Bug 490233
| Summary: | rhcs80alpha - selinux denies several accesses after a pkicreate | ||
|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Marc Sauton <msauton> |
| Component: | SELinux | Assignee: | Ade Lee <alee> |
| Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | awnuk, benl, cfu, dlackey, jmagne, mharmsen |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-04-02 18:42:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 443788 | ||
added another instance, and worked, so not sure what went wrong in the previous example.
getenforce
Enforcing
netstat -anp| egrep "30543 | 30443 | 30545 | 3080 | 30801"
semanage port -l | egrep "30543 | 30443 | 30545 | 3080 | 30801"
pkicreate -pki_instance_root=/var/lib \
-pki_instance_name=pki-subca2 \
-subsystem_type=ca \
-agent_secure_port=30543 \
-ee_secure_port=30443 \
-admin_secure_port=30545 \
-unsecure_port=3080 \
-tomcat_server_port=30801 \
-user=pkiuser \
-group=pkiuser \
-verbose
PKI service(s) are available at https://ms2-cs8-1-64.sjc.redhat.com:30543
/sbin/service pki-subca2 start | stop | restart
https://ms2-cs8-1-64.sjc.redhat.com:30443/ca/admin/console/config/login?pin=8WBc6B8madoqCCzRm6y7
semanage port -l | egrep "30543 | 30443 | 30545 | 3080 | 30801"
pki_ca_port_t tcp 30545, 30443, 30543, 30801, 3080, 20545, 20443, 20543, 20801, 2080, 9180, 9701, 9443, 9444, 9445
So, what appears to have happened in the first case is that you used the port 10443 (which failed because it was already defined as pki_kra_port_t). Did you get an error message in pkicreate? Notice that your semanage port -l does not show 10443. Thats weird - because I would have expected 10443 to show up as type pki_kra_port_t. Correct, that was a mistake from me..do not remember if there were errors with the previous pkicreate, it got me has semanage -l port did not show 10443. May be there is room for improvement with pkicreate: Ran pkicreate and asked to use already bound existing tcp ports, pkicreate just went through as if nothing was wrong, only error was: /usr/sbin/semanage: Port tcp/10443 already defined Error in setting selinux context pki_ca_port_t for 10443 Well -- that is an error! You are supposed to check that errors do not happen during the pkicreate, I can't really make the pkicreate fail more spectacularly, because this server will start up on a system where selinux is running in permissive mode. closing after discussion with Marc. |
when creating a second instance from pkicreate, selinux in enforce mode prevents it to start by default, details below. Linux ms2-cs8-1-64.sjc.redhat.com 2.6.18-128.el5xen #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64 x86_64 GNU/Linux Red Hat Enterprise Linux Server release 5.3 (Tikanga) getenforce Enforcing pki-selinux-8.0.0-3.alpha redhat-pki-ca-ui-8.0.0-6.alpha pki-common-8.0.0-9.alpha pki-tps-8.0.0-14.alpha pki-util-8.0.0-9.alpha pki-kra-8.0.0-11.alpha pki-setup-8.0.0-9.alpha redhat-pki-kra-ui-8.0.0-5.alpha pki-java-tools-8.0.0-10.alpha redhat-pki-ra-ui-8.0.0-8.alpha pki-ca-8.0.0-11.alpha redhat-pki-ocsp-ui-8.0.0-5.alpha redhat-pki-common-ui-8.0.0-10.alpha pki-ocsp-8.0.0-11.alpha pki-ra-8.0.0-13.alpha pki-native-tools-8.0.0-9.alpha pki-tks-8.0.0-11.alpha redhat-pki-tps-ui-8.0.0-11.alpha redhat-pki-tks-ui-8.0.0-4.alpha trying to add a second ca instance using pkicreate, like this: pkicreate -pki_instance_root=/var/lib \ -pki_instance_name=pki-subca1 \ -subsystem_type=ca \ -agent_secure_port=10543 \ -ee_secure_port=10443 \ -admin_secure_port=10545 \ -unsecure_port=1080 \ -tomcat_server_port=10801 \ -user=pkiuser \ -group=pkiuser \ -verbose and the ports are only used for this instance: semanage port -l | egrep "10543 | 10443 | 10545 | 1080 | 10801" pki_ca_port_t tcp 10545, 10543, 10801, 1080, 9180, 9701, 9443, 9444, 9445 catalina.out: Mar 13, 2009 2:18:32 PM org.apache.catalina.startup.Catalina start SEVERE: Catalina.start: LifecycleException: service.getName(): "CatalinaEE"; Protocol handler start failed: java.net.BindException: Could not bind to address: (-5966) Access Denied.:10443 at org.apache.catalina.connector.Connector.start(Connector.java:1097) at org.apache.catalina.core.StandardService.start(StandardService.java:457) at org.apache.catalina.core.StandardServer.start(StandardServer.java:700) at org.apache.catalina.startup.Catalina.start(Catalina.java:552) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433) Mar 13, 2009 2:18:32 PM org.apache.catalina.startup.Catalina start INFO: Server startup in 12619 ms system 13762.main - [13/Mar/2009:14:18:32 PDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate 13762.main - [13/Mar/2009:14:18:32 PDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value /var/log/messages Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealer t -l 6034218a-ee75-43f8-a8bd-b440a0191e73 Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9d7f86c8-a64a-4554-80c7-ea c5b26eaa2d Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealer t -l 07377148-c472-4151-bd26-cd44d50ea15a Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9d7f86c8-a64a-4554-80c7-ea c5b26eaa2d Mar 13 14:18:19 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_bind" to <Unknown> (pki_kra_port_t). For complete SELinux messages. run sealert -l 31af94d6-c39a-42bf-b49 c-022029102d10 sealert -l 31af94d6-c39a-42bf-b49c-022029102d10|less Summary: SELinux is preventing java (pki_ca_t) "name_bind" to <Unknown> (pki_kra_port_t). Detailed Description: SELinux denied access requested by java. It is not expected that this access is required by java and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context root:system_r:pki_ca_t Target Context system_u:object_r:pki_kra_port_t Target Objects None [ tcp_socket ] Source java Source Path /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre /bin/java Port 10443 Host ms2-cs8-1-64.sjc.redhat.com Source RPM Packages java-1.6.0-openjdk-1.6.0.0-1.0.b12.el5.2 Target RPM Packages Policy RPM selinux-policy-2.4.6-203.el5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name ms2-cs8-1-64.sjc.redhat.com Platform Linux ms2-cs8-1-64.sjc.redhat.com 2.6.18-128.el5xen #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64 Alert Count 2 First Seen Fri Mar 13 14:18:19 2009 Last Seen Fri Mar 13 14:18:32 2009 Local ID 31af94d6-c39a-42bf-b49c-022029102d10 Line Numbers Raw Audit Messages host=ms2-cs8-1-64.sjc.redhat.com type=AVC msg=audit(1236979112.453:178): avc: denied { name_bind } for pid=13763 comm="java" src=10443 scontext=root:system_r:pki_ca_t:s0 tcontext=system_u:obj ect_r:pki_kra_port_t:s0 tclass=tcp_socket host=ms2-cs8-1-64.sjc.redhat.com type=SYSCALL msg=audit(1236979112.453:178): arch=c000003e syscall=49 success=no exit=-13 a0=5f a1=40fb1d20 a2=10 a3=1 items=0 ppid=1 pid=13763 auid=0 uid=500 gid =500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=root:system_r:pki_ca_t:s0 key=(nu ll)