Bug 1603135
| Summary: | AVC denials seen during install of ipa-server | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikhil Dehadrai <ndehadra> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde, sumenon |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 10:07:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

*** Bug 1605174 has been marked as a duplicate of this bug. ***

AVC denials are no longer seen during ipa-server-install. Refer to comment #3 in bz1611413.

Tested on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using:

ipa-server-4.6.4-5.el7.x86_64
389-ds-base-1.3.8.4-10.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
selinux-policy-3.13.1-215.el7.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Created attachment 1459954: Complete AVC log

Description of problem:
AVC denials seen in quickinstall job for ipa-server

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-207.el7.noarch

How reproducible:
Always

Actual results:
Snippet for errors mentioned below, entire AVC log is shared in attachment.

```
Info: Searching AVC errors produced since 1531987764.02 (Thu Jul 19 13:39:24 2018)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 07/19/2018 13:39:24 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.PNEHIi 2>&1'
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:402): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:402): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:402): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:402): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f0950 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:402): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:403): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:403): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:403): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:403): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:403): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:404): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:404): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:404): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:404): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:404): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jul 19 13:43:15 2018
type=PROCTITLE msg=audit(1531987995.400:405): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1531987995.400:405): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1531987995.400:405): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1531987995.400:405): arch=c000003e syscall=2 success=no exit=-13 a0=7f7ae24f4b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=17438 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1531987995.400:405): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.PNEHIi | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.puFdl8 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-207.el7.noarch
```

Expected results:
No AVC denials should be observed
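
An added example, not part of the bug report or the test harness: a triage helper for ausearch output like the above that groups AVC denials by source type, target type, class and permission, attaches the PATH names from the same audit event, and decodes the hex-encoded proctitle. The function names and the trimmed sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: events 402 and 403 from this report, reduced to the
# records used below; the PROCTITLE hex is cut to its first two arguments.
SAMPLE = """\
type=PROCTITLE msg=audit(1531987995.400:402): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365
type=PATH msg=audit(1531987995.400:402): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN
type=AVC msg=audit(1531987995.400:402): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1531987995.400:403): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365
type=PATH msg=audit(1531987995.400:403): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN
type=AVC msg=audit(1531987995.400:403): avc: denied { search } for pid=17438 comm="java" name="/" dev="tmpfs" ino=7238 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
"""

EVENT = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NUL separators."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode('utf-8', 'replace').replace('\x00', ' ')
    return value.strip('"')

def summarize(log_text):
    """Group denials by (source type, target type, class, perms)."""
    events = defaultdict(dict)  # audit serial -> {record type: record body}
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            events[m.group(3)][m.group(1)] = m.group(4)
    groups = defaultdict(lambda: {'paths': [], 'proctitle': None})
    for recs in events.values():
        m = AVC.search(recs.get('AVC', ''))
        if not m:
            continue  # event carries no denial
        perms, scon, tcon, tclass = m.groups()
        key = (scon.split(':')[2], tcon.split(':')[2], tclass, perms.strip())
        path = re.search(r'name="([^"]*)"', recs.get('PATH', ''))
        if path:
            groups[key]['paths'].append(path.group(1))
        if 'PROCTITLE' in recs:
            groups[key]['proctitle'] = decode_proctitle(recs['PROCTITLE'].split('=', 1)[1])
    return dict(groups)

if __name__ == '__main__':
    for key, info in summarize(SAMPLE).items():
        print(key, info['paths'], info['proctitle'], sep='\n  ')
```

Grouping this way collapses the repeated records into a single denial tuple with the list of cgroup files the process tried to open, which is the unit to compare against the policy shipped in a given selinux-policy build.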