Bug 1731160

Summary: AVC denials noticed during quickinstall and ipa-ctl
Product: Red Hat Enterprise Linux 8
Reporter: Varun Mylaraiah <mvarun>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Regression
Target Release: 8.0
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-07-18 15:51:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Varun Mylaraiah 2019-07-18 13:20:25 UTC
Description of problem:
AVC denials noticed during quickinstall and ipa-ctl

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-11.el8.noarch
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-11.el8.noarch

Actual results:

time->Wed Jul 17 15:04:49 2019
type=PROCTITLE msg=audit(1563390289.846:1515): proctitle="/usr/libexec/certmonger/ipa-submit"
type=PATH msg=audit(1563390289.846:1515): item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390289.846:1515): cwd="/"
type=SYSCALL msg=audit(1563390289.846:1515): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=557d11d83f20 a2=0 a3=0 items=1 ppid=31338 pid=31341 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1563390289.846:1515): avc:  denied  { search } for  pid=31341 comm="ipa-submit" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

time->Wed Jul 17 15:08:24 2019
type=PROCTITLE msg=audit(1563390504.540:1631): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
type=PATH msg=audit(1563390504.540:1631): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390504.540:1631): cwd="/"
type=SYSCALL msg=audit(1563390504.540:1631): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5648ae31c240 a2=0 a3=0 items=1 ppid=2503 pid=2587 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysync-" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1563390504.540:1631): avc:  denied  { search } for  pid=2587 comm="ipa-dnskeysync-" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----


time->Wed Jul 17 15:08:42 2019
type=PROCTITLE msg=audit(1563390522.037:1633): proctitle=2F7573722F6C6962657865632F737373642F737373645F6265002D2D646F6D61696E007465737472656C6D2E74657374002D2D7569640030002D2D6769640030002D2D6C6F676765723D66696C6573
type=PATH msg=audit(1563390522.037:1633): item=0 name="/var/kerberos/krb5/user/0/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390522.037:1633): cwd="/"
type=SYSCALL msg=audit(1563390522.037:1633): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55f16cf1c730 a2=0 a3=0 items=1 ppid=1511 pid=1516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1563390522.037:1633): avc:  denied  { search } for  pid=1516 comm="sssd_be" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

time->Wed Jul 17 15:09:40 2019
type=PROCTITLE msg=audit(1563390580.392:1703): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
type=PATH msg=audit(1563390580.392:1703): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390580.392:1703): cwd="/"
type=SYSCALL msg=audit(1563390580.392:1703): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=563dffb253e0 a2=0 a3=0 items=1 ppid=7867 pid=8683 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysync-" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1563390580.392:1703): avc:  denied  { search } for  pid=8683 comm="ipa-dnskeysync-" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

time->Wed Jul 17 15:09:51 2019
type=PROCTITLE msg=audit(1563390591.589:1732): proctitle=2F7573722F7362696E2F6E616D65642D706B63733131002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=PATH msg=audit(1563390591.589:1732): item=0 name="/var/kerberos/krb5/user/25/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390591.589:1732): cwd="/var/named"
type=SYSCALL msg=audit(1563390591.589:1732): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ff0ad7ce450 a2=0 a3=0 items=1 ppid=9328 pid=9330 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1563390591.589:1732): avc:  denied  { search } for  pid=9330 comm="isc-worker0000" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

time->Wed Jul 17 15:10:08 2019
type=PROCTITLE msg=audit(1563390608.583:1756): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E6364
type=PATH msg=audit(1563390608.583:1756): item=0 name="/var/kerberos/krb5/user/991/client.keytab" nametype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1563390608.583:1756): cwd="/"
type=SYSCALL msg=audit(1563390608.583:1756): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fb4562e240 a2=0 a3=0 items=1 ppid=1 pid=9927 auid=4294967295 uid=991 gid=25 euid=991 suid=991 fsuid=991 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1563390608.583:1756): avc:  denied  { search } for  pid=9927 comm="ipa-dnskeysyncd" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
----

Expected results:
No AVC denials should be observed
Additional info:

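As an added triage example (not code from the bug report or from selinux-policy), the Python below parses the audit records quoted above, decodes the hex-encoded PROCTITLE values, collapses the repeated serial 1515 into a single event, and reduces the denials to the distinct allow rules a policy change must cover, the same tuples audit2allow derives from such input. All sample input is copied from the report; nothing else is assumed.

```python
# Added triage example, not code from the bug report or from selinux-policy.
import re

# Sample input copied from the report above; serial 1515 is pasted twice
# there, so it appears twice here to show deduplication by audit serial.
AUDIT_SAMPLE = """\
type=PROCTITLE msg=audit(1563390289.846:1515): proctitle="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1563390289.846:1515): avc:  denied  { search } for  pid=31341 comm="ipa-submit" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1563390504.540:1631): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D45002F7573722F6C6962657865632F6970612F6970612D646E736B657973796E632D7265706C696361
type=AVC msg=audit(1563390504.540:1631): avc:  denied  { search } for  pid=2587 comm="ipa-dnskeysync-" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1563390289.846:1515): proctitle="/usr/libexec/certmonger/ipa-submit"
type=AVC msg=audit(1563390289.846:1515): avc:  denied  { search } for  pid=31341 comm="ipa-submit" name="krb5" dev="vda1" ino=337627 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
AVC_RE = re.compile(r'denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv has NUL separators, else quotes it."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode('utf-8', 'replace').replace('\x00', ' ')

def parse_events(text):
    """Group records by audit serial; a serial seen again is the same event."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == 'PROCTITLE':
            ev['cmdline'] = decode_proctitle(body.split('=', 1)[1])
        elif rtype == 'AVC':
            a = AVC_RE.search(body)
            if a:  # context is user:role:type:level; keep the type only
                perms, sctx, tctx, tclass = a.groups()
                ev['denial'] = (sctx.split(':')[2], tctx.split(':')[2], tclass, perms.split())
    return events

def candidate_rules(events):
    """Distinct (stype, ttype, class, perm) tuples as TE allow rules a fix must cover."""
    seen = {}
    for ev in events.values():
        if 'denial' in ev:
            stype, ttype, tclass, perms = ev['denial']
            for perm in perms:
                seen[(stype, ttype, tclass, perm)] = None
    return ['allow %s %s:%s %s;' % key for key in seen]
```

Loading the generated rules as a local module is only a stopgap for a test box; the bug was closed as a duplicate, so the real fix lands in the selinux-policy package.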
Comment 1 Lukas Vrabec 2019-07-18 15:51:48 UTC

*** This bug has been marked as a duplicate of bug 1730144 ***