Bug 1488404
| Summary: | SELinux denials during ipa-server-install | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tomas Krizek <tkrizek> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | awilliam, dwalsh, gparente, lslebodn, lsm5, lvrabec, mgrepl, plautrba, pmoore, robatino |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-09-12 08:06:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1396702 | | |
Description (Tomas Krizek, 2017-09-05 10:09:16 UTC)
I've already reported several of these to Lukas and I believe he's fixed several. Can you test with selinux-policy-3.13.1-279.fc27 (it's in Koji, not yet Bodhi) and see which if any remain? Thanks.

Here's the list I get with the latest openQA test with the F27 update that makes FreeIPA kinda-work again, including USER_AVCs:

Sep 05 14:59:48 localhost.localdomain audit[587]: AVC avc: denied { map } for pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:48 localhost.localdomain kernel: audit: type=1400 audit(1504648788.937:75): avc: denied { map } for pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:49 localhost.localdomain audit[603]: AVC avc: denied { map } for pid=603 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=8844075 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=1
Sep 05 15:03:35 ipa001.domain.local audit[4636]: AVC avc: denied { map } for pid=4636 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:03:59 ipa001.domain.local audit[13043]: AVC avc: denied { map } for pid=13043 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { read } for pid=512 comm="sh" name="passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { open } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { getattr } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { map } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { write } for pid=512 comm="sh" name="nss" dev="dm-0" ino=12922699 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 05 15:04:56 ipa001.domain.local audit[666]: AVC avc: denied { map } for pid=666 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1034 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=1034 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1084 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.22 spid=1 tpid=1084 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.27 spid=1 tpid=1128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1129 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.28 spid=1 tpid=1129 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1134 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.30 spid=1 tpid=1134 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:06:33 ipa001.domain.local audit[3761]: AVC avc: denied { map } for pid=3761 comm="ns-slapd" path="/dev/shm/2zc8lm" dev="tmpfs" ino=31196 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:06:39 ipa001.domain.local audit[3761]: AVC avc: denied { map } for pid=3761 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552045 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { write } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { link } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { rename } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:47 ipa001.domain.local audit[3812]: AVC avc: denied { unlink } for pid=3812 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:55 ipa001.domain.local audit[3900]: AVC avc: denied { map } for pid=3900 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:03 ipa001.domain.local audit[4012]: AVC avc: denied { map } for pid=4012 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { read } for pid=4206 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { open } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { getattr } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { map } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { read } for pid=4602 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { open } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { getattr } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { map } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { read } for pid=5119 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { open } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { getattr } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { map } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:09:49 ipa001.domain.local audit[5838]: AVC avc: denied { map } for pid=5838 comm="ns-slapd" path="/dev/shm/DoJNc7" dev="tmpfs" ino=52885 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:09:54 ipa001.domain.local audit[5838]: AVC avc: denied { map } for pid=5838 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:02 ipa001.domain.local audit[5930]: AVC avc: denied { map } for pid=5930 comm="ns-slapd" path="/dev/shm/m96aV6" dev="tmpfs" ino=53303 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:08 ipa001.domain.local audit[5930]: AVC avc: denied { map } for pid=5930 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { read } for pid=6059 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { open } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { getattr } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { map } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:39 ipa001.domain.local audit[6520]: AVC avc: denied { map } for pid=6520 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:10:47 ipa001.domain.local audit[6909]: AVC avc: denied { map } for pid=6909 comm="ns-slapd" path="/dev/shm/rR8fi8" dev="tmpfs" ino=59817 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:53 ipa001.domain.local audit[6909]: AVC avc: denied { map } for pid=6909 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:22 ipa001.domain.local audit[7055]: AVC avc: denied { map } for pid=7055 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:27 ipa001.domain.local audit[7177]: AVC avc: denied { map } for pid=7177 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:12:28 ipa001.domain.local audit[7453]: AVC avc: denied { map } for pid=7453 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=34619 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 05 15:12:30 ipa001.domain.local audit[7494]: AVC avc: denied { map } for pid=7494 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:18:00 ipa001.domain.local audit[7181]: AVC avc: denied { execmem } for pid=7181 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
Sep 05 15:25:06 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=61277 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

With -279 in the latest Rawhide compose, these denials still appear during a successful server deployment with enforcing=0:

[adamw@adam tmp]$ journalctl --file var/log/journal/9d9e6135d4644e03b7fba286745fef02/system.journal | grep -i denied
Sep 06 06:37:38 localhost.localdomain audit[605]: AVC avc: denied { map } for pid=605 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=8887546 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=0
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { read } for pid=526 comm="sh" name="passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { open } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { getattr } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { map } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { write } for pid=526 comm="sh" name="nss" dev="dm-0" ino=12848641 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.23 spid=1 tpid=1159 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1160 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.24 spid=1 tpid=1160 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1211 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.31 spid=1 tpid=1211 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1258 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.34 spid=1 tpid=1258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.35 spid=1 tpid=1268 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1274 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.38 spid=1 tpid=1274 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { write } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { link } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { rename } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:46 ipa001.domain.local audit[5748]: AVC avc: denied { unlink } for pid=5748 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:54:00 ipa001.domain.local audit[8457]: AVC avc: denied { map } for pid=8457 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:50 ipa001.domain.local audit[9116]: AVC avc: denied { map } for pid=9116 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:53 ipa001.domain.local audit[9417]: AVC avc: denied { map } for pid=9417 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=253450 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 06 06:55:56 ipa001.domain.local audit[9441]: AVC avc: denied { map } for pid=9441 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 07:05:28 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65276 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

This bug isn't really 'blocking' the CA_UNREACHABLE bug, that's something else entirely. Instead, nominating this one directly as a Beta blocker, for the same reason as all the others: these denials prevent FreeIPA server deployment, which is a core requirement of a release-blocking Server role, from working.
(One of the earlier denials *does* cause the server deployment test to fail on openQA production, where the test is run with SELinux in enforcing mode; I got the full list of denials from the logs of the same test on openQA staging, where we're currently running the test with SELinux in permissive mode.)

selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

-280 did not fix all the denials I mentioned, these remain:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

Note the unusual tcontext there (presumably because the deployment is being run via rolekit).

(In reply to Adam Williamson from comment #8)
> -280 did not fix all the denials I mentioned, these remain:
>
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
>
> note the unusual tcontext there (presumably because the deployment is being run via rolekit).
Because it is a bug in freeipa-server and not in selinux-policy: BZ1490762

There's one more denial I see during the FreeIPA tests on openQA staging (with enforcing=0), I think this one comes during decommissioning:

Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

(In reply to Adam Williamson from comment #10)
> There's one more denial I see during the FreeIPA tests on openQA staging (with enforcing=0), I think this one comes during decommissioning:
>
> Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

It is a harmless AVC. "krb5cc-httpd" is the Kerberos ccache file used in httpd.service, and this AVC occurs when httpd.service is stopped and systemd tries to clean all files in PrivateTmp. So it will not cause any critical problems, but it would probably be nice to allow it. BTW it can be tracked in a different BZ because it usually does not happen as part of ipa-server-install but later, and moreover it is related to httpd+systemd rather than to the FreeIPA use case.
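The thread above is a wall of repeated AVC records, and the two facts that decided each one were buried in the fields: which (source type, target type, class) pair the denial is about, and whether it was logged with permissive=0 (the operation really failed, e.g. the dirsrv_t write to dse.ldif that broke the enforcing-mode openQA run) or permissive=1 (logged only, because the run used enforcing=0). The script below is an added triage example, not part of this bug report, of selinux-policy or of FreeIPA. It parses kernel AVC and dbus-daemon USER_AVC records of the shapes seen here, collapses the repeats into one entry per (source, target, class) with the union of denied permissions, and renders each as the `allow` statement audit2allow would propose. The sample log is constructed from the record formats in this report; PIDs, inode numbers and the non-AVC journal line are illustrative. On a real host the same input comes from `ausearch -m AVC,USER_AVC` or, as Adam did, `journalctl ... | grep -i denied`.

```python
"""Triage helper for SELinux AVC and USER_AVC denial records.

Added example (not part of this bug report, of selinux-policy or of FreeIPA).
It parses kernel AVC records and the dbus-daemon USER_AVC records seen in the
report, collapses repeats into one (source type, target type, class) entry
carrying the union of denied permissions, and separates entries hit with
permissive=0 (the operation really failed) from permissive=1 (only logged,
because the system or that domain was permissive).
"""
import re

# Constructed sample input modelled on entries in the report; PIDs, inode
# numbers and the plain systemd line are illustrative, not from a real system.
SAMPLE_LOG = """\
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:08 ipa001.domain.local systemd[1]: Started 389 Directory Server DOMAIN-LOCAL.
Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1160 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1'
Sep 06 06:37:38 localhost.localdomain kernel: audit: type=1400 audit(1504679858.120:41): avc:  denied  { map } for  pid=605 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=8887546 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=0
"""

# Both AVC and USER_AVC carry the same "avc: denied { perms } for k=v ..." core.
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type from user:role:type[:range]; the MLS range may contain ':' itself."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denial(line):
    """Parse one journal/audit line into a dict, or None if it is not a denial record."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass", "permissive")):
        return None
    return {
        "record": "USER_AVC" if "USER_AVC" in line else "AVC",
        "perms": frozenset(m.group("perms").split()),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields["permissive"] == "1",
        "comm": fields.get("comm"),
        # File denials name a path or name; dbus denials name the method.
        "object": fields.get("path") or fields.get("name") or fields.get("member"),
    }


def summarize(lines):
    """Collapse denials into {(source, target, tclass): {perms, enforced, count, comms}}."""
    rules = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "enforced": False, "count": 0, "comms": set()})
        entry["perms"] |= d["perms"]
        entry["enforced"] |= not d["permissive"]   # any permissive=0 hit means it really failed
        entry["count"] += 1
        if d["comm"]:
            entry["comms"].add(d["comm"])
    return rules


def allow_rule(key, perms):
    """Render the policy statement audit2allow would propose for one key (a triage aid only)."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def blocking_rules(rules):
    """Keys hit with permissive=0, i.e. the denials that actually broke something."""
    return sorted(k for k, v in rules.items() if v["enforced"])


def report(text):
    """One line per collapsed rule, BLOCKED ones first by flag, for reading rather than applying."""
    rules = summarize(text.splitlines())
    out = []
    for key in sorted(rules):
        v = rules[key]
        tag = "BLOCKED" if v["enforced"] else "logged "
        comms = ",".join(sorted(v["comms"])) or "-"
        out.append(f"{tag} x{v['count']:<3} {allow_rule(key, v['perms'])}  # {comms}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The rendered `allow` lines are there to make the denial readable, not to be loaded as a module: the thread shows why. `allow dirsrv_t rolekit_tmp_t:file { link write };` would have silenced the blocking denial, but the right fix was in freeipa-server (dse.ldif had been created with a rolekit temporary-file label), and an `allow init_t httpd_tmp_t:file unlink;` is only worth adding once someone has confirmed, as was done here, that the access is the PrivateTmp cleanup and not something else running as pid 1.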