Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
The denials point to adding this policy to make the AVC go away (even in permissive).
allow certmonger_t pkcs_slotd_lock_t:dir search;
Note that IPA for a while now, without an AVC reported, has logged:
Nov 25 11:15:06 ipa.example.test dogtag-ipa-renew-agent-submit[10436]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Even with a temporary policy in place this error is reported.
My test policy:
module cryptoki 1.0;
require {
type certmonger_t;
type pkcs_slotd_lock_t;
class dir search;
}
#============= certmonger_t ==============
allow certmonger_t pkcs_slotd_lock_t:dir search;
So yes we can make the AVC go away but it has no practical effect AFAICT.
certmonger policy is managed by the selinux team.
Description of problem: Following AVC denial seen during IPA install with latest IPA build for RHEL8.4 time->Mon Nov 23 19:28:03 2020 type=PROCTITLE msg=audit(1606177683.382:1708): proctitle="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" type=PATH msg=audit(1606177683.382:1708): item=0 name="/run/lock/opencryptoki/LCK..APIlock" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606177683.382:1708): cwd="/" type=SYSCALL msg=audit(1606177683.382:1708): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f55b6bfda48 a2=0 a3=0 items=1 ppid=33391 pid=33411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-rene" exe="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1606177683.382:1708): avc: denied { search } for pid=33411 comm="dogtag-ipa-rene" name="opencryptoki" dev="tmpfs" ino=72945 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0 ---- time->Mon Nov 23 19:28:14 2020 type=PROCTITLE msg=audit(1606177694.181:1709): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D705F5F5F6A726D6272002D2D65652D75726C00687474703A2F2F63692D766D2D31302D302D39382D3130312E746573747265616C6D2E746573743A383038302F6361 type=PATH msg=audit(1606177694.181:1709): item=0 name="/run/lock/opencryptoki/LCK..APIlock" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1606177694.181:1709): cwd="/" type=SYSCALL msg=audit(1606177694.181:1709): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fa6e1219a48 a2=0 a3=0 items=1 ppid=33391 pid=33512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1606177694.181:1709): avc: denied { search } for pid=33512 comm="dogtag-submit" name="opencryptoki" dev="tmpfs" ino=72945 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0 Version-Release number of selected component (if applicable): certmonger-0.79.7-15.el8.x86_64 ipa-selinux-4.8.7-12.module+el8.3.0+8223+6212645f.noarch selinux-policy-3.14.3-56.el8.noarch ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64 opencryptoki-3.15.1-1.el8.x86_64 How reproducible: Always Steps to Reproduce: 1. Install IPA Actual results: AVC denial seen Expected results: No AVC denial should be there.