Bug 2000629

Summary: AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
Product: Red Hat Enterprise Linux 9
Reporter: Florence Blanc-Renaud <frenaud>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: ksiddiqu, myusuf, pvlasin, rcritten, tscherf
Target Milestone: rc
Target Release: ---
Hardware: aarch64
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.9.6-7.el9_b
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2003005
Environment:
Last Closed: 2021-12-07 21:33:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2003005

Description Florence Blanc-Renaud 2021-09-02 14:31:55 UTC
This bug was initially created as a copy of Bug #1998129

I am copying this bug because: 
The issue is also present in RHEL 9.0.0-Beta, using RHEL-9.0.0-20210901.d.2


Description of problem:
There are AVC messages during the installation of ipa-server on RHEL8.5 (FIPS mode enabled).

Version-Release number of selected component (if applicable):
RHEL-8.5.0-20210825.n.0 (aarch64)
ipa-server 4.9.6-4.module+el8.5.0+11912+1b4496cf

Steps to Reproduce:
fips-mode-setup --enable 
reboot
hostnamectl set-hostname master.test.ipa
dnf module reset idm -y
dnf module enable -y idm:DL1/dns
dnf install -y ipa-server-dns
systemctl stop firewalld
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n test.ipa -U -r TEST.IPA


Actual results:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-3.14.3-77.el8.noarch
----
time->Thu Aug 26 08:31:54 2021
type=PROCTITLE msg=audit(1629981114.133:381): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=SYSCALL msg=audit(1629981114.133:381): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffffb890d4a0 a2=0 a3=0 items=0 ppid=1 pid=19933 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1629981114.133:381): avc:  denied  { read } for  pid=19933 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
----
time->Thu Aug 26 08:38:29 2021
type=PROCTITLE msg=audit(1629981509.011:585): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=SYSCALL msg=audit(1629981509.011:585): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffff8ef9d4a0 a2=0 a3=0 items=0 ppid=1 pid=24131 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1629981509.011:585): avc:  denied  { read } for  pid=24131 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Expected results:
No AVC messages.
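The audit event quoted in the description, parsed by an added example (not code from the bug report or from the FreeIPA project): it joins the AVC record with the PROCTITLE record of the same event, decodes the hex-encoded argv, and derives the type-enforcement allow rule of the kind audit2allow prints, so the denial reads at a glance instead of from raw hex. The record text is copied from the description; the field layout it relies on is the standard auditd key=value format.

```python
import re
from collections import defaultdict

# Audit records copied from the bug report above: one event (serial 381) made of a PROCTITLE,
# a SYSCALL and an AVC record. In the SYSCALL record exit=-13 is -EACCES, so the open really
# was refused (permissive=0); syscall 56 on arch c00000b7 (aarch64) is openat.
AUDIT_TEXT = """\
type=PROCTITLE msg=audit(1629981114.133:381): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D637573746F646961002F6574632F6970612F637573746F6469612F637573746F6469612E636F6E66
type=SYSCALL msg=audit(1629981114.133:381): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=ffffb890d4a0 a2=0 a3=0 items=0 ppid=1 pid=19933 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-custodia" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:ipa_custodia_t:s0 key=(null)
type=AVC msg=audit(1629981114.133:381): avc:  denied  { read } for  pid=19933 comm="ipa-custodia" name="cpuinfo" dev="proc" ino=4026531923 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv holds NULs, spaces or quotes; NUL separates args."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0") if a]

def parse_record(line):
    """Turn one raw audit record into a dict of its key=value fields plus the event serial."""
    rec = {"serial": int(SERIAL_RE.search(line).group(1))}
    for key, val in FIELD_RE.findall(line):
        if key == "proctitle":
            rec["argv"] = decode_proctitle(val)  # decode before the quotes are stripped
        else:
            rec[key] = val.strip('"')
    if avc := AVC_RE.search(line):
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def summarize_denials(text):
    """One entry per denied AVC: the denial, the decoded argv of the same event, and the TE rule that would permit it."""
    events = defaultdict(list)  # records sharing a serial number form one event
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    out = []
    for serial, recs in events.items():
        argv = next((r["argv"] for r in recs if r["type"] == "PROCTITLE"), None)
        for r in recs:
            if r["type"] == "AVC" and r.get("result") == "denied":
                src, tgt = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]  # user:role:type:level
                out.append({"serial": serial, "comm": r["comm"], "argv": argv, "target": r.get("name"),
                            "rule": f"allow {src} {tgt}:{r['tclass']} {{ {' '.join(r['perms'])} }};"})
    return out
```

The same parser reads raw `ausearch -m avc` output, which is the format quoted above; the rule it derives is the minimal grant for the recorded access, not a verdict on whether that access should be allowed.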

Comment 8 Mohammad Rizwan 2021-09-24 08:59:58 UTC
Version:
ipa-server-4.9.6-8.el9_b.aarch64
ipa-selinux-4.9.6-8.el9_b.noarch

Steps:
As FIPS is broken on RHEL 9 due to https://bugzilla.redhat.com/show_bug.cgi?id=1999052, the following steps have been used to verify:
1. Install ipa-server on an aarch64 machine with FIPS enabled. It will fail.
2. Uninstall the server, disable FIPS.
3. Install ipa-server again.
4. Check for AVC messages.

Actual result:
[root@master ~]# ausearch -m avc
<no matches>

AVC denial not seen. Hence marking the bug as verified.