64656275672D6C6576656C3D307866376630002D2D63616E6F6E6963616C697A65002D2D666173
type=SYSCALL msg=audit(1497535683.475:17559): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff26bc8940 a2=7fff26bc8940 a3=0 items=0 ppid=2271 pid=21804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1497535683.475:17559): avc: denied { getattr } for pid=21804 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
2017-06-15 08:13:38 MDT
Verified using IPA build : ipa-server-4.5.0-20.el7.x86_64

Marking BZ as verified as no AVC seen after installation of IPA server.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
Description of problem:
AVC denials during ipa-server-install

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
[root@hp-dl380pgen8-02-vm-2 ~]# getenforce
Enforcing
[root@hp-dl380pgen8-02-vm-2 ~]# ipa-server-install --setup-dns --forwarder=10.16.36.29 --reverse-zone=46.16.10.in-addr.arpa. --allow-zone-overlap --hostname=hp-dl380pgen8-02-vm-2.testrelm.test -r TESTRELM.TEST -n testrelm.test. -p <XXXXX> -a <XXXXX> --ip-address=10.16.46.51

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host hp-dl380pgen8-02-vm-2.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 46.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       hp-dl380pgen8-02-vm-2.testrelm.test
IP address(es): 10.16.46.51
Domain name:    testrelm.test.
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.16.36.29
Forward policy:   only
Reverse zone(s):  46.16.10.in-addr.arpa.

WARNING: Realm name does not match the domain name.
You will not be able to estabilish trusts with Active Directory unless
the realm name of the IPA server matches its domain name.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Adding [10.16.46.51 hp-dl380pgen8-02-vm-2.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: enabling ldapi
  [4/47]: configure autobind for root
  [5/47]: stopping directory server
  [6/47]: updating configuration in dse.ldif
  [7/47]: starting directory server
  [8/47]: adding default schema
  [9/47]: enabling memberof plugin
  [10/47]: enabling winsync plugin
  [11/47]: configuring replication version plugin
  [12/47]: enabling IPA enrollment plugin
  [13/47]: configuring uniqueness plugin
  [14/47]: configuring uuid plugin
  [15/47]: configuring modrdn plugin
  [16/47]: configuring DNS plugin
  [17/47]: enabling entryUSN plugin
  [18/47]: configuring lockout plugin
  [19/47]: configuring topology plugin
  [20/47]: creating indices
  [21/47]: enabling referential integrity plugin
  [22/47]: configuring certmap.conf
  [23/47]: configure new location for managed entries
  [24/47]: configure dirsrv ccache
  [25/47]: enabling SASL mapping fallback
  [26/47]: restarting directory server
  [27/47]: adding sasl mappings to the directory
  [28/47]: adding default layout
  [29/47]: adding delegation layout
  [30/47]: creating container for managed entries
  [31/47]: configuring user private groups
  [32/47]: configuring netgroups from hostgroups
  [33/47]: creating default Sudo bind user
  [34/47]: creating default Auto Member layout
  [35/47]: adding range check plugin
  [36/47]: creating default HBAC rule allow_all
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpQZfYSu' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

[root@hp-dl380pgen8-02-vm-2 ~]# cat /var/log/audit/audit.log |audit2allow

#============= tomcat_t ==============
allow tomcat_t pki_tomcat_var_lib_t:dir { getattr search };
[root@hp-dl380pgen8-02-vm-2 ~]#

