Bug 1603135

Summary: AVC denials seen during install of ipa-server

Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Regression
Reporter: Nikhil Dehadrai <ndehadra>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
Docs Contact:
CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, sumenon
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:07:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Complete AVC log (Flags: none)

Description Nikhil Dehadrai 2018-07-19 09:32:19 UTC
Created attachment 1459954: Complete AVC log

Description of problem:
AVC denials seen in quickinstall job for ipa-server 

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-207.el7.noarch

How reproducible:
Always

Actual results: A snippet of the errors is shown below; the entire AVC log is shared in the attachment.

Info: Searching AVC errors produced since 1531987764.02 (Thu Jul 19 13:39:24 2018)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/19/2018 13:39:24 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.PNEHIi 2>&1'
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:402): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:402): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:402):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:402): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f0950 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:402): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:403): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:403): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:403):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:403): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:403): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:404): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:404): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:404):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:404): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:404): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:405): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:405): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:405):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:405): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:405): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----


Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.PNEHIi | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.puFdl8 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-207.el7.noarch


Expected results:
No AVC denials should be observed

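The four records above are one denial repeated for four cgroup files, which is easiest to see once the ausearch output is grouped the way audit2allow groups it. The following Python is an added triage helper written for this page; it is not Red Hat's or the reporter's code, and it embeds the audit records copied from the report above (event 402 with all of its records, events 403 to 405 with only their PATH and AVC records) as its sample input. It groups records by audit serial, decodes the hex PROCTITLE into argv, collapses the denials into (source type, target type, class, permissions) keys, and prints the audit2allow-style allow rule those keys imply. The rule it emits is what a local policy module would need, not necessarily the change that shipped in selinux-policy.

```python
"""Triage ausearch output: group AVC denials, decode PROCTITLE, emit
audit2allow-style rules.  Added example for this bug page; not Red Hat code."""
import re
from collections import defaultdict

# Records copied from the bug report (events 402-405).  Only event 402 keeps its
# PROCTITLE, CWD and SYSCALL lines here; 403-405 keep PATH and AVC only.
SAMPLE_AUDIT = r"""
type=PROCTITLE msg=audit(1531987995.400:402): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:402): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:402):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:402): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f0950 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:402): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1531987995.400:403): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=AVC msg=audit(1531987995.400:403): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1531987995.400:404): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=AVC msg=audit(1531987995.400:404): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1531987995.400:405): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=AVC msg=audit(1531987995.400:405): avc:  denied  { search } for  pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_fields(body):
    """Turn 'k=v k="quoted v" ...' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def decode_proctitle(hexstr):
    """PROCTITLE is NUL-separated argv, hex-encoded because it contains NULs.
    The kernel caps the record at 128 bytes, so the last argument may be cut."""
    raw = bytes.fromhex(hexstr)
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def parse_audit(text):
    """Group records by audit serial so the AVC, SYSCALL, PATH and PROCTITLE
    records of one syscall land together (what ausearch shows between '----')."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        ev = events[int(serial)]
        fields = parse_fields(body)
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            ev["avc"] = fields
            ev["perms"] = tuple(sorted(pm.group(1).split())) if pm else ()
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "PROCTITLE":
            ev["argv"] = decode_proctitle(fields["proctitle"])
        else:
            ev[rtype.lower()] = fields
    return dict(events)


def summarize(events):
    """Collapse events into (source type, target type, class, perms) keys, the
    aggregation audit2allow performs, keeping counts and the paths touched."""
    summary = {}
    for _serial, ev in sorted(events.items()):
        avc = ev.get("avc")
        if not avc:
            continue
        key = (avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2],
               avc["tclass"], ev["perms"])
        entry = summary.setdefault(key, {"count": 0, "paths": set(), "enforced": True})
        entry["count"] += 1
        entry["paths"].update(p for p in ev["paths"] if p)
        # permissive=1 means the denial was only logged and the syscall went through
        if avc.get("permissive") == "1":
            entry["enforced"] = False
    return summary


def allow_rules(summary):
    """Emit the allow rules audit2allow would print for these denials.  This is
    what a local module (.te) would need; the fix that ships in selinux-policy
    may instead go through an interface, a boolean or a relabel."""
    rules = []
    for src, tgt, cls, perms in summary:
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for key, e in summarize(evs).items():
        print(key, e["count"], "hit(s), enforced:", e["enforced"], sorted(e["paths"]))
    print("\n".join(allow_rules(summarize(evs))))
    print(evs[402]["argv"])
```

On the records from this report the four events collapse to a single key (tomcat_t, cgroup_t, dir, search) with permissive=0 and exit=-13, i.e. the open() really failed under enforcing mode, and the decoded PROCTITLE shows the denied process was java started with -DRESTEASY_LIB=/usr/share/java/resteasy-base and -Djava.library.path=/usr/lib64/nuxwdog-jni. On a live host the same triage is `ausearch -m AVC -ts recent | audit2allow -w` to see why a rule is missing and `audit2allow -a -M local && semodule -i local.pp` to carve a temporary module; for this bug the right remediation is the selinux-policy update recorded in the comments below rather than a permanent local allow on cgroup_t.
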
Comment 4 Lukas Vrabec 2018-07-20 11:50:47 UTC
*** Bug 1605174 has been marked as a duplicate of this bug. ***

Comment 6 Sudhir Menon 2018-08-21 07:48:37 UTC
AVC denials are no longer seen during ipa-server-install.
Refer to comment #3 in bz1611413.

Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using
ipa-server-4.6.4-5.el7.x86_64
389-ds-base-1.3.8.4-10.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
selinux-policy-3.13.1-215.el7.noarch

Comment 10 errata-xmlrpc 2018-10-30 10:07:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111