Bug 1804958
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | denied { search } for pid=XXX comm="certmonger" name="opencryptoki" (breaks FreeIPA) | | |
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | abokovoy, dwalsh, grepl.miroslav, lslebodn, lvrabec, plautrba, robatino, vmojzis, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | openqa | | |
| Fixed In Version: | selinux-policy-3.14.6-5.fc33 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-22 16:21:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1705303 | | |
Note: this may also hit fresh FreeIPA deployments on F32/Rawhide; I can't tell yet because those tests are failing earlier due to some silly fedora-repos shenanigans I won't bore you with here. We should be able to tell with the next composes.

commit f7a21a9f173e1c8071718b1dea40eed2271c284d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date: Thu Feb 20 15:20:04 2020 +0100

    Allow certmonger_t domain to read pkcs_slotd lock files
I reported this bug 3 months ago, but the FreeIPA folks did not invest a lot of time in an explanation: https://bugzilla.redhat.com/show_bug.cgi?id=1772445
openQA FreeIPA upgrade test in current Rawhide (tests upgrade from Fedora 31 to Rawhide) is hitting a repeated SELinux denial which seems to break the upgrade process:

Feb 19 09:17:41 ipa001.domain.local audit[971]: AVC avc: denied { search } for pid=971 comm="certmonger" name="opencryptoki" dev="tmpfs" ino=26947 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0

I'm assuming this will hit F32 as well for now (can't tell yet, as all F32 composes so far have had the Plymouth bug, which caused this test to fail earlier). So proposing as a Beta blocker as a violation of "It must be possible to successfully complete a direct upgrade from a fully updated installation of each of the last two stable Fedora Server releases with the system configured as a FreeIPA domain controller or postgresql server as specified in the relevant criteria." If this turns out *not* to be affecting F32 once we get a testable compose, I'll withdraw the nomination.
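The AVC record quoted in the report carries everything needed to see why it breaks the upgrade and what a policy fix has to grant: the source domain (the type field of `scontext`), the target type (`tcontext`), the object class and permission in braces, and `permissive=0`, which means the access was actually refused rather than just logged. The following is an added example, not code from the bug report or from selinux-policy, that parses such records and collapses them into the `allow` rules audit2allow would print (the real fix went into the shipped policy via the commit above; the rules here are only what the denials themselves ask for). The second record is constructed for illustration and does not appear in the bug; its file name is a placeholder.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The AVC record quoted in the bug report (journald prefix kept as shown there).
REPORTED_AVC = (
    'Feb 19 09:17:41 ipa001.domain.local audit[971]: AVC avc: denied { search } '
    'for pid=971 comm="certmonger" name="opencryptoki" dev="tmpfs" ino=26947 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0'
)

# Constructed follow-on record (NOT from the bug): a read of a lock file under that
# directory as it would look in permissive mode. The file name is a placeholder.
CONSTRUCTED_AVC = (
    'Feb 19 09:17:42 ipa001.domain.local audit[971]: AVC avc: denied { read } '
    'for pid=971 comm="certmonger" name="example.lock" dev="tmpfs" ino=26950 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1'
)

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str   # "denied" or "granted"
    perms: tuple   # permissions inside the braces, e.g. ("search",)
    fields: dict   # pid, comm, name, scontext, tcontext, tclass, permissive, ...

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is the third field.
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self) -> str:
        return self.fields['tclass']

    @property
    def enforced(self) -> bool:
        # permissive=0: the access was refused. permissive=1: logged only.
        return self.fields.get('permissive') == '0'


def parse_avc(line: str) -> AvcRecord:
    m = AVC_RE.search(line)
    if not m:
        raise ValueError(f'not an AVC record: {line!r}')
    fields = {}
    for key, raw in KV_RE.findall(m.group('rest')):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError(f'AVC record missing {required}: {line!r}')
    return AvcRecord(m.group('verdict'), tuple(m.group('perms').split()), fields)


def allow_rule(source: str, target: str, tclass: str, perms) -> str:
    """Render one TE allow rule; braces only when more than one permission."""
    perms = sorted(set(perms))
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source} {target}:{tclass} {body};'


def rules_for(records) -> list:
    """Collapse denials into one allow rule per (source, target, class),
    the same grouping audit2allow performs."""
    grouped = defaultdict(set)
    for r in records:
        if r.verdict != 'denied':
            continue
        grouped[(r.source_type, r.target_type, r.tclass)].update(r.perms)
    return [allow_rule(s, t, c, p) for (s, t, c), p in sorted(grouped.items())]


if __name__ == '__main__':
    recs = [parse_avc(REPORTED_AVC), parse_avc(CONSTRUCTED_AVC)]
    for r in recs:
        mode = 'enforcing (blocked)' if r.enforced else 'permissive (logged only)'
        print(f'{r.fields["comm"]}: {r.source_type} -> {r.target_type}:{r.tclass} '
              f'{" ".join(r.perms)} [{mode}]')
    for rule in rules_for(recs):
        print(rule)
```

The `search` permission on the `dir` class is what a process needs to traverse a directory on the way to a file inside it, which is why a denial that names only the `opencryptoki` directory is enough to stop certmonger from ever reaching the lock file. In a distribution policy such grants are normally expressed through the target module's interface rather than a raw `allow` line; the generated rules are useful for confirming what the denial is asking for, not as a drop-in replacement for the packaged fix.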