Bug 1491508
Summary: | [Modular Server] FreeIPA server deployment fails with SELinux in enforcing mode, despite no obvious denials | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 27 | CC: | abokovoy, awilliam, cheimes, dominicpg, dwalsh, ipa-maint, jcholast, jhrozek, kparal, lsm5, lvrabec, mgrepl, mkosek, ncoghlan, plautrba, pmoore, pvoborni, rcritten, robatino, slaznick, ssorce, tkrizek |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | AcceptedBlocker | | |
Fixed In Version: | selinux-policy-3.13.1-283.3.fc27 freeipa-4.6.1-3.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-10-18 15:23:12 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1502880 | | |
Attachments: | | | |
Description
Adam Williamson
2017-09-14 03:44:36 UTC
Created attachment 1325668 [details]
Tarball of logs from a failure (enforcing mode)
Created attachment 1325669 [details]
Tarball of logs from a success (permissive mode)
CCing some FreeIPA folks who can maybe identify precisely what went wrong.

I guess you need to disable dontaudit rules to see real denials. It can be achieved by running 'semodule -DB' which rebuilds SELinux database without dontaudit rules.

Alexander is right, could you please run:

```
# setenforce 0
# semodule -DB
```

and then reproduce the issue? I'll then fix all AVCs.

Thanks,
Lukas.

Lukas, unrelated to the case Adam runs with, but I see these errors in our PR CI runs:

```
Sep 14 16:07:46 replica1.ipa.test audit[16810]: AVC avc: denied { read } for pid=16810 comm="pkidaemon" name="passwd" dev="vda1" ino=525832 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 14 16:07:46 replica1.ipa.test audit[16810]: AVC avc: denied { open } for pid=16810 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="vda1" ino=525832 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 14 16:07:46 replica1.ipa.test audit[16810]: AVC avc: denied { getattr } for pid=16810 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="vda1" ino=525832 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
```

These are from dogtag (pkidaemon) trying to do 'getpwnam()'-like operations. These should be allowed, it is just glibc nsswitch module nss_sss talking to its source (SSSD socket).

OK, here's all the AVCs I get after setenforce 0; semodule -DB . I see a few 'read' and 'open' denials for ns-slapd mixed in with all the siginh and noatsecure denials...
```
[adamw@adam tmp]$ journalctl --file var/log/journal/4d5457c5362341319fa548d249711e0b/system.journal | grep -i avc
Sep 14 13:33:28 localhost.localdomain audit[603]: AVC avc: denied { map } for pid=603 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 14 13:33:28 localhost.localdomain kernel: audit: type=1400 audit(1505421208.022:72): avc: denied { map } for pid=603 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 14 13:33:28 localhost.localdomain audit[620]: AVC avc: denied { map } for pid=620 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=8844075 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=1
Sep 14 13:37:13 ipa001.domain.local audit[670]: USER_AVC pid=670 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2)
Sep 14 13:37:17 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2)
Sep 14 13:39:16 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2)
Sep 14 13:39:31 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2)
Sep 14 13:39:31 ipa001.domain.local audit[1021]: AVC avc: denied { noatsecure } for pid=1021 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:39:31 ipa001.domain.local audit[1020]: AVC avc: denied { noatsecure } for pid=1020 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:39:31 ipa001.domain.local audit[1032]: AVC avc: denied { siginh } for pid=1032 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:39:31 ipa001.domain.local audit[1032]: AVC avc: denied { noatsecure } for pid=1032 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:39:31 ipa001.domain.local audit[1028]: AVC avc: denied { noatsecure } for pid=1028 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:39:34 ipa001.domain.local audit[1039]: AVC avc: denied { noatsecure } for pid=1039 comm="haveged" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:entropyd_t:s0 tclass=process permissive=1
Sep 14 13:39:52 ipa001.domain.local audit[1053]: AVC avc: denied { net_admin } for pid=1053 comm="groupadd" capability=12 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
Sep 14 13:39:54 ipa001.domain.local audit[1088]: AVC avc: denied { noatsecure } for pid=1088 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:39:54 ipa001.domain.local audit[1081]: AVC avc: denied { noatsecure } for pid=1081 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:39:54 ipa001.domain.local audit[1080]: AVC avc: denied { noatsecure } for pid=1080 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:39:54 ipa001.domain.local audit[1099]: AVC avc: denied { net_admin } for pid=1099 comm="groupadd" capability=12 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
Sep 14 13:39:55 ipa001.domain.local audit[1103]: AVC avc: denied { net_admin } for pid=1103 comm="useradd" capability=12 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=3)
Sep 14 13:39:56 ipa001.domain.local audit[1135]: AVC avc: denied { rlimitinh } for pid=1135 comm="setfiles" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[1135]: AVC avc: denied { siginh } for pid=1135 comm="setfiles" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[1135]: AVC avc: denied { noatsecure } for pid=1135 comm="setfiles" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:setfiles_t:s0 tclass=process permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[1138]: AVC avc: denied { rlimitinh } for pid=1138 comm="load_policy" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:load_policy_t:s0 tclass=process permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[1138]: AVC avc: denied { siginh } for pid=1138 comm="load_policy" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:load_policy_t:s0 tclass=process permissive=1
Sep 14 13:39:56 ipa001.domain.local audit[1138]: AVC avc: denied { noatsecure } for pid=1138 comm="load_policy" scontext=system_u:system_r:setsebool_t:s0 tcontext=system_u:system_r:load_policy_t:s0 tclass=process permissive=1
Sep 14 13:39:57 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=4)
Sep 14 13:39:57 ipa001.domain.local audit[1148]: AVC avc: denied { net_admin } for pid=1148 comm="groupadd" capability=12 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
Sep 14 13:39:57 ipa001.domain.local audit[1153]: AVC avc: denied { net_admin } for pid=1153 comm="useradd" capability=12 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=1
Sep 14 13:40:19 ipa001.domain.local audit[1292]: AVC avc: denied { net_admin } for pid=1292 comm="useradd" capability=12 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3)
Sep 14 13:40:25 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4)
Sep 14 13:40:25 ipa001.domain.local audit[1374]: AVC avc: denied { noatsecure } for pid=1374 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1385]: AVC avc: denied { siginh } for pid=1385 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1385]: AVC avc: denied { noatsecure } for pid=1385 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1382]: AVC avc: denied { noatsecure } for pid=1382 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1375]: AVC avc: denied { noatsecure } for pid=1375 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:40:25 ipa001.domain.local audit[1393]: AVC avc: denied { net_admin } for pid=1393 comm="groupadd" capability=12 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
Sep 14 13:40:26 ipa001.domain.local audit[1418]: AVC avc: denied { siginh } for pid=1418 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:26 ipa001.domain.local audit[1418]: AVC avc: denied { noatsecure } for pid=1418 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:26 ipa001.domain.local audit[1433]: AVC avc: denied { net_admin } for pid=1433 comm="groupadd" capability=12 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=1
Sep 14 13:40:27 ipa001.domain.local audit[1468]: AVC avc: denied { noatsecure } for pid=1468 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:40:27 ipa001.domain.local audit[1475]: AVC avc: denied { noatsecure } for pid=1475 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:40:27 ipa001.domain.local audit[1479]: AVC avc: denied { siginh } for pid=1479 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:27 ipa001.domain.local audit[1478]: AVC avc: denied { noatsecure } for pid=1478 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:27 ipa001.domain.local audit[1467]: AVC avc: denied { noatsecure } for pid=1467 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:40:30 ipa001.domain.local audit[3558]: AVC avc: denied { noatsecure } for pid=3558 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:40:33 ipa001.domain.local audit[3574]: AVC avc: denied { rlimitinh } for pid=3574 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1
Sep 14 13:40:33 ipa001.domain.local audit[3574]: AVC avc: denied { siginh } for pid=3574 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1
Sep 14 13:40:33 ipa001.domain.local audit[3574]: AVC avc: denied { noatsecure } for pid=3574 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1
Sep 14 13:40:34 ipa001.domain.local audit[3580]: AVC avc: denied { noatsecure } for pid=3580 comm="systemd-hostnam" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=process permissive=1
Sep 14 13:40:37 ipa001.domain.local audit[3608]: AVC avc: denied { noatsecure } for pid=3608 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:40:37 ipa001.domain.local audit[3611]: AVC avc: denied { siginh } for pid=3611 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:37 ipa001.domain.local audit[3611]: AVC avc: denied { noatsecure } for pid=3611 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:37 ipa001.domain.local audit[3600]: AVC avc: denied { noatsecure } for pid=3600 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:40:37 ipa001.domain.local audit[3641]: AVC avc: denied { noatsecure } for pid=3641 comm="ntpd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=process permissive=1
Sep 14 13:40:40 ipa001.domain.local audit[3760]: AVC avc: denied { noatsecure } for pid=3760 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:40:40 ipa001.domain.local audit[3759]: AVC avc: denied { noatsecure } for pid=3759 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:40:40 ipa001.domain.local audit[3767]: AVC avc: denied { noatsecure } for pid=3767 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:40:40 ipa001.domain.local audit[3782]: AVC avc: denied { noatsecure } for pid=3782 comm="ns-slapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=1
Sep 14 13:40:48 ipa001.domain.local audit[3835]: AVC avc: denied { siginh } for pid=3835 comm="ds_systemd_ask_" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:40:48 ipa001.domain.local audit[3835]: AVC avc: denied { noatsecure } for pid=3835 comm="ds_systemd_ask_" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:41:04 ipa001.domain.local audit[4007]: AVC avc: denied { noatsecure } for pid=4007 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:41:04 ipa001.domain.local audit[4000]: AVC avc: denied { noatsecure } for pid=4000 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:41:04 ipa001.domain.local audit[4012]: AVC avc: denied { siginh } for pid=4012 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:41:04 ipa001.domain.local audit[4012]: AVC avc: denied { noatsecure } for pid=4012 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:41:04 ipa001.domain.local audit[3999]: AVC avc: denied { noatsecure } for pid=3999 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:41:05 ipa001.domain.local audit[4020]: AVC avc: denied { noatsecure } for pid=4020 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:41:05 ipa001.domain.local audit[4027]: AVC avc: denied { noatsecure } for pid=4027 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:41:07 ipa001.domain.local audit[4042]: AVC avc: denied { noatsecure } for pid=4042 comm="ns-slapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=1
Sep 14 13:41:13 ipa001.domain.local audit[4091]: AVC avc: denied { noatsecure } for pid=4091 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4149]: AVC avc: denied { noatsecure } for pid=4149 comm="krb5kdc" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=process permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4149]: AVC avc: denied { read } for pid=4149 comm="krb5kdc" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4149]: AVC avc: denied { open } for pid=4149 comm="krb5kdc" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4149]: AVC avc: denied { getattr } for pid=4149 comm="krb5kdc" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4172]: AVC avc: denied { siginh } for pid=4172 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4172]: AVC avc: denied { noatsecure } for pid=4172 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4177]: AVC avc: denied { noatsecure } for pid=4177 comm="kadmind" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kadmind_t:s0 tclass=process permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4177]: AVC avc: denied { name_bind } for pid=4177 comm="kadmind" src=961 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket permissive=1
Sep 14 13:41:17 ipa001.domain.local audit[4185]: AVC avc: denied { noatsecure } for pid=4185 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:41:19 ipa001.domain.local audit[4218]: AVC avc: denied { noatsecure } for pid=4218 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:41:19 ipa001.domain.local audit[4236]: AVC avc: denied { noatsecure } for pid=4236 comm="pkidaemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
Sep 14 13:41:19 ipa001.domain.local audit[4359]: AVC avc: denied { noatsecure } for pid=4359 comm="server" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
Sep 14 13:42:33 ipa001.domain.local audit[4600]: AVC avc: denied { siginh } for pid=4600 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:42:33 ipa001.domain.local audit[4600]: AVC avc: denied { noatsecure } for pid=4600 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:42:33 ipa001.domain.local audit[4604]: AVC avc: denied { noatsecure } for pid=4604 comm="server" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
Sep 14 13:42:34 ipa001.domain.local audit[4634]: AVC avc: denied { noatsecure } for pid=4634 comm="pkidaemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4919]: AVC avc: denied { noatsecure } for pid=4919 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4920]: AVC avc: denied { noatsecure } for pid=4920 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4927]: AVC avc: denied { noatsecure } for pid=4927 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4934]: AVC avc: denied { siginh } for pid=4934 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4934]: AVC avc: denied { noatsecure } for pid=4934 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:42:45 ipa001.domain.local audit[4939]: AVC avc: denied { noatsecure } for pid=4939 comm="certmonger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=process permissive=1
Sep 14 13:43:06 ipa001.domain.local audit[5099]: AVC avc: denied { noatsecure } for pid=5099 comm="server" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
Sep 14 13:43:09 ipa001.domain.local audit[5139]: AVC avc: denied { noatsecure } for pid=5139 comm="pkidaemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
Sep 14 13:43:48 ipa001.domain.local audit[5782]: AVC avc: denied { noatsecure } for pid=5782 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:43:48 ipa001.domain.local audit[5789]: AVC avc: denied { noatsecure } for pid=5789 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:43:48 ipa001.domain.local audit[5796]: AVC avc: denied { siginh } for pid=5796 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:43:48 ipa001.domain.local audit[5795]: AVC avc: denied { noatsecure } for pid=5795 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:00 ipa001.domain.local audit[5834]: AVC avc: denied { net_admin } for pid=5834 comm="systemctl" capability=12 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=1
Sep 14 13:44:00 ipa001.domain.local audit[5838]: AVC avc: denied { noatsecure } for pid=5838 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:44:00 ipa001.domain.local audit[5839]: AVC avc: denied { noatsecure } for pid=5839 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:44:00 ipa001.domain.local audit[5846]: AVC avc: denied { noatsecure } for pid=5846 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:44:00 ipa001.domain.local audit[5855]: AVC avc: denied { net_admin } for pid=5855 comm="systemctl" capability=12 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=1
Sep 14 13:44:01 ipa001.domain.local audit[5861]: AVC avc: denied { noatsecure } for pid=5861 comm="ns-slapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=1
Sep 14 13:44:12 ipa001.domain.local audit[5861]: AVC avc: denied { read } for pid=5861 comm="ns-slapd" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:44:12 ipa001.domain.local audit[5861]: AVC avc: denied { open } for pid=5861 comm="ns-slapd" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:44:12 ipa001.domain.local audit[5861]: AVC avc: denied { getattr } for pid=5861 comm="ns-slapd" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:44:12 ipa001.domain.local audit[5945]: AVC avc: denied { siginh } for pid=5945 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:12 ipa001.domain.local audit[5944]: AVC avc: denied { noatsecure } for pid=5944 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:21 ipa001.domain.local audit[5999]: AVC avc: denied { noatsecure } for pid=5999 comm="server" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1
Sep 14 13:44:30 ipa001.domain.local audit[6078]: AVC avc: denied { noatsecure } for pid=6078 comm="pkidaemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=process permissive=1
Sep 14 13:44:39 ipa001.domain.local audit[6366]: AVC avc: denied { noatsecure } for pid=6366 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:44:39 ipa001.domain.local audit[6370]: AVC avc: denied { siginh } for pid=6370 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:39 ipa001.domain.local audit[6370]: AVC avc: denied { noatsecure } for pid=6370 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:39 ipa001.domain.local audit[6359]: AVC avc: denied { noatsecure } for pid=6359 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:44:39 ipa001.domain.local audit[6358]: AVC avc: denied { noatsecure } for pid=6358 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:44:42 ipa001.domain.local audit[6388]: AVC avc: denied { noatsecure } for pid=6388 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:44:42 ipa001.domain.local audit[6395]: AVC avc: denied { noatsecure } for pid=6395 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:44:42 ipa001.domain.local audit[6387]: AVC avc: denied { noatsecure } for pid=6387 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:44:44 ipa001.domain.local audit[6471]: AVC avc: denied { net_admin } for pid=6471 comm="systemctl" capability=12 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=1
Sep 14 13:44:49 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=5)
Sep 14 13:44:50 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=6)
Sep 14 13:44:50 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5)
Sep 14 13:44:50 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=6)
Sep 14 13:44:50 ipa001.domain.local audit[6519]: AVC avc: denied { siginh } for pid=6519 comm="ipa-httpd-kdcpr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:50 ipa001.domain.local audit[6519]: AVC avc: denied { noatsecure } for pid=6519 comm="ipa-httpd-kdcpr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6537]: AVC avc: denied { noatsecure } for pid=6537 comm="httpd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6537]: AVC avc: denied { net_admin } for pid=6537 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6683]: AVC avc: denied { noatsecure } for pid=6683 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6682]: AVC avc: denied { noatsecure } for pid=6682 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6690]: AVC avc: denied { noatsecure } for pid=6690 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6705]: AVC avc: denied { noatsecure } for pid=6705 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:44:53 ipa001.domain.local audit[6712]: AVC avc: denied { noatsecure } for pid=6712 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:44:54 ipa001.domain.local audit[6722]: AVC avc: denied { noatsecure } for pid=6722 comm="oddjobd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=process permissive=1
Sep 14 13:44:56 ipa001.domain.local audit[6880]: AVC avc: denied { net_admin } for pid=6880 comm="systemctl" capability=12 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=1
Sep 14 13:44:56 ipa001.domain.local audit[6882]: AVC avc: denied { noatsecure } for pid=6882 comm="krb5kdc" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=process permissive=1
Sep 14 13:44:56 ipa001.domain.local audit[6882]: AVC avc: denied { read } for pid=6882 comm="krb5kdc" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:44:56 ipa001.domain.local audit[6882]: AVC avc: denied { open } for pid=6882 comm="krb5kdc" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:44:56 ipa001.domain.local audit[6882]: AVC avc: denied { getattr } for pid=6882 comm="krb5kdc" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
Sep 14 13:45:00 ipa001.domain.local audit[6921]: AVC avc: denied { noatsecure } for pid=6921 comm="ns-slapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=1
Sep 14 13:45:02 ipa001.domain.local audit[6537]: AVC avc: denied { net_admin } for pid=6537 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
Sep 14 13:46:32 ipa001.domain.local audit[7077]: AVC avc: denied { noatsecure } for pid=7077 comm="ns-slapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=1
Sep 14 13:46:32 ipa001.domain.local audit[6537]: AVC avc: denied { net_admin } for pid=6537 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
Sep 14 13:46:38 ipa001.domain.local audit[7122]: AVC avc: denied { noatsecure } for pid=7122 comm="krb5kdc" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:krb5kdc_t:s0 tclass=process permissive=1
Sep 14 13:46:40 ipa001.domain.local audit[7149]: AVC avc: denied { noatsecure } for pid=7149 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1
Sep 14 13:46:40 ipa001.domain.local audit[7157]: AVC avc: denied { noatsecure } for pid=7157 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1
Sep 14 13:46:40 ipa001.domain.local audit[7150]: AVC avc: denied { noatsecure } for pid=7150 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1
Sep 14 13:46:40 ipa001.domain.local audit[7164]: AVC avc: denied { siginh } for pid=7164 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:46:40 ipa001.domain.local audit[7164]: AVC avc: denied { noatsecure } for pid=7164 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
Sep 14 13:46:43 ipa001.domain.local audit[7198]: AVC avc: denied { noatsecure } for pid=7198 comm="httpd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
```
Sep 14 13:46:43 ipa001.domain.local audit[7198]: AVC avc: denied { net_admin } for pid=7198 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7464]: AVC avc: denied { noatsecure } for pid=7464 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7465]: AVC avc: denied { noatsecure } for pid=7465 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7482]: AVC avc: denied { noatsecure } for pid=7482 comm="ipa-dnskeysyncd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ipa_dnskey_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7486]: AVC avc: denied { siginh } for pid=7486 comm="generate-rndc-k" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7486]: AVC avc: denied { noatsecure } for pid=7486 comm="generate-rndc-k" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7489]: AVC avc: denied { siginh } for pid=7489 comm="bash" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7489]: AVC avc: denied { noatsecure } for pid=7489 comm="bash" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:46:44 ipa001.domain.local audit[7491]: AVC avc: denied { noatsecure } for pid=7491 comm="named-pkcs11" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=process permissive=1 Sep 14 13:46:51 
ipa001.domain.local audit[6433]: AVC avc: denied { read } for pid=6433 comm="gssproxy" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:51 ipa001.domain.local audit[6433]: AVC avc: denied { open } for pid=6433 comm="gssproxy" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:51 ipa001.domain.local audit[6433]: AVC avc: denied { getattr } for pid=6433 comm="gssproxy" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:52 ipa001.domain.local audit[7198]: AVC avc: denied { net_admin } for pid=7198 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Sep 14 13:46:56 ipa001.domain.local audit[7492]: AVC avc: denied { read } for pid=7492 comm="named-pkcs11" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:56 ipa001.domain.local audit[7492]: AVC avc: denied { open } for pid=7492 comm="named-pkcs11" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:56 ipa001.domain.local audit[7492]: AVC avc: denied { getattr } for pid=7492 comm="named-pkcs11" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:46:56 ipa001.domain.local audit[7492]: AVC avc: denied { setfscreate } for pid=7492 comm="named-pkcs11" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=process 
permissive=1 Sep 14 13:46:57 ipa001.domain.local audit[7581]: AVC avc: denied { noatsecure } for pid=7581 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:46:57 ipa001.domain.local audit[7574]: AVC avc: denied { noatsecure } for pid=7574 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:46:57 ipa001.domain.local audit[7573]: AVC avc: denied { noatsecure } for pid=7573 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:46:57 ipa001.domain.local audit[7591]: AVC avc: denied { noatsecure } for pid=7591 comm="sssd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7606]: AVC avc: denied { noatsecure } for pid=7606 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7613]: AVC avc: denied { noatsecure } for pid=7613 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7605]: AVC avc: denied { noatsecure } for pid=7605 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7619]: AVC avc: denied { siginh } for pid=7619 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7619]: AVC avc: denied { noatsecure } for pid=7619 comm="selinuxenabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 
tclass=process permissive=1 Sep 14 13:46:59 ipa001.domain.local audit[7627]: AVC avc: denied { noatsecure } for pid=7627 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:47:00 ipa001.domain.local audit[7653]: AVC avc: denied { siginh } for pid=7653 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:47:00 ipa001.domain.local audit[7653]: AVC avc: denied { noatsecure } for pid=7653 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:47:00 ipa001.domain.local audit[7665]: AVC avc: denied { siginh } for pid=7665 comm="fedora-domainna" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:47:00 ipa001.domain.local audit[7665]: AVC avc: denied { noatsecure } for pid=7665 comm="fedora-domainna" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:47:00 ipa001.domain.local audit[7672]: AVC avc: denied { noatsecure } for pid=7672 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:47:02 ipa001.domain.local audit[7198]: AVC avc: denied { net_admin } for pid=7198 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Sep 14 13:47:49 ipa001.domain.local audit[7721]: AVC avc: denied { noatsecure } for pid=7721 comm="ipa-dnskeysyncd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ipa_dnskey_t:s0 tclass=process permissive=1 Sep 14 13:47:50 ipa001.domain.local audit[7730]: AVC avc: denied { noatsecure } for pid=7730 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process 
permissive=1 Sep 14 13:47:50 ipa001.domain.local audit[7738]: AVC avc: denied { noatsecure } for pid=7738 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:47:55 ipa001.domain.local audit[7793]: AVC avc: denied { noatsecure } for pid=7793 comm="sssd_kcm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=1 Sep 14 13:48:02 ipa001.domain.local audit[7198]: AVC avc: denied { net_admin } for pid=7198 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Sep 14 13:48:47 ipa001.domain.local audit[7833]: AVC avc: denied { noatsecure } for pid=7833 comm="dnf" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process permissive=1 Sep 14 13:48:53 ipa001.domain.local audit[7841]: AVC avc: denied { noatsecure } for pid=7841 comm="ipa-dnskeysyncd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ipa_dnskey_t:s0 tclass=process permissive=1 Sep 14 13:48:53 ipa001.domain.local audit[7842]: AVC avc: denied { noatsecure } for pid=7842 comm="roled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=process permissive=1 Sep 14 13:50:02 ipa001.domain.local audit[7198]: AVC avc: denied { net_admin } for pid=7198 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1 Sep 14 13:52:03 ipa001.domain.local audit[7900]: AVC avc: denied { noatsecure } for pid=7900 comm="ipa-dnskeysyncd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:ipa_dnskey_t:s0 tclass=process permissive=1 Sep 14 13:53:09 ipa001.domain.local audit[7077]: AVC avc: denied { read } for pid=7077 comm="ns-slapd" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 
tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:53:09 ipa001.domain.local audit[7077]: AVC avc: denied { open } for pid=7077 comm="ns-slapd" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:53:09 ipa001.domain.local audit[7077]: AVC avc: denied { getattr } for pid=7077 comm="ns-slapd" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 Sep 14 13:53:47 ipa001.domain.local audit[7923]: AVC avc: denied { noatsecure } for pid=7923 comm="systemd-tmpfile" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=process permissive=1 Sep 14 13:53:47 ipa001.domain.local audit[7923]: AVC avc: denied { net_admin } for pid=7923 comm="systemd-tmpfile" capability=12 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:systemd_tmpfiles_t:s0 tclass=capability permissive=1 Sep 14 13:58:25 ipa001.domain.local audit[7982]: AVC avc: denied { noatsecure } for pid=7982 comm="roled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rolekit_t:s0 tclass=process permissive=1 Sep 14 13:58:25 ipa001.domain.local audit[7984]: AVC avc: denied { siginh } for pid=7984 comm="ipactl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:25 ipa001.domain.local audit[7984]: AVC avc: denied { noatsecure } for pid=7984 comm="ipactl" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:25 ipa001.domain.local audit[7987]: AVC avc: denied { noatsecure } for pid=7987 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:58:25 ipa001.domain.local 
audit[7988]: AVC avc: denied { noatsecure } for pid=7988 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:58:25 ipa001.domain.local audit[7995]: AVC avc: denied { noatsecure } for pid=7995 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:58:29 ipa001.domain.local audit[8016]: AVC avc: denied { noatsecure } for pid=8016 comm="server" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=process permissive=1 Sep 14 13:58:30 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=62280 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1 Sep 14 13:58:30 ipa001.domain.local audit[8058]: AVC avc: denied { siginh } for pid=8058 comm="sh" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:58:30 ipa001.domain.local audit[8058]: AVC avc: denied { noatsecure } for pid=8058 comm="sh" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1 Sep 14 13:58:45 ipa001.domain.local audit[8088]: AVC avc: denied { noatsecure } for pid=8088 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:58:45 ipa001.domain.local audit[8089]: AVC avc: denied { noatsecure } for pid=8089 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:58:45 ipa001.domain.local audit[8098]: AVC avc: denied { siginh } for pid=8098 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:45 ipa001.domain.local audit[8098]: AVC avc: denied 
{ noatsecure } for pid=8098 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:45 ipa001.domain.local audit[8096]: AVC avc: denied { noatsecure } for pid=8096 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:58:46 ipa001.domain.local audit[8113]: AVC avc: denied { noatsecure } for pid=8113 comm="certmonger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=process permissive=1 Sep 14 13:58:50 ipa001.domain.local audit[8228]: AVC avc: denied { siginh } for pid=8228 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:50 ipa001.domain.local audit[8228]: AVC avc: denied { noatsecure } for pid=8228 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:50 ipa001.domain.local audit[8243]: AVC avc: denied { noatsecure } for pid=8243 comm="certmonger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=process permissive=1 Sep 14 13:58:51 ipa001.domain.local audit[8329]: AVC avc: denied { noatsecure } for pid=8329 comm="sssd_kcm" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=1 Sep 14 13:58:51 ipa001.domain.local audit[8343]: AVC avc: denied { noatsecure } for pid=8343 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:58:51 ipa001.domain.local audit[8358]: AVC avc: denied { noatsecure } for pid=8358 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:58:52 ipa001.domain.local audit[638]: USER_AVC pid=638 
uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=7) Sep 14 13:58:54 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=8) Sep 14 13:58:54 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) Sep 14 13:58:54 ipa001.domain.local audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=8) Sep 14 13:58:54 ipa001.domain.local audit[8471]: AVC avc: denied { noatsecure } for pid=8471 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:58:54 ipa001.domain.local audit[8470]: AVC avc: denied { noatsecure } for pid=8470 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:58:54 ipa001.domain.local audit[8482]: AVC avc: denied { siginh } for pid=8482 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:54 ipa001.domain.local audit[8482]: AVC avc: denied { noatsecure } for pid=8482 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:54 ipa001.domain.local audit[8478]: AVC avc: denied { noatsecure } for pid=8478 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:58:58 ipa001.domain.local audit[8678]: AVC avc: denied { noatsecure } for pid=8678 comm="chronyd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:chronyd_t:s0 
tclass=process permissive=1 Sep 14 13:58:59 ipa001.domain.local audit[8698]: AVC avc: denied { siginh } for pid=8698 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:58:59 ipa001.domain.local audit[8698]: AVC avc: denied { noatsecure } for pid=8698 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1 Sep 14 13:59:02 ipa001.domain.local audit[8825]: AVC avc: denied { noatsecure } for pid=8825 comm="nfs-server-gene" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=process permissive=1 Sep 14 13:59:02 ipa001.domain.local audit[8845]: AVC avc: denied { noatsecure } for pid=8845 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:03 ipa001.domain.local audit[8853]: AVC avc: denied { rlimitinh } for pid=8853 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1 Sep 14 13:59:03 ipa001.domain.local audit[8853]: AVC avc: denied { siginh } for pid=8853 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1 Sep 14 13:59:03 ipa001.domain.local audit[8853]: AVC avc: denied { noatsecure } for pid=8853 comm="iptables-restor" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=1 Sep 14 13:59:03 ipa001.domain.local audit[8869]: AVC avc: denied { noatsecure } for pid=8869 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1 Sep 14 13:59:03 ipa001.domain.local audit[8861]: AVC avc: denied { noatsecure } for pid=8861 comm="lvm2-activation" scontext=system_u:system_r:init_t:s0 
tcontext=system_u:system_r:lvm_t:s0 tclass=process permissive=1 Sep 14 13:59:21 ipa001.domain.local audit[8885]: AVC avc: denied { noatsecure } for pid=8885 comm="agetty" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8885]: AVC avc: denied { read write } for pid=8885 comm="login" path="socket:[73983]" dev="sockfs" ino=73983 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8885]: AVC avc: denied { rlimitinh } for pid=8885 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8885]: AVC avc: denied { siginh } for pid=8885 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8885]: AVC avc: denied { noatsecure } for pid=8885 comm="login" scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8886]: AVC avc: denied { read write } for pid=8886 comm="unix_chkpwd" path="/dev/tty6" dev="devtmpfs" ino=10114 scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8886]: AVC avc: denied { rlimitinh } for pid=8886 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8886]: AVC avc: denied { siginh } for pid=8886 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:25 ipa001.domain.local audit[8886]: AVC avc: denied { noatsecure } for pid=8886 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:26 ipa001.domain.local audit[8885]: AVC avc: denied { net_admin } for pid=8885 comm="login" capability=12 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=capability permissive=1 Sep 14 13:59:26 ipa001.domain.local audit[8889]: AVC avc: denied { siginh } for pid=8889 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 Sep 14 13:59:26 ipa001.domain.local audit[8889]: AVC avc: denied { noatsecure } for pid=8889 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1 Discussed at 2017-09-14 Beta Go/No-Go meeting, acting as a blocker review meeting: https://meetbot-raw.fedoraproject.org/fedora-meeting-2/2017-09-14/f27-beta-go-no-go-meeting.2017-09-14-17.00.html . Accepted as a blocker as it prevents deployment of a release-blocking role (domain controller). *** Bug 1491868 has been marked as a duplicate of this bug. *** selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. 
https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

I am getting the following AVC with the updated selinux packages:

type=AVC msg=audit(1505758296.330:194): avc: denied { write } for pid=2979 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505758296.330:195): avc: denied { unlink } for pid=2979 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

and the install failed:

No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipapython.admintool: ERROR Configuration of client side components failed!
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Back to assigned per comment 11.

Created attachment 1327603 [details]
logs-post-selinux-policy-targeted-3.13.1-283.3-fc27 update
Logs uploaded for review.
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

openQA testing of 283.3.fc27 suggests deployment still fails (on prod, with SELinux in enforcing mode): https://openqa.fedoraproject.org/tests/143883

You can get the logs from a successful run with SELinux in permissive mode from the stg run: https://openqa.stg.fedoraproject.org/tests/163835 . The /var/log tarball is https://openqa.stg.fedoraproject.org/tests/163835/file/role_deploy_domain_controller_check-var_log.tar.gz . Examining the journal shows a whole ton of FreeIPA-ish denials, if anything, even more of 'em. Dunno what happened with the update, but it doesn't look good.

Guys, does anyone know which process created this file, "ldap_389" in temp? Thanks, Lukas.

Not sure whether I got you correctly. If not, please share the best way to capture the desired logs.
As per the logs below, the ns-slapd command is related to ldap_389:

type=AVC msg=audit(1505836957.232:1473): avc: denied { write } for pid=11734 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505836957.232:1474): avc: denied { unlink } for pid=11734 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505836957.232:1475): avc: denied { write } for pid=11734 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505836957.232:1476): avc: denied { unlink } for pid=11734 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0

|-ns-slapd(11734,`system_u:system_r:dirsrv_t:s0')
| |-{ns-slapd}(11735,`system_u:system_r:dirsrv_t:s0')
| |-{ns-slapd}(11736,`system_u:system_r:dirsrv_t:s0')
[...]
| |-{ns-slapd}(11781,`system_u:system_r:dirsrv_t:s0')
| `-{ns-slapd}(11782,`system_u:system_r:dirsrv_t:s0')

-rwxr-xr-x. 1 root root system_u:object_r:dirsrv_exec_t:s0 359032 Sep 1 18:56 /usr/sbin/ns-slapd

Created attachment 1328165 [details]
audit.log from a freshly installed system

(In reply to Dominic P Geevarghese from comment #17)

Please ignore the AVC messages in comment #17. I investigated further and found there was a /var/tmp/ldap_389 file with a different tcontext: system_u:object_r:tmp_t:s0. This AVC doesn't appear on a fresh system and it seems the correct context is set, but the attempt to set up ipa-server exited abnormally (audit.log attached for your comments). I will investigate the ipa install logs tomorrow.
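A triage helper for denials of the kind quoted in this thread (the noatsecure/siginh flood that appears after `semodule -DB`, the dirsrv_t denials on the tmp_t-labelled ldap_389 file, capability and file denials that need a real rule), as an added example rather than anything from the bug report, FreeIPA or selinux-policy. It assumes only the journal and audit.log line forms shown in this bug; the sample lines are copies of lines from the thread, embedded as a constructed input.

```python
"""Triage of SELinux AVC denials like the ones quoted in this bug.
Added example; not code from the bug report, FreeIPA or selinux-policy. It
parses both line forms seen here (journal "AVC avc: denied ..." and audit.log
"type=AVC msg=audit(...): avc: denied ..."), drops what only became visible
after `semodule -DB` (dontaudit'ed noatsecure/siginh/rlimitinh), skips
USER_AVC notices, and groups the rest by (source type, target type, class)
with a first-cut verdict so the few denials that break the install stand out."""
import re

# Normally dontaudit'ed: visible only with dontaudit rules disabled, and they
# block nothing by themselves.
DONTAUDIT_NOISE = {"noatsecure", "siginh", "rlimitinh"}
# Generic file types: a confined daemon denied on one usually means the file
# is mislabeled (e.g. created while SELinux was off) and needs restorecon.
GENERIC_FILE_TYPES = {"tmp_t", "var_t", "var_lib_t", "etc_t", "default_t",
                      "unlabeled_t"}
_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """'system_u:object_r:tmp_t:s0' -> 'tmp_t'."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for anything else."""
    m = _PERMS.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line[m.end():])}
    return {
        "perms": set(m.group(1).split()) - DONTAUDIT_NOISE,
        "comm": fields.get("comm", "?"),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": fields.get("path") or fields.get("name"),
        "blocked": fields.get("permissive") == "0",  # denied in enforcing mode
    }


def verdict(group):
    """(kind, candidate CIL allow rule or None, advice) for one group."""
    src, tgt, cls = group["source"], group["target"], group["tclass"]
    rule = "(allow %s %s (%s (%s)))" % (src, tgt, cls,
                                         " ".join(sorted(group["perms"])))
    if cls == "process" and "execmem" in group["perms"]:
        return ("investigate", rule, "writable+executable memory mapping; find "
                "the library responsible before toggling a boolean such as "
                "httpd_execmem")
    if cls == "file" and tgt in GENERIC_FILE_TYPES:
        return ("relabel", None, "%s on a %s file looks mislabeled; run "
                "restorecon on it rather than widening policy" % (src, tgt))
    return ("policy", rule, "genuine policy gap; candidate rule for review")


def triage(lines):
    """Return (noise_count, findings); findings holds one dict per group."""
    groups, noise = {}, 0
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if not d["perms"]:  # only dontaudit'ed permissions were denied
            noise += 1
            continue
        key = (d["source"], d["target"], d["tclass"])
        g = groups.setdefault(key, {
            "source": key[0], "target": key[1], "tclass": key[2],
            "perms": set(), "comms": set(), "objects": set(), "blocked": False})
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        if d["object"]:
            g["objects"].add(d["object"])
        g["blocked"] = g["blocked"] or d["blocked"]
    findings = []
    for g in groups.values():
        kind, rule, advice = verdict(g)
        findings.append(dict(g, kind=kind, cil=rule, advice=advice))
    return noise, findings


# Constructed sample: lines copied from this bug, in both forms.
SAMPLE_LINES = [
    'Sep 14 13:44:42 ipa001.domain.local audit[6395]: AVC avc: denied { noatsecure } for pid=6395 comm="systemd-gpt-aut" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=process permissive=1',
    'Sep 14 13:44:50 ipa001.domain.local audit[6519]: AVC avc: denied { siginh } for pid=6519 comm="ipa-httpd-kdcpr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1',
    'Sep 14 13:44:44 ipa001.domain.local audit[6471]: AVC avc: denied { net_admin } for pid=6471 comm="systemctl" capability=12 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability permissive=1',
    "Sep 14 13:44:49 ipa001.domain.local audit[638]: USER_AVC pid=638 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=5)",
    'Sep 14 13:53:09 ipa001.domain.local audit[7077]: AVC avc: denied { read } for pid=7077 comm="ns-slapd" name="config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1',
    'Sep 14 13:53:09 ipa001.domain.local audit[7077]: AVC avc: denied { open } for pid=7077 comm="ns-slapd" path="/etc/selinux/config" dev="dm-0" ino=8691982 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1505758296.330:194): avc: denied { write } for pid=2979 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1505758296.330:195): avc: denied { unlink } for pid=2979 comm="ns-slapd" name="ldap_389" dev="vda4" ino=25260800 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1506097452.471:245): avc: denied { execmem } for pid=1132 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0',
]

if __name__ == "__main__":
    noise, findings = triage(SAMPLE_LINES)
    print("%d dontaudit-only denials ignored" % noise)
    for f in findings:
        print("[%s] %s -> %s %s %s: %s %s" % (f["kind"], f["source"], f["target"],
              f["tclass"], sorted(f["perms"]), f["advice"], f["cil"] or ""))
```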
Dominic,

Please try the following local policy:

$ cat ipa_local.cil
(allow certmonger_t certmonger_t (capability (net_admin)))
(allow httpd_t httpd_t (capability (net_admin)))
(allow systemd_tmpfiles_t systemd_tmpfiles_t (capability (net_admin)))
(allow kadmind_t hi_reserved_port_t (tcp_socket (name_bind)))

# semodule -i ipa_local.cil

Tutorial:
1. get fresh F27
2. # semodule -i ipa_local.cil
3. reproduce the scenario with ipa

Thanks, Lukas.

selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 1328504 [details]
audit.log

(In reply to Lukas Vrabec from comment #19)

Thanks. Reproduced the issue with the local policy. Uploaded audit.log.

I found which AVC is blocking the IPA installation process. Builds will be ready ASAP.

selinux-policy-3.13.1-283.4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Created attachment 1329690 [details]
audit-post-selinux-3.13.1-283.4-upgrade.log

(In reply to Lukas Vrabec from comment #22)

Great. My observations/comments on the scenarios tested are below.

Scenario 1:
1) installed freeipa-server with selinux=0
2) no error reported.
3) I could authenticate the 'admin' user over the Web GUI console.
4) rebooted the machine in SELinux enforcing mode
5) incorrect context set against the ldap_389 file:
-rw-------. 1 dirsrv dirsrv system_u:object_r:tmp_t:s0 4777 Sep 22 20:20 ldap_389
thus, I got the following denial messages:
type=AVC msg=audit(1506098126.231:272): avc: denied { write } for pid=1005 comm="ns-slapd" name="ldap_389" dev="dm-0" ino=25167106 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
6) In addition to that, WebGUI authentication failed with:
type=AVC msg=audit(1506097452.471:245): avc: denied { execmem } for pid=1132 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Scenario 2:
1) installed freeipa-server with selinux=enforcing mode
2) no error reported. Excellent!
3) however, 'admin' user authentication failed over the Web Admin portal with the following messages.
type=AVC msg=audit(1506097528.709:247): avc: denied { execmem } for pid=1134 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1fd5e1aff6

Hi Dominic,

The first scenario is not supported; you need to run the restorecon command after enabling SELinux again on your system.

For the second scenario we have a SELinux boolean to allow this:
# semanage boolean -m httpd_execmem --on

However, do we know what's going on here? Any reason why httpd needs the execmem capability?

I am not 100% sure what happens there TBH. I did find https://pagure.io/freeipa/issue/5442 pointing to https://bitbucket.org/cffi/cffi/issues/231/writeable-memory-execution-execmem-with. Also, there's https://bugzilla.redhat.com/show_bug.cgi?id=1249685#c37 so this MAY be fixed in RHEL. From what I gather, this may be a bug in python-cffi although, again, I cannot be certain.

Per bz1277224 the fix for a similar alert in a freeipa environment is supposed to be available with the latest python-cffi and python-cryptography packages. Appreciate any pointers as this is a blocker bz.

Do you have PyOpenSSL installed on the machine? It is very likely that 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch is no longer effective.
In the past urllib3 was bundled with python-requests. Recently upstream requests stopped bundling urllib3 and now uses the default upstream package. A related problem was fixed in https://github.com/freeipa/freeipa/commit/623ec6c037e44e4f7bc487c9a9e2462a24b154f7.

Please try:
1) Edit `/usr/share/ipa/wsgi.py` and change `sys.modules['requests.packages.urllib3.contrib.pyopenssl'] = None` to `sys.modules['urllib3.contrib.pyopenssl'] = None`.
2) Restart Apache HTTPD

0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch should be integrated into FreeIPA.

(In reply to Christian Heimes from comment #29)

Yes, the following packages got installed:
python3-pyOpenSSL-17.2.0-2.fc27.noarch
python2-pyOpenSSL-17.2.0-2.fc27.noarch

It seems the steps tried couldn't solve the issue. Also, I have noticed the following lines in error_log upon httpd reload:

[wsgi:error] [pid 4807:tid 140662673946880] ipa: ERROR: Failed to start IPA: 'NoneType' object has no attribute 'inject_into_urllib3'
[wsgi:error] [pid 4806:tid 140662673946880] ipa: ERROR: Failed to start IPA: 'NoneType' object has no attribute 'inject_into_urllib3'
[wsgi:debug] [pid 4807:tid 140662163425024] src/server/mod_wsgi.c(8860): mod_wsgi (pid=4807): Started thread 0 in daemon process 'ipa'.
[wsgi:debug] [pid 4806:tid 140662163425024] src/server/mod_wsgi.c(8860): mod_wsgi (pid=4806): Started thread 0 in daemon process 'ipa'.
[auth_gssapi:error] [pid 4808:tid 140661579802368] [client 192.168.125.1:51466] NO AUTH DATA Client did not send any authentication headers, referer: https://bz1491508-dnfupgraded.infra.example.ae/ipa/ui/

upon login:

[wsgi:error] [pid 4806:tid 140662163425024] [remote 192.168.125.1:51466] mod_wsgi (pid=4806): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.

Additional Info:
OK, modified the line in wsgi.py as below (I believe the SNI check is disabled?) and reloaded the http service. Then I could log in over the Web GUI and no selinux alerts were reported.
sys.modules['urllib3.contrib'] = None

No action pending at the QA side. We need to make progress on this as this is a blocker bz. Per comment #29 some changes at the IPA side are inevitable and thus, moving to freeipa for the dev folks' attention.

"sys.modules['urllib3.contrib'] = None" is too broad. It also blocks features like chardet and idna. "sys.modules['OpenSSL.SSL'] = None" blocks just PyOpenSSL's ssl module. It should work under Python 2 and 3 with old and new requests.

(In reply to Christian Heimes from comment #33)

Excellent. Thanks, I made the changes per suggestion. Both IPA installation and Web login worked well under selinux enforcing mode. No error reported. We are in good shape to push this patch upstream?

(In reply to Dominic P Geevarghese from comment #34)

The line "sys.modules['urllib3.contrib.pyopenssl'] = None" should have worked. It's a bug in CPython 3.6. I have created an upstream bug and talked to Brett. He is the maintainer of the import machinery. https://bugs.python.org/issue31642

I'm unable to confirm the success in #34. I installed from the F-27 1.5 iso and the only thing I needed to update was selinux from https://koji.fedoraproject.org/koji/buildinfo?buildID=976951 which is pending going into updates-testing. This solved being unable to communicate with Apache with the message:

error GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://ipa.example.com/ipa/xml

I installed the update directly via:
# rpm -Uvh https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/283.5.fc27/noarch/selinux-policy-3.13.1-283.5.fc27.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/3.13.1/283.5.fc27/noarch/selinux-policy-targeted-3.13.1-283.5.fc27.noarch.rpm

I made no changes to wsgi.py and the installation was successful and spot-checking from the cli works.
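The mechanism the comments above rely on is that a `None` entry in `sys.modules` makes any later import of that name raise `ImportError`, so an optional dependency guarded by `try: import ... except ImportError` silently stays disabled. The example below, added for this page and not taken from FreeIPA's wsgi.py or from requests, builds a throwaway package named `optpkg` (a stand-in for urllib3, with `optpkg.contrib.pyssl` standing in for `urllib3.contrib.pyopenssl` and `optpkg.contrib.charset` for an unrelated contrib module) and shows why blocking the single submodule is the right granularity while blocking `optpkg.contrib` as a whole also knocks out the unrelated module, which is the "too broad" objection raised in comment #33. It uses `importlib.import_module` with the dotted name; the `from pkg import submodule` form is the one affected by the CPython 3.6 issue cited in the thread, and the example does not depend on that form. All package and function names are this example's assumptions.

```python
"""Added example (not FreeIPA or requests code): how sys.modules[name] = None
disables an optional import, and why the blocked name should be as narrow
as possible.

Constructed package layout, written to a temporary directory:
  optpkg/__init__.py
  optpkg/contrib/__init__.py
  optpkg/contrib/pyssl.py     # stand-in for urllib3.contrib.pyopenssl
  optpkg/contrib/charset.py   # stand-in for an unrelated contrib module
"""
import importlib
import os
import shutil
import sys
import tempfile

PKG_FILES = {
    "optpkg/__init__.py": "",
    "optpkg/contrib/__init__.py": "",
    "optpkg/contrib/pyssl.py": "def inject():\n    return 'injected'\n",
    "optpkg/contrib/charset.py": "def detect():\n    return 'utf-8'\n",
}


def build_package(root):
    """Write the constructed package tree under root."""
    for rel, body in PKG_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    importlib.invalidate_caches()


def purge(prefix):
    """Forget optpkg and all its submodules, including None markers."""
    for name in list(sys.modules):
        if name == prefix or name.startswith(prefix + "."):
            del sys.modules[name]


def try_import(modname):
    """The optional-dependency pattern: import it, or do without."""
    try:
        return importlib.import_module(modname)
    except ImportError:          # ModuleNotFoundError is a subclass
        return None


def probe(block):
    """Apply one sys.modules block and report what is still importable."""
    purge("optpkg")
    if block is not None:
        sys.modules[block] = None
    pyssl = try_import("optpkg.contrib.pyssl")
    charset = try_import("optpkg.contrib.charset")
    return {
        "pyssl": pyssl is not None,
        "charset": charset is not None,
        # the call a guarded "inject" hook would make if the import succeeded
        "injected": pyssl.inject() if pyssl is not None else None,
    }


def run_all():
    """Compare no block, a narrow block and an over-broad block."""
    root = tempfile.mkdtemp()
    build_package(root)
    sys.path.insert(0, root)
    try:
        return {
            "no block": probe(None),
            "block submodule": probe("optpkg.contrib.pyssl"),
            "block whole contrib": probe("optpkg.contrib"),
        }
    finally:
        purge("optpkg")
        sys.path.remove(root)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, result in run_all().items():
        print(label, result)
```

With no block both modules import and the inject hook runs; blocking `optpkg.contrib.pyssl` leaves `charset` importable while the hook never runs; blocking `optpkg.contrib` disables both, which is the collateral damage the narrower `sys.modules['OpenSSL.SSL'] = None` suggestion avoids.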
selinux-policy-3.13.1-283.4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Short summary: probably the last bit, we need a fix for 'IPA Web browser Login failure'. IPA 'admin' user login is denied by selinux with the alert http {execmem} (comment #24), though it is possible to adjust the selinux boolean (comment #26). However, the real cause lies in the IPA script (comment #33 and comment #34).

(In reply to Rob Crittenden from comment #36)
> I made no changes to wsgi.py and the installation was successful and
> spot-checking from the cli works.

Would you mind checking 'admin' login over the Web GUI?

Works for me.

openQA isn't testing this in 'real world' usage at present due to https://bugzilla.redhat.com/show_bug.cgi?id=1491053 . Once that's fixed we'll be able to tell if there are any denials when openQA tries to log into the web UI.

I tried running the openQA tests with the update that fixes #1491053 applied, and SELinux in enforcing mode: indeed login to the webUI fails in that case, see:
https://openqa.stg.fedoraproject.org/tests/182884#step/freeipa_webui/5
"Login failed due to an unknown reason."

Server journal shows an httpd execmem denial:
Oct 16 15:46:27 ipa001.domain.local audit[7237]: AVC avc: denied { execmem } for pid=7237 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

However, the reported issue with server *deployment* is indeed fixed, so perhaps we should track this in a new report now?

Moving to the new server-specific blocker tracker I just created.

freeipa-4.6.1-2.fc27 still has the old, non-working version of 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch. The patch needs to be updated to block PyOpenSSL with the latest python-requests in F27. I don't have permission to change it myself.
Current effort in fixing it is tracked with https://github.com/freeipa/freeipa/pull/1158

Patch reviewed and tested upstream, fixed in freeipa-4.6.1-3.fc27

freeipa-4.6.1-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd9748d8f1

Sweet. This works fine.

freeipa-4.6.1-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd9748d8f1

Confirmed, 4.6.1-3 finally fixes everything.

Fixed upstream
ipa-4-5: https://pagure.io/freeipa/c/e527dd17e89c0826d55d4a214c176fb00e383eef
ipa-4-6: https://pagure.io/freeipa/c/52dd5e138b7ebec68c7280122b1284648bd4117b
master: https://pagure.io/freeipa/c/dea059d158efe82ba71fe4e4669adb7caf45bc9f

freeipa-4.6.1-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.