Bug 1447436

Summary: HSM related denial with Red Hat Cert System

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jack Magne <jmagne> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | urgent |
| Priority | urgent |
| Version | 7.4 |
| CC | aakkiang, jmagne, jneedle, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone | rc |
| Keywords | TestBlocker |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-152.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-08-01 15:26:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1445519 |

Description
Jack Magne
2017-05-02 19:05:22 UTC
I have the following SELinux packages on the system:

selinux-policy-3.13.1-148.el7.noarch
selinux-policy-targeted-3.13.1-148.el7.noarch

Installing the CA server using an HSM shows the following denial:

time->Wed May 10 15:24:30 2017
type=PROCTITLE msg=audit(1494444270.438:2123): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494444270.438:2123): arch=c000003e syscall=2 success=no exit=-13 a0=7f5418686850 a1=80000 a2=7f5418674dd0 a3=6b6362696c2f3131 items=0 ppid=1 pid=14233 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494444270.438:2123): avc: denied { read } for pid=14233 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file


Hi Lukas,

When I put the system in permissive mode and install the CA, it throws the following AVC denials. Could you please make sure all of them are taken care of?

Thanks,
Asha

----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:131): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:131): arch=c000003e syscall=2 success=yes exit=74 a0=7f6c907265e0 a1=80000 a2=7f6c90714b60 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:131): avc: denied { open } for pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.103:131): avc: denied { read } for pid=14057 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:132): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:132): arch=c000003e syscall=5 success=yes exit=0 a0=4a a1=7f6c99f889c0 a2=7f6c99f889c0 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:132): avc: denied { getattr } for pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.104:133): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.104:133): arch=c000003e syscall=9 success=yes exit=140103743201280 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.104:133): avc: denied { execute } for pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.105:134): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.105:134): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7f6c99f88890 a2=6e a3=7f6c99f88570 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.105:134): avc: denied { connectto } for pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:49:51 2017
type=PROCTITLE msg=audit(1494517791.745:135): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517791.745:135): arch=c000003e syscall=257 success=yes exit=75 a0=ffffffffffffff9c a1=7f6c901343b0 a2=90800 a3=0 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517791.745:135): avc: denied { read } for pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:136): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:136): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c361660 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:136): avc: denied { write open } for pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc: denied { create } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc: denied { add_name } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.608:136): avc: denied { write } for pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:137): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:137): arch=c000003e syscall=5 success=yes exit=0 a0=7f a1=7f6c4fef6ef0 a2=7f6c4fef6ef0 a3=1 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:137): avc: denied { getattr } for pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.609:138): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.609:138): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c361660 a1=7f6c5c358b50 a2=fffffffffffffef0 a3=7f6c4fef6d60 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.609:138): avc: denied { rename } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.609:138): avc: denied { remove_name } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:139): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:139): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c35cbe0 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:139): avc: denied { read } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:140): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:140): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c35df30 a1=7f6c5c35cbe0 a2=7f6c5c000078 a3=7a items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:140): avc: denied { unlink } for pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:06 2017
type=PROCTITLE msg=audit(1494517866.457:144): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517866.457:144): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7fbe6c118890 a2=6e a3=7fbe6c118570 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517866.457:144): avc: denied { connectto } for pid=14476 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:146): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:146): arch=c000003e syscall=5 success=yes exit=0 a0=4c a1=7fbe6c118ab0 a2=7fbe6c118ab0 a3=0 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:146): avc: denied { getattr } for pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:145): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:145): arch=c000003e syscall=2 success=yes exit=76 a0=7fbe64160c20 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:145): avc: denied { open } for pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517873.406:145): avc: denied { read } for pid=14476 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file


Hi,

These AVCs will be fixed in the next selinux-policy build.


Created attachment 1279819 [details]
Audit log for the CA install with HSM throwing AVC messages.

I've installed selinux-policy-3.13.1-149.el7 on a RHEL 7.4 Server x86_64 system; CA installation with HSM results in the same AVCs as above. Audit log attached.

# audit2allow -i /var/log/audit/audit.log

#============= tomcat_t ==============

#!!!! The file '/opt/nfast/sockets/nserver' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /opt/nfast/sockets/nserver
allow tomcat_t initrc_t:unix_stream_socket connectto;
allow tomcat_t pki_common_t:dir { add_name read remove_name write };
allow tomcat_t pki_common_t:file { create execute rename unlink write };

I applied the restorecon; the AVCs recur. Re-opening the bug.


Asha,

I added the following rules to the tomcat_t policy:

allow tomcat_t pki_common_t:dir { add_name read remove_name write };
allow tomcat_t pki_common_t:file { create execute rename unlink write };

But could you attach the output of the ps command when you catch these AVCs?

1. Please run the tests.
2. Run:
# ps -efZ | grep initrc_t

Thanks.
Lukas.


Hi Lukas,

Here is the ps command output after the test run:

# ps -efZ | grep initrc_t
unconfined_u:system_r:initrc_t:s0 nfast 15419 1 0 May17 ? 00:00:11 ../sbin/hardserver -p hardserver.pid -Lhardserver.log
unconfined_u:system_r:initrc_t:s0 nfast 15422 15419 0 May17 ? 00:00:00 ../sbin/hardserver --spawn-svc
unconfined_u:system_r:initrc_t:s0 root 15460 1 0 May17 ? 00:00:00 su raserv -c set -e echo $$ >raserv.pid exec ../sbin/raserv -Lraserv.log
unconfined_u:system_r:initrc_t:s0 raserv 15463 15460 0 May17 ? 00:00:01 ../sbin/raserv -Lraserv.log
unconfined_u:system_r:initrc_t:s0 ncsnmpd 15514 1 0 May17 ? 00:00:01 ../sbin/snmpd -p /opt/nfast/log/ncsnmpd.pid -Lf /opt/nfast/log/ncsnmpd.log -A
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19704 13189 0 11:07 pts/1 00:00:00 grep --color=auto initrc_t

Thanks,
Asha


I tested with selinux-policy-3.13.1-151.el7 on a RHEL 7.4 x86_64 system with Thales and LunaSA HSMs. It still did not work.

CA installation with the Thales HSM shows the following AVCs:

----
time->Fri May 19 03:01:44 2017
type=PROCTITLE msg=audit(1495177304.229:856): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177304.229:856): arch=c000003e syscall=9 success=yes exit=139660883202048 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=15224 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177304.229:856): avc: denied { execute } for pid=15224 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33565238 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Fri May 19 03:01:44 2017
type=PROCTITLE msg=audit(1495177304.230:857): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177304.230:857): arch=c000003e syscall=42 success=yes exit=0 a0=4b a1=7f057d617890 a2=6e a3=7f057d617570 items=0 ppid=1 pid=15224 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177304.230:857): avc: denied { connectto } for pid=15224 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Fri May 19 03:03:11 2017
type=PROCTITLE msg=audit(1495177391.415:861): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177391.415:861): arch=c000003e syscall=9 success=yes exit=140645169864704 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=15642 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177391.415:861): avc: denied { execute } for pid=15642 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33565238 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Fri May 19 03:03:11 2017
type=PROCTITLE msg=audit(1495177391.417:862): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177391.417:862): arch=c000003e syscall=42 success=yes exit=0 a0=4b a1=7feac3a38890 a2=6e a3=7feac3a38570 items=0 ppid=1 pid=15642 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177391.417:862): avc: denied { connectto } for pid=15642 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

CA installation with the Lunasa HSM shows the following AVCs:

----
time->Fri May 19 03:44:26 2017
type=SYSCALL msg=audit(1495179866.490:123246): arch=c000003e syscall=42 success=no exit=-115 a0=4a a1=7f3f41906b60 a2=10 a3=7f3f419059e0 items=0 ppid=1 pid=20597 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495179866.490:123246): avc: denied { name_connect } for pid=20597 comm="java" dest=1792 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----
time->Fri May 19 03:45:38 2017
type=SYSCALL msg=audit(1495179938.443:123250): arch=c000003e syscall=42 success=no exit=-115 a0=4a a1=7fbf3e07db60 a2=10 a3=7fbf3e07c9e0 items=0 ppid=1 pid=21070 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495179938.443:123250): avc: denied { name_connect } for pid=21070 comm="java" dest=1792 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


Tested RHCS installs with nCipher and Lunasa HSMs using selinux-policy-3.13.1-160.el7, no AVCs found.

# rpm -q selinux-policy selinux-policy-targeted pki-ca
selinux-policy-3.13.1-160.el7.noarch
selinux-policy-targeted-3.13.1-160.el7.noarch
pki-ca-10.4.1-8.el7.noarch

Marking the bug verified.


Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
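The thread above shows the raw AVC records and, later, the `audit2allow` rules derived from them. The Python below is an added illustration for this page, not part of the bug report and not the code of audit2allow, selinux-policy or Red Hat Certificate System. It parses AVC lines of the shape seen in this bug, merges the denied permissions per (source type, target type, class) the way audit2allow does, prints the resulting allow rules, and then applies two review heuristics of its own: a `connectto` rule against `initrc_t` reaches every daemon running in that catch-all domain, not only the nfast hardserver, and `execute` on a data type such as `pki_common_t` means code and data share one label. The sample records are constructed to match the bug's shapes (key file names shortened); the heuristics are assumptions of this example, not rules from the policy project.

```python
"""AVC denial summarizer in the style of audit2allow.

Added example for this bug thread, not part of the report or of the
selinux-policy / policycoreutils tooling. It parses raw audit records,
groups denied permissions per (source type, target type, class), renders
the allow rules that would silence them, and flags rules a reviewer
should question rather than paste into a policy module.
"""
import re
from collections import defaultdict

# Constructed sample records, shaped like the ones in the bug (long key
# file names shortened). The SYSCALL line is there to show it is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1494517785.103:131): avc: denied { open } for pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.103:131): avc: denied { read } for pid=14057 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.104:133): avc: denied { execute } for pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.105:134): avc: denied { connectto } for pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1494517846.608:136): avc: denied { write open } for pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_example.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc: denied { add_name } for pid=14057 comm="java" name="key_pkcs11_example.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=SYSCALL msg=audit(1494517846.608:136): arch=c000003e syscall=2 success=yes exit=127 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
"""

# Real audit output has two spaces around "denied"; \s+ accepts either.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type; MLS ranges add colons after the type."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one (perm, source_type, target_type, tclass) tuple per denied permission."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / PROCTITLE records carry no access decision
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():  # "{ write open }" -> two perms
            found.append((perm, src, tgt, m.group("tclass")))
    return found


def summarize(avcs):
    """Merge denials per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for perm, src, tgt, cls in avcs:
        rules[(src, tgt, cls)].add(perm)
    return {key: sorted(perms) for key, perms in rules.items()}


def allow_rules(summary):
    """Render the summary as policy-language allow rules, sorted for stable diffs."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


def review_flags(summary):
    """Heuristics of this example (not audit2allow's) for rules worth a second look."""
    flags = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        if tgt == "initrc_t" and "connectto" in perms:
            # initrc_t is the catch-all domain for daemons without their own
            # policy; the rule would reach every such daemon's socket, not
            # just the HSM server. Confining or labeling the peer is narrower.
            flags.append(f"{src}: connectto {cls} of initrc_t is broader than one service")
        if cls == "file" and "execute" in perms:
            # Loading a shared object from a data type means code and data
            # share a label; a library label would keep them apart.
            flags.append(f"{src}: execute on {tgt} files mixes code and data labels")
    return flags


if __name__ == "__main__":
    summary = summarize(parse_avcs(SAMPLE_AUDIT))
    print("\n".join(allow_rules(summary)))
    for flag in review_flags(summary):
        print("# review:", flag)
```

On a real system the equivalent input is `ausearch -m AVC -ts recent` or the raw `/var/log/audit/audit.log`, and `audit2allow -i` (as used in the thread) is the tool to generate the rules; the value of the extra step is the review pass, which is where the thread's `initrc_t` socket and the `execute` on `pki_common_t` would have been questioned before the rules were granted.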