[root@hp-dl380pgen8-02-vm-2 ~]# ausearch -m AVC -ts today
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.186:161): arch=c000003e syscall=4 success=no exit=-13 a0=21166f0 a1=7ffecb488d00 a2=7ffecb488d00 a3=8 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.186:161): avc: denied { search } for pid=31687 comm="server" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:162): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=7461632f666e6f63 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.272:162): avc: denied { getattr } for pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:163): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=fd items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.272:163): avc: denied { getattr } for pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.272:164): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=fd items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.272:164): avc: denied { getattr } for pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.272:165): arch=c000003e syscall=4 success=no exit=-13 a0=7f28b8117700 a1=7f28be5fb7a0 a2=7f28be5fb7a0 a3=7461632f666e6f63 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.272:165): avc: denied { search } for pid=31687 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.306:166): arch=c000003e syscall=4 success=no exit=-13 a0=17086f0 a1=7ffdbd661320 a2=7ffdbd661320 a3=8 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 
fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.306:166): avc: denied { search } for pid=31720 comm="server" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.403:167): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.403:167): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.403:168): arch=c000003e syscall=83 success=no exit=-13 a0=7fcba4184040 a1=1ff a2=0 a3=7fcbaa9511b0 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.403:168): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.403:169): arch=c000003e syscall=6 success=no exit=-13 a0=7fcbaa9503b0 a1=7fcbaa94f280 a2=7fcbaa94f280 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 
egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.403:169): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.403:170): arch=c000003e syscall=6 success=no exit=-13 a0=7fcbaa9503b0 a1=7fcbaa94f280 a2=7fcbaa94f280 a3=fe items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.403:170): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:171): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184020 a1=7fcbaa951320 a2=7fcbaa951320 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:171): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:172): arch=c000003e syscall=6 success=no exit=-13 a0=7fcbaa950350 a1=7fcbaa94f220 a2=7fcbaa94f220 
a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:172): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:173): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184020 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:173): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:174): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa9513f0 a2=7fcbaa9513f0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:174): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:175): 
arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:175): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.404:176): arch=c000003e syscall=83 success=no exit=-13 a0=7fcba4184040 a1=1ff a2=0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.404:176): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:177): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951320 a2=7fcbaa951320 a3=2 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:177): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 
2017 type=SYSCALL msg=audit(1490704459.405:178): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:178): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:179): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa9513f0 a2=7fcbaa9513f0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:179): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:180): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:180): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 
tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:181): arch=c000003e syscall=83 success=no exit=-13 a0=7fcba4184040 a1=1ff a2=0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:181): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:182): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951320 a2=7fcbaa951320 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:182): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:183): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:183): avc: denied { getattr } for pid=31720 comm="java" 
path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:184): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa9513f0 a2=7fcbaa9513f0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:184): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:185): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:185): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:186): arch=c000003e syscall=83 success=no exit=-13 a0=7fcba4184040 a1=1ff a2=0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC 
msg=audit(1490704459.405:186): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:187): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951320 a2=7fcbaa951320 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:187): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:188): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41a31a0 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:188): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.405:189): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa9513f0 a2=7fcbaa9513f0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" 
exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.405:189): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.408:190): arch=c000003e syscall=2 success=no exit=-13 a0=7fcba41a4360 a1=0 a2=1b6 a3=7461632f666e6f63 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.408:190): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:191): arch=c000003e syscall=6 success=no exit=-13 a0=7fcbaa952550 a1=7fcbaa951420 a2=7fcbaa951420 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:191): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:192): arch=c000003e syscall=6 success=no exit=-13 a0=7fcbaa952550 a1=7fcbaa951420 a2=7fcbaa951420 a3=fe items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 
sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:192): avc: denied { getattr } for pid=31720 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:193): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:193): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:194): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:194): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:195): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 
ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:195): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:196): arch=c000003e syscall=21 success=no exit=-13 a0=7fcba41b2220 a1=4 a2=0 a3=7fcbaa9532a0 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:196): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:197): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null) type=AVC msg=audit(1490704459.415:197): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir ---- time->Tue Mar 28 08:34:19 2017 type=SYSCALL msg=audit(1490704459.415:198): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 
a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.415:198): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:199): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:199): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:200): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:200): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:201): arch=c000003e syscall=21 success=no exit=-13 a0=7fcba41b2220 a1=4 a2=0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:201): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:202): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:202): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.456:203): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba42d9b10 a1=7fcbaa952f30 a2=7fcbaa952f30 a3=7265732f666e6f63 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.456:203): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.456:204): arch=c000003e syscall=2 success=no exit=-13 a0=7fcba42d9b10 a1=0 a2=1b6 a3=7265732f666e6f63 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.456:204): avc: denied { search } for pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
[root@hp-dl380pgen8-02-vm-2 ~]#

Actual results:
ipa-server-install failing

Expected results:
ipa-server-install succeeds

Additional info: