Bug 1439187

Summary: AVC denied messages seen with SELinux in permissive mode
Product: Red Hat Enterprise Linux 7 Reporter: Varun Mylaraiah <mvarun>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-05 12:38:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Varun Mylaraiah 2017-04-05 12:07:34 UTC
Description of problem:
AVC denied messages are seen while running the Kerberos Lockout Policy with SELinux in permissive mode

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-136.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Ensure SELinux is in permissive mode
2. Install ipa-server


[root@qe-blade-04 ~]# cat /var/log/audit/audit.log|audit2allow
 
 
#============= tomcat_t ==============
allow tomcat_t pki_tomcat_etc_rw_t:dir { getattr open read };
allow tomcat_t pki_tomcat_etc_rw_t:file getattr;
allow tomcat_t pki_tomcat_var_lib_t:dir { getattr open read };
 
 
 
[root@qe-blade-04 ~]# rpm -q selinux-policy
selinux-policy-3.13.1-136.el7.noarch
[root@qe-blade-04 ~]#
 
 
[root@qe-blade-04 ~]#
[root@qe-blade-04 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Wed Apr  5 06:30:26 2017
type=PATH msg=audit(1491388226.294:545): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost" inode=68486630 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491388226.294:545):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491388226.294:545): arch=c000003e syscall=257 success=yes exit=87 a0=ffffffffffffff9c a1=7f3920000e70 a2=90800 a3=0 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491388226.294:545): avc:  denied  { open } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1491388226.294:545): avc:  denied  { read } for  pid=26662 comm="java" name="localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 06:30:36 2017
type=PATH msg=audit(1491388236.296:546): item=0 name="/etc/pki/pki-tomcat" inode=84438 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491388236.296:546):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491388236.296:546): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14eb30 a1=7f398e14da00 a2=7f398e14da00 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491388236.296:546): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat" dev="dm-0" ino=84438 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 06:30:56 2017
type=PATH msg=audit(1491388256.298:547): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" inode=68486631 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491388256.298:547):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491388256.298:547): arch=c000003e syscall=4 success=yes exit=0 a0=7f3920001420 a1=7f398e1502d0 a2=7f398e1502d0 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491388256.298:547): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" dev="dm-0" ino=68486631 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Apr  5 07:05:36 2017
type=PATH msg=audit(1491390336.480:576): item=0 name="/etc/pki/pki-tomcat" inode=84438 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491390336.480:576):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491390336.480:576): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14e9e0 a1=7f398e14d8b0 a2=7f398e14d8b0 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491390336.480:576): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat" dev="dm-0" ino=84438 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 07:05:36 2017
type=PATH msg=audit(1491390336.480:577): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" inode=68486631 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491390336.480:577):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491390336.480:577): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14e9e0 a1=7f398e14d8b0 a2=7f398e14d8b0 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491390336.480:577): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" dev="dm-0" ino=68486631 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Apr  5 07:05:36 2017
type=PATH msg=audit(1491390336.480:578): item=0 name="/var/lib/pki/pki-tomcat" inode=35084705 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491390336.480:578):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491390336.480:578): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14ebe0 a1=7f398e14dab0 a2=7f398e14dab0 a3=62696c2f7261762f items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491390336.480:578): avc:  denied  { getattr } for  pid=26662 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=35084705 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Wed Apr  5 07:05:36 2017
type=PATH msg=audit(1491390336.481:579): item=0 name="/var/lib/pki/pki-tomcat/webapps" inode=101567439 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491390336.481:579):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491390336.481:579): arch=c000003e syscall=257 success=yes exit=87 a0=ffffffffffffff9c a1=7f3920000e70 a2=90800 a3=0 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491390336.481:579): avc:  denied  { open } for  pid=26662 comm="java" path="/var/lib/pki/pki-tomcat/webapps" dev="dm-0" ino=101567439 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1491390336.481:579): avc:  denied  { read } for  pid=26662 comm="java" name="webapps" dev="dm-0" ino=101567439 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Wed Apr  5 07:05:36 2017
type=PATH msg=audit(1491390336.481:580): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost" inode=68486630 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491390336.481:580):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491390336.481:580): arch=c000003e syscall=257 success=yes exit=87 a0=ffffffffffffff9c a1=7f3920000e70 a2=90800 a3=0 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491390336.481:580): avc:  denied  { open } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1491390336.481:580): avc:  denied  { read } for  pid=26662 comm="java" name="localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 07:20:06 2017
type=PATH msg=audit(1491391206.554:594): item=0 name="/etc/pki/pki-tomcat" inode=84438 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491391206.554:594):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491391206.554:594): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14e990 a1=7f398e14d860 a2=7f398e14d860 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491391206.554:594): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat" dev="dm-0" ino=84438 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 07:20:06 2017
type=PATH msg=audit(1491391206.554:595): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" inode=68486631 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491391206.554:595):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491391206.554:595): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14e990 a1=7f398e14d860 a2=7f398e14d860 a3=617461432f746163 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491391206.554:595): avc:  denied  { getattr } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml" dev="dm-0" ino=68486631 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Apr  5 07:20:06 2017
type=PATH msg=audit(1491391206.555:596): item=0 name="/etc/pki/pki-tomcat/Catalina/localhost" inode=68486630 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1491391206.555:596):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491391206.555:596): arch=c000003e syscall=257 success=yes exit=87 a0=ffffffffffffff9c a1=7f3920000e70 a2=90800 a3=0 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491391206.555:596): avc:  denied  { open } for  pid=26662 comm="java" path="/etc/pki/pki-tomcat/Catalina/localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1491391206.555:596): avc:  denied  { read } for  pid=26662 comm="java" name="localhost" dev="dm-0" ino=68486630 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
----
time->Wed Apr  5 07:27:06 2017
type=PATH msg=audit(1491391626.588:598): item=0 name="/var/lib/pki/pki-tomcat/webapps" inode=101567439 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491391626.588:598):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491391626.588:598): arch=c000003e syscall=257 success=yes exit=87 a0=ffffffffffffff9c a1=7f3920000e70 a2=90800 a3=0 items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491391626.588:598): avc:  denied  { open } for  pid=26662 comm="java" path="/var/lib/pki/pki-tomcat/webapps" dev="dm-0" ino=101567439 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1491391626.588:598): avc:  denied  { read } for  pid=26662 comm="java" name="webapps" dev="dm-0" ino=101567439 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Wed Apr  5 07:27:06 2017
type=PATH msg=audit(1491391626.588:597): item=0 name="/var/lib/pki/pki-tomcat" inode=35084705 dev=fd:00 mode=040770 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491391626.588:597):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491391626.588:597): arch=c000003e syscall=6 success=yes exit=0 a0=7f398e14eb80 a1=7f398e14da50 a2=7f398e14da50 a3=62696c2f7261762f items=1 ppid=1 pid=26662 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491391626.588:597): avc:  denied  { getattr } for  pid=26662 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=35084705 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
[root@qe-blade-04 ~]#

Comment 2 Lukas Vrabec 2017-04-05 12:38:25 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***