Bug 1458420

Summary: AVC denials during RHCS subsystems install
Product: Red Hat Enterprise Linux 7
Reporter: Asha Akkiangady <aakkiang>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: alee, lvrabec, mgrepl, mharmsen, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-06-05 12:44:58 UTC
Type: Bug

Description Asha Akkiangady 2017-06-02 19:41:20 UTC
Description of problem:
pkispawn of RHCS subsystems shows AVC denials for /usr/sbin/ldconfig.

Version-Release number of selected component (if applicable):
pki-server-10.4.1-7.el7.noarch
selinux-policy-3.13.1-157.el7.noarch

How reproducible:


Steps to Reproduce:
1. pkispawn a CA instance with internal soft token.
2. Installation is successful.


Actual results:
3. The following AVCs are thrown:

time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:90): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:90): arch=c000003e syscall=59 success=no exit=-13 a0=1517250 a1=15165a0 a2=1515960 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:90): avc:  denied  { execute } for  pid=11541 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:91): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:91): arch=c000003e syscall=4 success=no exit=-13 a0=1517250 a1=7ffe07dfb0e0 a2=7ffe07dfb0e0 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:91): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:92): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:92): arch=c000003e syscall=4 success=no exit=-13 a0=1517250 a1=7ffe07dfb0c0 a2=7ffe07dfb0c0 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:92): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:93): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:93): arch=c000003e syscall=59 success=no exit=-13 a0=2116250 a1=21155a0 a2=2114960 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:93): avc:  denied  { execute } for  pid=11547 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:94): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:94): arch=c000003e syscall=4 success=no exit=-13 a0=2116250 a1=7ffc72521cb0 a2=7ffc72521cb0 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:94): avc:  denied  { getattr } for  pid=11547 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:95): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:95): arch=c000003e syscall=4 success=no exit=-13 a0=2116250 a1=7ffc72521c90 a2=7ffc72521c90 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:95): avc:  denied  { getattr } for  pid=11547 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:99): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:99): arch=c000003e syscall=59 success=no exit=-13 a0=f5d250 a1=f5c5a0 a2=f5b960 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:99): avc:  denied  { execute } for  pid=12207 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:100): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:100): arch=c000003e syscall=4 success=no exit=-13 a0=f5d250 a1=7ffce84fd030 a2=7ffce84fd030 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:100): avc:  denied  { getattr } for  pid=12207 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:101): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:101): arch=c000003e syscall=4 success=no exit=-13 a0=f5d250 a1=7ffce84fd010 a2=7ffce84fd010 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:101): avc:  denied  { getattr } for  pid=12207 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:102): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:102): arch=c000003e syscall=59 success=no exit=-13 a0=1eb6250 a1=1eb55a0 a2=1eb4960 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:102): avc:  denied  { execute } for  pid=12213 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:103): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:103): arch=c000003e syscall=4 success=no exit=-13 a0=1eb6250 a1=7ffdefdd3da0 a2=7ffdefdd3da0 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:103): avc:  denied  { getattr } for  pid=12213 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:104): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:104): arch=c000003e syscall=4 success=no exit=-13 a0=1eb6250 a1=7ffdefdd3d80 a2=7ffdefdd3d80 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:104): avc:  denied  { getattr } for  pid=12213 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

Expected results:
AVC denials should not occur.

Additional info:

Comment 2 Ade Lee 2017-06-02 21:03:52 UTC
Doing an audit2allow on these gives:

#============= pki_tomcat_t ==============
allow pki_tomcat_t ldconfig_exec_t:file { execute getattr };


This should be added to the policy by the selinux-policy group.
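
An added example, not code from this bug or from the pki project, that does by hand what the audit2allow run in Comment 2 does: it parses AVC records, aggregates source type, target type, object class and permissions into an allow rule, and decodes the hex-encoded proctitle so the denied command line is readable. The three records embedded below are copied from the ausearch output in this bug; the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: three records copied from this bug's ausearch output (the
# PROCTITLE record plus one execute and one getattr denial).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1496414508.546:90): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=AVC msg=audit(1496414508.546:90): avc:  denied  { execute } for  pid=11541 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496414508.546:91): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
PROCTITLE_RE = re.compile(r'type=PROCTITLE .*?proctitle=(?P<hex>[0-9A-Fa-f]+)')


def decode_proctitle(hexstr):
    """ausearch hex-encodes proctitle when argv contains NUL separators; rebuild the command line."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace")


def sel_type(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize_denials(text):
    """Aggregate AVC denials into (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (sel_type(m["scontext"]), sel_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(text):
    """Render the aggregated denials as audit2allow-style allow rules (sorted for stable output)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(summarize_denials(text).items())
    ]


def denied_commands(text):
    """Decoded command lines of the processes that hit the denials."""
    return sorted({decode_proctitle(m["hex"]) for m in PROCTITLE_RE.finditer(text)})


if __name__ == "__main__":
    for cmd in denied_commands(SAMPLE_AUDIT):
        print("denied command:", cmd)
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

The decoded proctitle shows the denial comes from `sh -c /sbin/ldconfig -p 2>/dev/null`, i.e. a library-cache probe rather than a write to the cache. A generated rule is only a starting point: review its scope against the domain's intended privileges before loading it as a local module, since the proper fix belongs in the distribution policy as Comment 2 says.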

Comment 3 Lukas Vrabec 2017-06-05 12:44:58 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***