Bug 508003

Summary: more selinux AVCS when configured CA with ECC
Product: [Retired] Dogtag Certificate System
Reporter: Kashyap Chamarthy <kchamart>
Component: SELinux
Assignee: Ade Lee <alee>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: awnuk, benl, cfu, dlackey, enewland, jgalipea, jmagne, mharmsen, nkinder
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 508754
Environment:
Last Closed: 2012-03-30 23:41:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kashyap Chamarthy 2009-06-25 05:16:16 UTC
more selinux AVCS when configured CA with ECC(x64)

[root@austin conf]# cat /var/log/audit/* | audit2allow 


#============= pki_ca_t ==============
allow pki_ca_t usr_t:dir { write add_name };
allow pki_ca_t usr_t:file { write create };
[root@austin conf]# 


-----------------------------------------------------------------------------
[root@austin user1]# sealert -l 3d7234dd-aef9-4d24-be5f-d18c79a3bace

Summary:

SELinux is preventing java (pki_ca_t) "write" to ./sbcppri.db (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./sbcppri.db,

restorecon -v './sbcppri.db'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                ./sbcppri.db [ dir ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          <Unknown>
Host                          austin.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     austin.pnq.redhat.com
Platform                      Linux austin.pnq.redhat.com 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 23 18:52:01 2009
Last Seen                     Tue Jun 23 18:52:01 2009
Local ID                      3d7234dd-aef9-4d24-be5f-d18c79a3bace
Line Numbers                  

Raw Audit Messages            

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { write } for  pid=22410 comm="java" name="sbcppri.db" dev=dm-0 ino=1114536 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { add_name } for  pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { create } for  pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.732:1041): arch=c000003e syscall=2 success=yes exit=106 a0=a994d80 a1=241 a2=180 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)



[root@austin user1]# 
--------------------

[root@austin user1]# sealert -l 180b6a08-e114-4a3a-bf67-afb57c1debb0

Summary:

SELinux is preventing java (pki_ca_t) "write" to
/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000,

restorecon -v '/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                /usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x
                              01000000 [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          <Unknown>
Host                          austin.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     austin.pnq.redhat.com
Platform                      Linux austin.pnq.redhat.com 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 23 18:52:01 2009
Last Seen                     Tue Jun 23 18:52:01 2009
Local ID                      180b6a08-e114-4a3a-bf67-afb57c1debb0
Line Numbers                  

Raw Audit Messages            

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.736:1042): avc:  denied  { write } for  pid=22410 comm="java" path="/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=1114543 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.736:1042): arch=c000003e syscall=1 success=yes exit=309 a0=6a a1=a981870 a2=135 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)



[root@austin user1]# 
--------------------------

Comment 1 Kashyap Chamarthy 2009-07-07 16:28:18 UTC
More avc's with the new initpin from certicom
=========================================

[root@rover conf]# cat /var/log/audit/* | audit2allow 


#============= pki_ca_t ==============
allow pki_ca_t usr_t:dir write;

================================================================
[root@rover conf]# sealert -l 8fdea288-2017-4555-af64-176030ead895

Summary:

SELinux is preventing java (pki_ca_t) "write" to
/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000,

restorecon -v '/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                /usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x
                              01000000 [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          <Unknown>
Host                          rover.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     rover.pnq.redhat.com
Platform                      Linux rover.pnq.redhat.com 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jul  7 21:51:11 2009
Last Seen                     Tue Jul  7 21:51:11 2009
Local ID                      8fdea288-2017-4555-af64-176030ead895
Line Numbers                  

Raw Audit Messages            

host=rover.pnq.redhat.com type=AVC msg=audit(1246983671.353:265): avc:  denied  { write } for  pid=28888 comm="java" path="/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=100958 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

host=rover.pnq.redhat.com type=SYSCALL msg=audit(1246983671.353:265): arch=c000003e syscall=1 success=yes exit=309 a0=5f a1=c077960 a2=135 a3=0 items=0 ppid=1 pid=28888 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=2 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
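The raw AVC records quoted in this report are the input that audit2allow and sealert work from. The following Python is an added example, not code from the bug report or from the Dogtag project: it parses raw `type=AVC` records, aggregates the denied permissions into audit2allow-style allow rules (permissions listed in first-seen order, which is not necessarily audit2allow's order), and separately lists denials whose target carries a generic file type such as usr_t. That pattern is the one the sealert text above calls a possible labelling problem: granting pki_ca_t write access to all of usr_t would cover far more than the CA's own files under /usr/share/pki, whereas a file-context rule for that path is the narrower fix. The sample records are copied from the report; the list of generic types and the `analyse` helper are this example's own assumptions.

```python
"""Parse raw SELinux AVC records and aggregate them into audit2allow-style
allow rules, flagging denials against generic file types.

Added example; not code from the bug report or the Dogtag project.
"""
import re
from collections import OrderedDict

# Constructed sample: AVC/SYSCALL records copied from the bug report above.
SAMPLE_AVCS = """\
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { write } for  pid=22410 comm="java" name="sbcppri.db" dev=dm-0 ino=1114536 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { add_name } for  pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc:  denied  { create } for  pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.736:1042): avc:  denied  { write } for  pid=22410 comm="java" path="/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=1114543 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.736:1042): arch=c000003e syscall=1 success=yes exit=309 a0=6a a1=a981870 a2=135 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
"""

# "type=AVC ... avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm, name, path).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption of this example: types that label generic content rather than an
# application's own data. A confined domain writing to these usually means the
# object is mislabelled, not that the domain's policy lacks a permission.
GENERIC_TYPES = {"usr_t", "default_t", "file_t", "unlabeled_t"}


def type_of(context):
    """Third field of user:role:type:level, e.g. pki_ca_t."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        fields[fm.group(1)] = fm.group(3) if fm.group(3) is not None else fm.group(2)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # A dir denial carries name=, a file denial usually carries path=.
        "object": fields.get("path") or fields.get("name"),
    }


def allow_rules(records):
    """Group denials by (source type, target type, class) into allow rules."""
    grouped = OrderedDict()
    for r in records:
        if r is None or r["result"] != "denied":
            continue
        perms = grouped.setdefault((r["stype"], r["ttype"], r["tclass"]), [])
        for p in r["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def labelling_suspects(records):
    """(source type, target type, object) for denials against generic types."""
    return sorted(
        {(r["stype"], r["ttype"], r["object"]) for r in records
         if r is not None and r["ttype"] in GENERIC_TYPES}
    )


def analyse(text):
    """Run both views over a block of raw audit records."""
    records = [parse_avc(line) for line in text.splitlines()]
    return {"rules": allow_rules(records), "suspects": labelling_suspects(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_AVCS)
    print("# audit2allow-style rules (broad):")
    print("\n".join(result["rules"]))
    print("# objects whose label should be checked first:")
    for stype, ttype, obj in result["suspects"]:
        print(f"{stype} -> {ttype}: {obj}")
```

Run on the report's records, the rules view reproduces the two `allow pki_ca_t usr_t:...` lines audit2allow printed, while the suspects view lists the three objects under the .certicom directory that carry usr_t, which is where a file-context check (the `restorecon` that sealert suggests, or a dedicated file context for the path) belongs before any policy is widened.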

Comment 3 Christina Fu 2012-03-30 23:41:09 UTC
Setting to CLOSED as duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=746701, as the solution is the same.

*** This bug has been marked as a duplicate of bug 746701 ***