Bug 1730144
| Summary: | AVC seen executing /usr/libexec/certmonger/ipa-submit | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Xiyang Dong <xdong> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.1 | CC: | abokovoy, ksiddiqu, lvrabec, mmalik, mmarusak, mvarun, plautrba, sgadekar, sgoveas, ssekidde, ssidhaye, tdudlak, twoerner, xdong, yoyang, zpytela |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker |
| Target Release: | 8.1 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:12:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Xiyang Dong
2019-07-16 01:21:43 UTC
Following SELinux denial appeared multiple times in results of the test job:
----
time->Mon Jul 15 17:45:27 2019
type=PROCTITLE msg=audit(1563227127.635:1816): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E6364
type=PATH msg=audit(1563227127.635:1816): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563227127.635:1816): cwd="/"
type=SYSCALL msg=audit(1563227127.635:1816): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55b84686cdd0 a2=0 a3=0 items=1 ppid=1 pid=12055 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1563227127.635:1816): avc: denied { search } for pid=12055 comm="ipa-dnskeysyncd" name="krb5" dev="vda1" ino=327195 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----
*** Bug 1731066 has been marked as a duplicate of this bug. *** *** Bug 1731160 has been marked as a duplicate of this bug. *** Lukas, There are some additional avc denial in closed duplicate bug https://bugzilla.redhat.com/show_bug.cgi?id=1731160#c0 Please have a look at those too. @Kaleem, These are same SELinux denials. resetting the needinfo to Alexander. ipa_dnskey_t context is using Kerberos client keytab and has to have access to its own keytab. This is OK. *** Bug 1734399 has been marked as a duplicate of this bug. *** We have a new bug using selinux-policy-3.14.3-13.el8.noarch that seems to be related to this one: https://bugzilla.redhat.com/show_bug.cgi?id=1738271 *** Bug 1738271 has been marked as a duplicate of this bug. *** commit 6ad5267f708da377916e466babc13865c9ebdb16 (HEAD -> rhel8.1-contrib, origin/rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date: Fri Aug 9 15:38:45 2019 +0200
Allow ipa_dnskey_t domain to read kerberos keytab
Resolves: rhbz#1730144
*** Bug 1740540 has been marked as a duplicate of this bug. *** *** Bug 1740642 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |