Bug 509917

Summary: RA fails to start with SElinux enforcing
Product: [Retired] Dogtag Certificate System
Reporter: Chandrasekar Kannan <ckannan>
Component: SELinux
Assignee: Ade Lee <alee>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: unspecified
CC: awnuk, benl, cfu, dlackey, jmagne, mharmsen
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:37:06 UTC
Bug Blocks: 443788

Description Chandrasekar Kannan 2009-07-06 20:36:23 UTC
On a freshly installed RHEL 5.3 i386 machine, installing pki-ra hangs.

I see these ...

[root@trinity audit]# cat audit.log | audit2allow


#============= pki_ra_t ==============
allow pki_ra_t port_t:tcp_socket name_connect;

[root@trinity audit]# cat audit.log | grep pki
type=USER_CHAUTHTOK msg=audit(1246911861.776:31): user pid=4173 uid=0 auid=0 subj=root:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group acct="pkiuser" exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_CHAUTHTOK msg=audit(1246911861.882:32): user pid=4178 uid=0 auid=0 subj=root:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="pkiuser" exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1246911880.524:35): avc:  denied  { name_connect } for  pid=4316 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1246911880.524:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc63b30 a2=11efbc4 a3=bfc65330 items=0 ppid=4310 pid=4316 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null)
type=AVC msg=audit(1246911880.577:36): avc:  denied  { name_connect } for  pid=4318 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1246911880.577:36): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf888110 a2=9e2bc4 a3=bf889910 items=0 ppid=4317 pid=4318 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null)
type=AVC msg=audit(1246911880.631:37): avc:  denied  { name_connect } for  pid=4322 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1246911880.631:37): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd8d090 a2=1128bc4 a3=bfd8e890 items=0 ppid=4321 pid=4322 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null)

-------------

Jul  6 13:24:40 trinity setroubleshoot: SELinux is preventing the modutil (pki_ra_t) from connecting to port 1792. For complete SELinux messages. run sealert -l efeb1cc3-ee21-4069-ac73-945ee52af264
Jul  6 13:24:40 trinity modutil: SSL cipher list set to RC4-MD5 
Jul  6 13:24:40 trinity setroubleshoot: SELinux is preventing the modutil (pki_ra_t) from connecting to port 1792. For complete SELinux messages. run sealert -l efeb1cc3-ee21-4069-ac73-945ee52af264
[root@trinity log]# 

---------------

  Installing     : xml-commons-apis                                [57/88] 
  Installing     : perl-XML-LibXML                                 [58/88] 
could not find ParserDetails.ini in /usr/lib/perl5/vendor_perl/5.8.8/XML/SAX
  Installing     : pki-setup                                       [59/88] 
Adding default PKI group "pkiuser" (gid=17) to /etc/group.
Adding default PKI user "pkiuser" (uid=17) to /etc/passwd.
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
  Installing     : pki-ra                                          [60/88] 
PKI instance creation Utility ...


PKI instance creation completed ...

Starting pki-ra: 
-------------------

Comment 1 Chandrasekar Kannan 2009-07-06 20:56:30 UTC
[root@trinity audit]# cat audit.log | audit2allow -R

require {
        type pki_ra_t;
}

#============= pki_ra_t ==============
corenet_tcp_connect_generic_port(pki_ra_t)

Comment 2 Ade Lee 2009-07-06 21:40:00 UTC
This is a LunaSA port. We allow this rule for the other subsystems already.

Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec     (revision 662)
+++ dogtag/selinux/pki-selinux.spec     (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      9
+%define base_release      10
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Wed Jul 6 2009 Ade Lee <alee> 1.1.0-10
+- Bugzilla Bug 509917 - RA fails to start with SElinux enforcing (lunasa)
 * Wed Jun 17 2009 Ade Lee <alee> 1.1.0-9
 - Bugzilla Bug 506387 and 506133 - ECC and messages for tps
 * Mon Jun 15 2009 Ade Lee <alee> 1.1.0-8
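Review bot: the weekday in the new %changelog entry is wrong: 6 Jul 2009 was a Monday, not a Wednesday, and rpmbuild flags such entries with a "bogus date in %changelog" warning. Suggest `* Mon Jul 6 2009 Ade Lee <alee> 1.1.0-10`. The two existing entries in the hunk (Wed Jun 17, Mon Jun 15) are consistent with the calendar.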
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 662)
+++ base/selinux/src/pki.if     (working copy)
@@ -688,6 +688,7 @@
         corenet_tcp_sendrecv_all_nodes(pki_ra_t)
         corenet_tcp_sendrecv_all_ports(pki_ra_t)
         corenet_non_ipsec_sendrecv(pki_ra_t)
+        corenet_tcp_connect_generic_port(pki_ra_t)
 
         # talk to other subsystems
         corenet_tcp_connect_pki_ca_port(pki_ra_t)
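Review bot: corenet_tcp_connect_generic_port(pki_ra_t) grants name_connect on port_t, which is the fallback type for every TCP port that has no dedicated label, not only the LunaSA port 1792 seen in the AVC records. If the RA only needs to reach the HSM, a dedicated port type for 1792 with its own connect interface would keep pki_ra_t from reaching arbitrary unlabeled ports; if the generic rule is kept for parity with the other subsystems, put a comment above it stating why (e.g. `# connect to the LunaSA HSM port (bug 509917)`), the way the block below is annotated with `# talk to other subsystems`.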
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te     (revision 662)
+++ base/selinux/src/pki.te     (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.11)
+policy_module(pki,1.0.12)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;

Comment 3 Ade Lee 2009-07-06 21:40:47 UTC
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug 509917: RA fails to start with SElinux enforcing" base/selinux dogtag/selinux
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ...
Committed revision 679.

Comment 4 Kashyap Chamarthy 2009-07-10 15:02:01 UTC
Verified with RC3. 

- did a cat /dev/null > /var/log/audit/audit.log
- restarted RA
- then cat /var/log/audit/audit.log | audit2allow -R
No audit alerts found
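An added example, not code from this bug or from the Dogtag project, of the reduction audit2allow performs on the records quoted above: it parses AVC denial lines into subject type, target type, object class and permissions, renders the resulting allow rule, and separately flags denials against port_t (the fallback type for ports with no dedicated label) together with the destination ports seen, which is the point the verification in this bug relies on. The sample log is constructed in the shape of the records in the description.

```python
import re

# Constructed sample shaped like the records in this bug: two name_connect
# denials for pki_ra_t -> port_t (dest port 1792) plus one unrelated SYSCALL.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246911880.524:35): avc:  denied  { name_connect } for  pid=4316 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1246911880.524:35): arch=40000003 syscall=102 success=no exit=-13 comm="modutil" exe="/usr/bin/modutil"
type=AVC msg=audit(1246911880.577:36): avc:  denied  { name_connect } for  pid=4318 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other record type."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = dict(KV_RE.findall(line))
    # A context is user:role:type[:range]; only the type matters for the rule.
    return {"perms": set(m.group(1).split()),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "dest": int(fields["dest"]) if "dest" in fields else None}

def denial_groups(log_text):
    """Group denials by (source type, target type, class), merging the
    permissions and remembering which destination ports were involved."""
    groups = {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["source"], rec["target"], rec["tclass"])
        g = groups.setdefault(key, {"perms": set(), "ports": set()})
        g["perms"] |= rec["perms"]
        if rec["dest"] is not None:
            g["ports"].add(rec["dest"])
    return groups

def allow_rules(log_text):
    """Render each group as the allow rule audit2allow would print for it."""
    rules = []
    for (src, tgt, cls), g in sorted(denial_groups(log_text).items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules

def generic_port_denials(log_text):
    """port_t covers every port without a dedicated label, so a rule allowing
    it reaches far beyond the one port that was denied; report those cases."""
    return {k: sorted(g["ports"]) for k, g in denial_groups(log_text).items()
            if k[1] == "port_t"}
```

Running `allow_rules(SAMPLE_AUDIT_LOG)` yields the same rule audit2allow printed in the description, and `generic_port_denials` shows that the rule is needed only for port 1792.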