Bug 495212

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux issues | | |
| Product | [Retired] Dogtag Certificate System | Reporter | Chandrasekar Kannan <ckannan> |
| Component | SELinux | Assignee | Ade Lee <alee> |
| Status | CLOSED ERRATA | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | medium | Docs Contact | |
| Priority | urgent | | |
| Version | unspecified | CC | awnuk, benl, cfu, dlackey, jgalipea, jmagne, mharmsen |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-07-22 23:34:16 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 443788 | | |
Description
Chandrasekar Kannan
2009-04-10 12:54:23 UTC
Changes to be added:

Index: ../../base/selinux/src/pki.te =================================================================== --- ../../base/selinux/src/pki.te (revision 389) +++ ../../base/selinux/src/pki.te (working copy) @@ -13,12 +13,12 @@ files_type(pki_ca_tomcat_exec_t) pki_ca_template(pki_ca) -allow pki_ca_t pki_kra_t:process signull; -allow pki_ca_t pki_ocsp_t:process signull; -allow pki_ca_t pki_tks_t:process signull; corenet_tcp_connect_pki_kra_port(pki_ca_t) corenet_tcp_connect_pki_ocsp_port(pki_ca_t) attribute pki_kra_config; attribute pki_kra_executable; attribute pki_kra_var_lib; @@ -32,7 +32,6 @@ files_type(pki_kra_tomcat_exec_t) pki_ca_template(pki_kra) -allow pki_kra_t pki_ca_t:process signull; corenet_tcp_connect_pki_ca_port(pki_kra_t) attribute pki_ocsp_config; @@ -48,7 +47,6 @@ files_type(pki_ocsp_tomcat_exec_t) pki_ca_template(pki_ocsp) -allow pki_ocsp_t pki_ca_t:process signull; corenet_tcp_connect_pki_ca_port(pki_ocsp_t) attribute pki_ra_config; @@ -78,8 +76,6 @@ files_type(pki_tks_tomcat_exec_t) pki_ca_template(pki_tks) -allow pki_tks_t pki_ca_t:process signull; -allow pki_tks_t pki_kra_t:process signull; corenet_tcp_connect_pki_ca_port(pki_tks_t) # needed for token enrollment, list /var/cache/tomcat5/temp 
@@ -99,4 +95,23 @@ pki_tps_template(pki_tps) +#interprocess communication on process shutdown +allow pki_ca_t pki_kra_t:process signull; +allow pki_ca_t pki_ocsp_t:process signull; +allow pki_ca_t pki_tks_t:process signull; +allow pki_kra_t pki_ca_t:process signull; +allow pki_kra_t pki_ocsp_t:process signull; +allow pki_kra_t pki_tks_t:process signull; + +allow pki_ocsp_t pki_ca_t:process signull; +allow pki_ocsp_t pki_kra_t:process signull; +allow pki_ocsp_t pki_tks_t:process signull; + +allow pki_tks_t pki_ca_t:process signull; +allow pki_tks_t pki_kra_t:process signull; +allow pki_tks_t pki_ocsp_t:process signull; + Index: ../../base/selinux/src/pki.if =================================================================== --- ../../base/selinux/src/pki.if (revision 389) +++ ../../base/selinux/src/pki.if (working copy) @@ -37,6 +37,7 @@ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; type pki_ca_tomcat_exec_t; type $1_port_t; + type rpm_var_lib_t; ') ######################################## # 
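Review bot: the signull block appended at the end of pki.te grants the permission between pki_ca_t, pki_kra_t, pki_ocsp_t and pki_tks_t in every direction, which is more than the rules it replaces (the removed lines only had the CA signalling KRA, OCSP and TKS, each of those signalling the CA, and TKS signalling the KRA). If the shutdown path really needs every pair, twelve near-identical lines would read better as one rule over an attribute shared by these four domains; if it does not, the pairs that were never needed should stay out. pki_tps_t, instantiated by the pki_tps_template(pki_tps) line just above the block, is not in the mesh, so a TPS that signals or is signalled on shutdown will still be denied.

Review bot: `type rpm_var_lib_t;` is added to the require block of pki_ca_template, but nothing in the template references that type directly; its only user is the `rpm_read_db($1_t)` call in the following hunk, and an interface is expected to declare the types it needs itself, so this line should be dropped unless the build fails without it. That `rpm_read_db` call also deserves a closer look: its comment says installation needs it for /var/lib/tomcat5/common/lib/jdtcore.jar, but what it grants is read access to the RPM database for every runtime domain built from the template (CA, KRA, OCSP, TKS), not access to that jar. Either the comment should say why reading the RPM database is required at runtime, or the access should be scoped to the installation step rather than to $1_t.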
@@ -93,6 +94,9 @@ can_exec($1_t, $1_tomcat_exec_t) allow $1_t $1_tomcat_exec_t:file {getattr read}; + #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar + rpm_read_db($1_t) + # Init script handling domain_use_interactive_fds($1_t)

With SELinux in permissive mode, I have configured these subsystems: CA, TKS, TPS, DRM. I found these SELinux messages in /var/log/messages. Some are duplicates of what we have already seen, but some are new.

Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 5d8f8685-10b0-40ee-9c3c-a0bc2398d306
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 2d873fb8-89d0-4050-80b1-49322451addd
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l b06188d3-8dbe-48b8-8714-962d7f49bd89
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l 82a7bba7-5143-4cf3-8165-f5c952cb4300
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792 (usr_t). For complete SELinux messages. run sealert -l d9ea7bbb-6964-4c12-850d-64b9f100aa89
Apr 16 10:25:16 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 10:29:39 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 10:29:51 delta setroubleshoot: SELinux is preventing modutil (pki_ra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l c58787a2-01a6-481f-a6e9-328839c75f16
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing the java (pki_ocsp_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 7310745b-2d5e-4ece-b1d0-9077cf690503
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing java (pki_ocsp_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l b63f88e8-0ada-488f-8797-0d9003026837
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 46d8bd8f-8816-485a-8a2b-efde416143a8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l a50e8c72-2e12-4a56-828f-a02c058cf043
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l f97f32df-1032-4b77-84c5-ba6d8c616cf8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde (usr_t). For complete SELinux messages. run sealert -l 03086cee-1a2a-4a54-90c5-ef4bcac252ff
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l eb598e4b-d29a-47fa-b502-1df1f7a5cb63
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l 553e766c-a396-46db-b39b-8112a6eba65b
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l f55d79f3-d11d-460b-bd11-a05de0d69cc6
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e (usr_t). For complete SELinux messages. run sealert -l 213d2459-b59b-472f-ab2a-c401e8dc0052
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l d6b9bab4-ef0d-4009-b436-cfca99cbc99e
Apr 16 13:39:03 delta setroubleshoot: SELinux is preventing sslget (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 1e58edaf-887e-4a25-9ac4-c475c382d770
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l a468388d-965b-42f7-af0d-dfec0cd0d86f
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l af7781d8-fa45-497f-8ea1-8a3cc0f52f6a
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1 (usr_t). For complete SELinux messages. run sealert -l d3009a43-b821-4eff-8c5c-d988e29ca558
Apr 16 15:17:38 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:17:43 delta setroubleshoot: SELinux is preventing httpd.worker (pki_tps_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l 98e76d8e-2ba7-418f-bda8-fa933db453a0

I'm fixing all HSM related issues in 495157.

The issues indicated in this original bug posting have been addressed by the rules added above and checked into repo version 390. So, closing this one as modified.

I am still seeing the following:

May 28 10:47:13 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 28 10:47:14 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:50 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:51 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 07:12:59 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c
May 29 07:14:21 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c

Additional Changes:

Index: base/selinux/src/pki.if =================================================================== --- base/selinux/src/pki.if (revision 504) +++ base/selinux/src/pki.if (working copy) @@ -177,6 +177,9 @@ allow $1_t self:unix_dgram_socket { write create connect }; allow $1_t syslogd_t:unix_dgram_socket sendto; + #allow sending mail + corenet_tcp_connect_smtp_port($1_t) + ') ######################################## @@ -487,7 +490,8 @@ allow pki_tps_t lib_t:file execute_no_trans; - allow pki_tps_t self:capability { setuid sys_nice setgid dac_override }; + #fowner needed for chmod + allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner}; allow pki_tps_t self:process { setsched signal getsched signull execstack execmem}; allow pki_tps_t self:sem all_sem_perms; allow pki_tps_t self:tcp_socket create_stream_socket_perms; Index: base/selinux/src/pki.te =================================================================== --- base/selinux/src/pki.te (revision 504) +++ base/selinux/src/pki.te (working copy) 
@@ -1,4 +1,4 @@ -policy_module(pki,1.0.7) +policy_module(pki,1.0.8) attribute pki_ca_config; attribute pki_ca_executable; Index: dogtag/selinux/pki-selinux.spec =================================================================== --- dogtag/selinux/pki-selinux.spec (revision 500) +++ dogtag/selinux/pki-selinux.spec (working copy) @@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 5 +%define base_release 6 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -249,6 +249,8 @@ ############################################################################### %changelog +* Fri May 29 2009 Ade Lee <alee> 1.1.0-6 +- Bugzilla Bug 495212 - selinux messages from startup/ install * Mon May 25 2009 Ade Lee <alee> 1.1.0-5 - Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm * Fri May 1 2009 Ade Lee <alee> 1.1.0-4

[builder@oliver pki]$ cd base; svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending selinux/src/pki.if
Sending selinux/src/pki.te
Transmitting file data ..
Committed revision 505.
[builder@oliver base]$ cd ../dogtag; svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending selinux/pki-selinux.spec
Transmitting file data .
Committed revision 506.

No longer seeing any SELinux messages after installation, configuration and restart of CA and all subsystems. Verified
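Review bot: `corenet_tcp_connect_smtp_port($1_t)` in the pki.if template at line 177 gives every domain instantiated from that template the right to connect to smtp_port_t, while the denials that motivated it (the two name_connect messages from May 29) come only from pki_ca_t. Unless the KRA, OCSP and TKS also send mail, the rule belongs in the CA's own block, or inside a tunable_policy so that deployments which do not use mail notifications can keep the port closed.

Review bot: adding fowner to pki_tps_t's self:capability set makes the chmod denials go away, but fowner lets the TPS change modes and ownership of files it does not own, and with dac_override already in the set that leaves little of the DAC checks in force for the domain. The setroubleshoot summary only shows <Unknown> as the target, so the path should be taken from sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2 and it should be checked whether correcting that file's ownership removes the need for the capability. The changed line also drops the space before the closing brace that it had before (`dac_override };` became `fowner};`).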
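The setroubleshoot one-liners quoted in this bug become a manageable worklist once they are folded into distinct (source domain, permission, target type) tuples, which is what the reporter did by hand when noting that some were duplicates of messages already seen. The Python below is an added example written for this page, not Dogtag code; its sample input is a constructed subset of the messages above, and the `key_pkcs11_<hash>` placeholder is the script's own normalization, not a name from the page.

```python
import re
from collections import defaultdict

# The two one-line forms setroubleshoot writes to /var/log/messages.
ACTION_RE = re.compile(r'SELinux is preventing (?:the )?(?P<comm>\S+) \((?P<scon>\w+)\) '
                       r'"(?P<perm>\w+)" to (?P<target>.+?) \((?P<tcon>\w+)\)\.')
EXEC_RE = re.compile(r'SELinux is preventing (?:the )?(?P<comm>\S+) \((?P<scon>\w+)\) '
                     r'from executing (?P<target>\S+?)\.(?:\s|$)')
SEALERT_RE = re.compile(r'sealert -l (?P<id>[0-9a-f-]{36})')
# The /opt/nfast/kmdata key files differ only in their hash suffix; fold them into one name.
KEYFILE_RE = re.compile(r'key_pkcs11_\w+-[0-9a-f]+(\.new)?')

# Constructed sample: four of the messages quoted in this bug, one per line.
SAMPLE_LINES = [
    'Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing '
    '/opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd',
    'Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to /opt/nfast/kmdata/local/'
    'key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). '
    'For complete SELinux messages. run sealert -l b06188d3-8dbe-48b8-8714-962d7f49bd89',
    'Apr 16 10:25:16 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing '
    '/opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd',
    'Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to /opt/nfast/kmdata/local/'
    'key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). '
    'For complete SELinux messages. run sealert -l a50e8c72-2e12-4a56-828f-a02c058cf043',
]

def parse_line(line):
    """Return (comm, source domain, permission, target, target type, sealert id) or None."""
    m = ACTION_RE.search(line)
    if m:
        perm, tcon = m['perm'], m['tcon']
    else:
        m = EXEC_RE.search(line)
        if m is None:
            return None
        perm, tcon = 'execute', None   # the "from executing" form names no target type
    target = KEYFILE_RE.sub(r'key_pkcs11_<hash>\1', m['target'])
    sid = SEALERT_RE.search(line)
    return (m['comm'], m['scon'], perm, target, tcon, sid['id'] if sid else None)

def triage(lines):
    """Group by (source domain, permission, target type); count hits and distinct sealert ids."""
    groups = defaultdict(lambda: {'count': 0, 'targets': set(), 'alerts': set()})
    for rec in filter(None, map(parse_line, lines)):
        _, scon, perm, target, tcon, sid = rec
        g = groups[(scon, perm, tcon)]
        g['count'] += 1
        g['targets'].add(target)
        if sid:
            g['alerts'].add(sid)
    return dict(groups)
```

The summary line does not name the object class, so each group is a pointer to its `sealert -l` id for the full AVC record, not a rule to paste into pki.te.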