Bug 2028637

Summary: httpd fails to start with opencryptoki SW token

Product: Red Hat Enterprise Linux 8
Reporter: Stanislav Zidek <szidek>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.6
CC: bnater, ksrot, lvrabec, mmalik
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.3-117.el8
Doc Type: No Doc Update
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug

Comment 1 Milos Malik 2021-12-02 20:48:40 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(12/02/2021 15:46:49.833:534) : proctitle=/usr/sbin/httpd -DFOREGROUND 
type=PATH msg=audit(12/02/2021 15:46:49.833:534) : item=1 name=/dev/shm/var.lib.opencryptoki.swtok inode=64710 dev=00:16 mode=file,660 ouid=apache ogid=pkcs11 rdev=00:00 obj=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(12/02/2021 15:46:49.833:534) : item=0 name=/dev/shm/ inode=11440 dev=00:16 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/02/2021 15:46:49.833:534) : cwd=/ 
type=SYSCALL msg=audit(12/02/2021 15:46:49.833:534) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffec0044140 a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1b0 items=2 ppid=1 pid=13720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(12/02/2021 15:46:49.833:534) : avc:  denied  { read write } for  pid=13720 comm=httpd name=var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0 
----

# ls -lZ /dev/shm/
total 84
-rw-rw----. 1 apache pkcs11 unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 82792 Dec  2 15:46 var.lib.opencryptoki.swtok
#

Comment 2 Milos Malik 2021-12-02 20:50:47 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(12/02/2021 15:49:36.552:674) : proctitle=/usr/sbin/httpd -DFOREGROUND 
type=PATH msg=audit(12/02/2021 15:49:36.552:674) : item=0 name=/dev/shm/var.lib.opencryptoki.swtok inode=64710 dev=00:16 mode=file,660 ouid=apache ogid=pkcs11 rdev=00:00 obj=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(12/02/2021 15:49:36.552:674) : cwd=/ 
type=SYSCALL msg=audit(12/02/2021 15:49:36.552:674) : arch=x86_64 syscall=openat success=yes exit=19 a0=0xffffff9c a1=0x7ffeb38e2e60 a2=O_RDWR|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=21325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(12/02/2021 15:49:36.552:674) : avc:  denied  { open } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(12/02/2021 15:49:36.552:674) : avc:  denied  { read write } for  pid=21325 comm=httpd name=var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(12/02/2021 15:49:36.553:675) : proctitle=/usr/sbin/httpd -DFOREGROUND 
type=SYSCALL msg=audit(12/02/2021 15:49:36.553:675) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x13 a1=0x7ffeb38e2f10 a2=0x7ffeb38e2f10 a3=0x0 items=0 ppid=1 pid=21325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(12/02/2021 15:49:36.553:675) : avc:  denied  { getattr } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(12/02/2021 15:49:36.553:676) : proctitle=/usr/sbin/httpd -DFOREGROUND 
type=MMAP msg=audit(12/02/2021 15:49:36.553:676) : fd=19 flags=MAP_SHARED 
type=SYSCALL msg=audit(12/02/2021 15:49:36.553:676) : arch=x86_64 syscall=mmap success=yes exit=140231208845312 a0=0x0 a1=0x14368 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=21325 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(12/02/2021 15:49:36.553:676) : avc:  denied  { map } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1 
----
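The two comments above show why a permissive-mode run is needed to see the whole picture: in enforcing mode httpd's openat() fails on the first check (read write) and nothing further is attempted, while in permissive mode the same open succeeds and the later open, getattr and map denials on the same file are logged too. The script below is an added example (not from this bug report or from the selinux-policy project) that parses AVC records, groups them by source type, target type and object class, unions the permissions across events, and renders the resulting allow rule for a policy reviewer; the sample input is the AVC lines quoted in comments 1 and 2, with the PATH/SYSCALL/MMAP records omitted because the parser ignores them. Note that the actual fix described later in this bug does not grant these permissions unconditionally but gates them behind a boolean.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from comments 1 and 2 of this bug.
# The first record is from enforcing mode (permissive=0), the rest from permissive mode.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(12/02/2021 15:46:49.833:534) : proctitle=/usr/sbin/httpd -DFOREGROUND
type=AVC msg=audit(12/02/2021 15:46:49.833:534) : avc:  denied  { read write } for  pid=13720 comm=httpd name=var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(12/02/2021 15:49:36.552:674) : avc:  denied  { open } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/02/2021 15:49:36.552:674) : avc:  denied  { read write } for  pid=21325 comm=httpd name=var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/02/2021 15:49:36.553:675) : avc:  denied  { getattr } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/02/2021 15:49:36.553:676) : avc:  denied  { map } for  pid=21325 comm=httpd path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=64710 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
"""

# Field order in an AVC record is stable: perms, pid, comm, (name|path), scontext, tcontext, tclass, permissive.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<event>[^)]*)\)"
    r".*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bpid=(?P<pid>\d+)"
    r".*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)


def type_of(context):
    """Return the type field (third colon-separated part) of user:role:type:level."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse every AVC denial in an audit log excerpt; non-AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "event": m["event"],
            "pid": int(m["pid"]),
            "comm": m["comm"],
            "perms": set(m["perms"].split()),
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "enforcing": m["permissive"] == "0",
        })
    return records


def summarize(records):
    """Group denials by (source type, target type, class) and union their permissions."""
    summary = defaultdict(lambda: {"perms": set(), "enforced": False, "comms": set()})
    for r in records:
        entry = summary[(r["stype"], r["ttype"], r["tclass"])]
        entry["perms"] |= r["perms"]
        # True if at least one denial actually blocked the operation (enforcing mode).
        entry["enforced"] = entry["enforced"] or r["enforcing"]
        entry["comms"].add(r["comm"])
    return dict(summary)


def allow_rules(summary):
    """Render each group as the allow rule a policy author would review (audit2allow style)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
        for (s, t, c), e in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary = summarize(parse_avc(SAMPLE_AUDIT))
    for (s, t, c), e in summary.items():
        mode = "blocked in enforcing mode" if e["enforced"] else "only seen in permissive mode"
        print(f"{s} -> {t}:{c} by {','.join(sorted(e['comms']))}: {mode}")
    for rule in allow_rules(summary):
        print(rule)
```

Run against a real system with `ausearch -m AVC -i | python3 avc_summary.py` style piping (reading stdin instead of SAMPLE_AUDIT); the union of permissions is what a complete fix needs, and the enforced flag tells you whether the denial is still live or was only observed during a permissive test run.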

Comment 3 Zdenek Pytela 2021-12-06 16:26:47 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/966

Note the permissions will be added when httpd_use_opencryptoki boolean is on. It is off by default.

Comment 25 errata-xmlrpc 2023-05-16 09:03:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965