Bug 508003
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | more selinux AVCS when configured CA with ECC | | |
| Product | [Retired] Dogtag Certificate System | Reporter | Kashyap Chamarthy <kchamart> |
| Component | SELinux | Assignee | Ade Lee <alee> |
| Status | CLOSED DUPLICATE | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | awnuk, benl, cfu, dlackey, enewland, jgalipea, jmagne, mharmsen, nkinder |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 508754 (view as bug list) | Environment | |
| Last Closed | 2012-03-30 23:41:09 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Kashyap Chamarthy
2009-06-25 05:16:16 UTC
More avc's with the new initpin from certicom
=========================================

```
[root@rover conf]# cat /var/log/audit/* | audit2allow

#============= pki_ca_t ==============
allow pki_ca_t usr_t:dir write;
================================================================
[root@rover conf]# sealert -l 8fdea288-2017-4555-af64-176030ead895

Summary:

SELinux is preventing java (pki_ca_t) "write" to /usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is required by java and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000,

restorecon -v '/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                /usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000 [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          <Unknown>
Host                          rover.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     rover.pnq.redhat.com
Platform                      Linux rover.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jul 7 21:51:11 2009
Last Seen                     Tue Jul 7 21:51:11 2009
Local ID                      8fdea288-2017-4555-af64-176030ead895
Line Numbers

Raw Audit Messages

host=rover.pnq.redhat.com type=AVC msg=audit(1246983671.353:265): avc: denied { write } for pid=28888 comm="java" path="/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=100958 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

host=rover.pnq.redhat.com type=SYSCALL msg=audit(1246983671.353:265): arch=c000003e syscall=1 success=yes exit=309 a0=5f a1=c077960 a2=135 a3=0 items=0 ppid=1 pid=28888 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=2 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
```

Setting to CLOSED as duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=746701, as the solution is the same.

*** This bug has been marked as a duplicate of bug 746701 ***
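As an added illustration, not code from this bug report or from the Dogtag or SELinux tooling, the Python below parses raw AVC audit records of the kind quoted in the report, derives the allow rule that audit2allow would print for them (merging permissions per source type, target type and object class), and, where the denial targets a generic type such as usr_t, emits the restorecon check that sealert recommends trying before any policy is widened. The sample log is the two records from this report; the set of "generic" target types used for the labeling hint is an assumption of the example. Note that the report's own audit2allow run summarised the whole audit log directory, which is why it printed a dir rule, whereas the single AVC quoted above is for a file.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample input: the two raw audit records quoted in this bug report,
# an AVC record and its matching SYSCALL record (same audit serial, 265).
SAMPLE_AUDIT_LOG = """\
host=rover.pnq.redhat.com type=AVC msg=audit(1246983671.353:265): avc: denied { write } for pid=28888 comm="java" path="/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=100958 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=rover.pnq.redhat.com type=SYSCALL msg=audit(1246983671.353:265): arch=c000003e syscall=1 success=yes exit=309 a0=5f a1=c077960 a2=135 a3=0 items=0 ppid=1 pid=28888 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=2 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
"""

# key=value tokens: values may be bare, double-quoted, or parenthesised like (none)/(null).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# The permission set sits between braces right after "avc: denied" / "avc: granted".
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# Heuristic (an assumption of this example, not from the bug): a denial whose
# target carries one of these generic file types usually means the object is
# mislabelled rather than that policy should be widened, so suggest restorecon
# first, as sealert does in the report.
GENERIC_TARGET_TYPES = {"usr_t", "var_t", "etc_t", "tmp_t", "default_t", "unlabeled_t"}


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one raw AVC audit record; non-AVC records (SYSCALL, ...) yield None."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "result": m.group(1),
        "perms": sorted(m.group(2).split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Collect every denied AVC record from a multi-line audit log, skipping the rest."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            records.append(rec)
    return records


def avc_rules(text: str) -> List[str]:
    """Derive audit2allow-style allow rules, merging permissions per (source, target, class)."""
    merged = defaultdict(set)
    for rec in parse_audit_log(text):
        merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def labeling_hints(text: str) -> List[str]:
    """Suggest a restorecon for denials that target a generic type, before any policy change."""
    hints = []
    for rec in parse_audit_log(text):
        if rec["ttype"] in GENERIC_TARGET_TYPES and rec["path"]:
            cmd = f"restorecon -v '{rec['path']}'"
            if cmd not in hints:
                hints.append(cmd)
    return hints


if __name__ == "__main__":
    for rule in avc_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for hint in labeling_hints(SAMPLE_AUDIT_LOG):
        print("check labeling first:", hint)
```

Run against the two records above it prints `allow pki_ca_t usr_t:file write;` followed by the restorecon line; feeding it a whole `/var/log/audit/` dump instead of the sample string merges all denials for the same type triple into one rule, which is the same summarisation audit2allow performs.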