Bug 1894132
| Field | Value |
|---|---|
| Summary | SELinux prevents 2 programs from accessing /run/lock/opencryptoki/LCK..APIlock |
| Product | Red Hat Enterprise Linux 8 |
| Component | selinux-policy |
| Version | 8.3 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Milos Malik <mmalik> |
| Assignee | Patrik Koncity <pkoncity> |
| QA Contact | Milos Malik <mmalik> |
| CC | asharov, ddas, jwooten, ksiddiqu, ksrot, lvrabec, mescanfe, mmalik, mnk, negativo17, omoris, pkoncity, plautrba, rcritten, ssekidde, ssidhaye, tscherf, zpytela |
| Target Milestone | rc |
| Target Release | 8.5 |
| Keywords | Triaged |
| Flags | pm-rhel: mirror+ |
| Hardware | Unspecified |
| OS | Linux |
| Fixed In Version | selinux-policy-3.14.3-70.el8 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2021-11-09 19:42:29 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Doc Text:
Cause:
No transition rule exists in selinux-policy to assign a particular SELinux type to var.lib.opencryptoki.* files in shared memory.
Consequence:
The aforementioned files inherit their SELinux type from their parent directory, preventing services like certmonger or ipsec from accessing them.
Fix:
The var.lib.opencryptoki.* files created in /dev/shm have a default file context specification and a file transition set.
Result:
Services like certmonger or ipsec can access the files in shared memory.
More SELinux denials appeared after switching those 2 domains to permissive mode and rebooting. Here is the output from audit2allow:
#============= certmonger_t ==============
allow certmonger_t pkcs_slotd_exec_t:file getattr;
allow certmonger_t pkcs_slotd_lock_t:dir search;
allow certmonger_t pkcs_slotd_lock_t:file { lock open read };
allow certmonger_t pkcs_slotd_t:shm { associate read unix_read unix_write write };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow certmonger_t pkcs_slotd_t:unix_stream_socket connectto;
allow certmonger_t pkcs_slotd_var_run_t:sock_file { getattr write };
#============= ipsec_t ==============
allow ipsec_t pkcs_slotd_exec_t:file getattr;
allow ipsec_t pkcs_slotd_lock_t:dir search;
allow ipsec_t pkcs_slotd_lock_t:file { lock open read };
allow ipsec_t pkcs_slotd_t:shm { associate read unix_read unix_write write };
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow ipsec_t pkcs_slotd_t:unix_stream_socket connectto;
allow ipsec_t pkcs_slotd_var_run_t:sock_file getattr;
Complete SELinux denials will be attached soon.
Created attachment 1726295
SELinux denials which appeared in permissive mode
Steps to Reproduce:
# service ipsec stop
# service ipsec start
# service certmonger stop
# service certmonger start
# service certmonger status
Redirecting to /bin/systemctl status certmonger.service
● certmonger.service - Certificate monitoring and PKI enrollment
Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
Active: active (running) (thawing) since Tue 2020-11-03 17:10:58 CET; 3min 48s ago
Main PID: 9332 (certmonger)
Tasks: 1 (limit: 23678)
Memory: 2.5M
CGroup: /system.slice/certmonger.service
└─9332 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
Nov 03 17:10:58 localhost.localdomain systemd[1]: Starting Certificate monitoring and PKI enrollment...
Nov 03 17:10:58 localhost.localdomain systemd[1]: Started Certificate monitoring and PKI enrollment.
Nov 03 17:10:59 localhost.localdomain dogtag-ipa-renew-agent-submit[9351]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
#
*** Bug 1900979 has been marked as a duplicate of this bug. ***

Note according to https://bugzilla.redhat.com/show_bug.cgi?id=1900979#c2 addressing the first denial was enough:
allow certmonger_t pkcs_slotd_lock_t:dir search;
In my test in 1900979 there were no certificates stored in opencryptoki so that may be why only search was needed, because it didn't have to proceed in reading anything further.

*** Bug 1909658 has been marked as a duplicate of this bug. ***

Zdenek,
Any update on fixing this bug?

Kaleem,
Unfortunately, no progress has been made so far. If you have any information regarding severity of this bug or impact in different environments, please include them in this bz.

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.079:650) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=PATH msg=audit(02/15/2021 05:53:21.079:650) : item=1 name=/dev/shm/var.lib.opencryptoki.tpm.root inode=132358 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(02/15/2021 05:53:21.079:650) : item=0 name=/dev/shm/ inode=11295 dev=00:16 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2021 05:53:21.079:650) : cwd=/run/pluto
type=SYSCALL msg=audit(02/15/2021 05:53:21.079:650) : arch=x86_64 syscall=openat success=yes exit=12 a0=0xffffff9c a1=0x7fff27a5b3b0 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1b6 items=2 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.079:650) : avc: denied { read open } for pid=113091 comm=pluto path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.079:650) : avc: denied { create } for pid=113091 comm=pluto name=var.lib.opencryptoki.tpm.root scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.079:650) : avc: denied { add_name } for pid=113091 comm=pluto name=var.lib.opencryptoki.tpm.root scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.079:651) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=PATH msg=audit(02/15/2021 05:53:21.079:651) : item=0 name=(null) inode=132358 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2021 05:53:21.079:651) : cwd=/run/pluto
type=SYSCALL msg=audit(02/15/2021 05:53:21.079:651) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0xc a1=0666 a2=0x0 a3=0x1b6 items=1 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.079:651) : avc: denied { setattr } for pid=113091 comm=pluto name=var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.079:652) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=SYSCALL msg=audit(02/15/2021 05:53:21.079:652) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xc a1=0x7fff27a5b460 a2=0x7fff27a5b460 a3=0x1b6 items=0 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.079:652) : avc: denied { getattr } for pid=113091 comm=pluto path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.079:653) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=MMAP msg=audit(02/15/2021 05:53:21.079:653) : fd=12 flags=MAP_SHARED
type=SYSCALL msg=audit(02/15/2021 05:53:21.079:653) : arch=x86_64 syscall=mmap success=yes exit=140238486581248 a0=0x0 a1=0x14368 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.079:653) : avc: denied { map } for pid=113091 comm=pluto path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.080:654) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=SOCKADDR msg=audit(02/15/2021 05:53:21.080:654) : saddr={ saddr_fam=inet6 laddr=::1 lport=30003 }
type=SYSCALL msg=audit(02/15/2021 05:53:21.080:654) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0xc a1=0x5595e20e6930 a2=0x1c a3=0x0 items=0 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.080:654) : avc: denied { name_connect } for pid=113091 comm=pluto dest=30003 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tcs_port_t:s0 tclass=tcp_socket permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.081:655) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=PATH msg=audit(02/15/2021 05:53:21.081:655) : item=0 name=(null) inode=2427846 dev=fd:01 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pkcs_slotd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2021 05:53:21.081:655) : cwd=/run/pluto
type=SYSCALL msg=audit(02/15/2021 05:53:21.081:655) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xe a1=0x0 a2=0x3de a3=0xf0000002 items=1 ppid=1 pid=113091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.081:655) : avc: denied { chown } for pid=113091 comm=pluto capability=chown scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.441:665) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=PATH msg=audit(02/15/2021 05:53:21.441:665) : item=0 name=/dev/shm/ inode=11295 dev=00:16 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2021 05:53:21.441:665) : cwd=/
type=SYSCALL msg=audit(02/15/2021 05:53:21.441:665) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f4bc06bf520 a1=0x7ffc4da22070 a2=0x7f4bc08c93b0 a3=0x8b items=1 ppid=113126 pid=113172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.441:665) : avc: denied { getattr } for pid=113172 comm=dogtag-ipa-rene name=/ dev="tmpfs" ino=11295 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.441:666) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=PATH msg=audit(02/15/2021 05:53:21.441:666) : item=0 name=/dev/shm/var.lib.opencryptoki.tpm.root inode=132358 dev=00:16 mode=file,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2021 05:53:21.441:666) : cwd=/
type=SYSCALL msg=audit(02/15/2021 05:53:21.441:666) : arch=x86_64 syscall=openat success=yes exit=10 a0=0xffffff9c a1=0x7ffc4da22370 a2=O_RDWR|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=113126 pid=113172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.441:666) : avc: denied { open } for pid=113172 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.441:666) : avc: denied { read write } for pid=113172 comm=dogtag-ipa-rene name=var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.441:667) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=SYSCALL msg=audit(02/15/2021 05:53:21.441:667) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xa a1=0x7ffc4da22420 a2=0x7ffc4da22420 a3=0x0 items=0 ppid=113126 pid=113172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.441:667) : avc: denied { getattr } for pid=113172 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.441:668) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=MMAP msg=audit(02/15/2021 05:53:21.441:668) : fd=10 flags=MAP_SHARED
type=SYSCALL msg=audit(02/15/2021 05:53:21.441:668) : arch=x86_64 syscall=mmap success=yes exit=139963354017792 a0=0x0 a1=0x14368 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=113126 pid=113172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.441:668) : avc: denied { map } for pid=113172 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/15/2021 05:53:21.442:669) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=SOCKADDR msg=audit(02/15/2021 05:53:21.442:669) : saddr={ saddr_fam=inet6 laddr=::1 lport=30003 }
type=SYSCALL msg=audit(02/15/2021 05:53:21.442:669) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0xa a1=0x555f6e891fb0 a2=0x1c a3=0x0 items=0 ppid=113126 pid=113172 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(02/15/2021 05:53:21.442:669) : avc: denied { name_connect } for pid=113172 comm=dogtag-ipa-rene dest=30003 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tcs_port_t:s0 tclass=tcp_socket permissive=1
----
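As an added example (not part of this bug report or of the selinux-policy project), a small triage script that parses the AVC records above and separates denials against the generic tmpfs_t type, which the Doc Text attributes to files inheriting the label of /dev/shm and which the shipped fix addressed with a private type and a file transition rather than allow rules, from denials that genuinely call for an allow rule. The GENERIC_TARGET_TYPES set and the relabel/allow verdicts are my own heuristic, and the sample records are copied from this bug's logs.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from this bug's logs (permissive-mode
# denials against tmpfs_t, plus the original enforcing-mode 'search' denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/15/2021 05:53:21.079:650) : avc: denied { read open } for pid=113091 comm=pluto path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.079:650) : avc: denied { create } for pid=113091 comm=pluto name=var.lib.opencryptoki.tpm.root scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.079:653) : avc: denied { map } for pid=113091 comm=pluto path=/dev/shm/var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/15/2021 05:53:21.441:666) : avc: denied { read write } for pid=113172 comm=dogtag-ipa-rene name=var.lib.opencryptoki.tpm.root dev="tmpfs" ino=132358 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/03/2020 16:20:17.682:120) : avc: denied { search } for pid=1747 comm=dogtag-ipa-rene name=opencryptoki dev="tmpfs" ino=23126 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0
"""

# Assumed heuristic: these generic types are shared by many unrelated objects, so
# a denial against one of them usually means the object is mislabeled (here the
# files inherit tmpfs_t from /dev/shm) and needs a private type plus a
# type_transition, not an allow rule that opens the whole generic type.
GENERIC_TARGET_TYPES = {"tmpfs_t", "tmp_t", "var_run_t", "var_lib_t", "var_lock_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"avc: +denied +\{ ([^}]*)\}")


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, object) or None for non-AVC lines."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    stype = fields["scontext"].split(":")[2]   # user:role:type[:range]
    ttype = fields["tcontext"].split(":")[2]
    obj = fields.get("path") or fields.get("name") or ""
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split()), obj


def triage(audit_text):
    """Aggregate denials per (source, target, class) and classify the fix each needs."""
    agg = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms, obj = rec
        agg[(stype, ttype, tclass)]["perms"] |= perms
        if obj:
            agg[(stype, ttype, tclass)]["objects"].add(obj)
    for (stype, ttype, tclass), entry in agg.items():
        entry["fix"] = "relabel" if ttype in GENERIC_TARGET_TYPES else "allow"
    return dict(agg)


def render(key, entry):
    """Render the rule audit2allow would emit, commented out when relabeling is the real fix."""
    stype, ttype, tclass = key
    perms = " ".join(sorted(entry["perms"]))
    rule = f"allow {stype} {ttype}:{tclass} {{ {perms} }};"
    if entry["fix"] == "relabel":
        objs = ", ".join(sorted(entry["objects"]))
        return (f"# mislabeled object(s) {objs} carry generic {ttype}; "
                f"add a private type and a file transition instead of:\n# {rule}")
    return rule


if __name__ == "__main__":
    for key, entry in sorted(triage(SAMPLE_AUDIT).items()):
        print(render(key, entry))
```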
Needs backporting (1x base, 2x contrib):
commit 3f7821fedda121e9e8f287c55c1ac4e6c069aade (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Fri May 28 09:56:58 2021 +0200
Allow using opencryptoki for ipsec
Allow ipsec_t change owner of file via chown capability.
Also ipsec allow create and manage objects in the tmpfs directories
with a private type pkcs_slotd_tmpfs_t (pkcs_tmpfs_filetrans).
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1894132
commit 458483c4c62db1131a56d5e2c12bcb8e14d80674
Author: Patrik Koncity <pkoncity>
Date: Fri May 28 09:53:59 2021 +0200
Allow using opencryptoki for certmonger
Allow certmonger_t to get attributes of tmpfs (fs_getattr_tmpfs)
and also certmonger allow create and manage objects in the tmpfs
directories with a private type pkcs_slotd_tmpfs_t (pkcs_tmpfs_filetrans).
Also certmonger can proper use opencryptoki (pkcs_use_opencryptoki).
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1894132
commit 21b83118bf8d7ef0dfe3521d882eae34a872a935
Author: Patrik Koncity <pkoncity>
Date: Mon May 24 14:06:27 2021 +0200
Label var.lib.opencryptoki.* files and create pkcs_tmpfs_filetrans()
The var.lib.opencryptoki.* files are located in /dev/shm/
are now labeled as pkcs_slotd_tmpfs_t.
New interface pkcs_tmpfs_filetrans() allow
create and manage objects in the tmpfs directories with a private
type (pkcs_slotd_tmpfs_t) and also allow manage tmpfs dirs.
In pkcs_use_opencryptoki add permission allowing
domain to tcp connect tcs port.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1894132
*** Bug 1991840 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420
Description of problem:
* dogtag-ipa-renew-agent-submit and pluto processes cannot search in /run/lock/opencryptoki directory

Version-Release number of selected component (if applicable):
opencryptoki-3.15.1-1.el8.x86_64
opencryptoki-icsftok-3.15.1-1.el8.x86_64
opencryptoki-libs-3.15.1-1.el8.x86_64
selinux-policy-3.14.3-54.el8_3.1.noarch
selinux-policy-devel-3.14.3-54.el8_3.1.noarch
selinux-policy-doc-3.14.3-54.el8_3.1.noarch
selinux-policy-minimum-3.14.3-54.el8_3.1.noarch
selinux-policy-mls-3.14.3-54.el8_3.1.noarch
selinux-policy-sandbox-3.14.3-54.el8_3.1.noarch
selinux-policy-targeted-3.14.3-54.el8_3.1.noarch

How reproducible:
* after each reboot

Actual results:
----
type=PROCTITLE msg=audit(11/03/2020 16:20:17.682:120) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
type=PATH msg=audit(11/03/2020 16:20:17.682:120) : item=0 name=/run/lock/opencryptoki/LCK..APIlock nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/03/2020 16:20:17.682:120) : cwd=/
type=SYSCALL msg=audit(11/03/2020 16:20:17.682:120) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fa560edda48 a2=O_RDONLY a3=0x0 items=1 ppid=1515 pid=1747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(11/03/2020 16:20:17.682:120) : avc: denied { search } for pid=1747 comm=dogtag-ipa-rene name=opencryptoki dev="tmpfs" ino=23126 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(11/03/2020 16:21:30.968:203) : proctitle=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
type=PATH msg=audit(11/03/2020 16:21:30.968:203) : item=0 name=/run/lock/opencryptoki/LCK..APIlock nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/03/2020 16:21:30.968:203) : cwd=/run/pluto
type=SYSCALL msg=audit(11/03/2020 16:21:30.968:203) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fadfa25aa48 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=7280 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pluto exe=/usr/libexec/ipsec/pluto subj=system_u:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(11/03/2020 16:21:30.968:203) : avc: denied { search } for pid=7280 comm=pluto name=opencryptoki dev="tmpfs" ino=23126 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0
----

Expected results:
* no SELinux denials