Bug 720503
| Summary: | RA and TPS require additional SELinux permissions to run in "Enforcing" mode | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Retired] Dogtag Certificate System | Reporter: | Matthew Harmsen <mharmsen> | ||||
| Component: | TPS | Assignee: | Ade Lee <alee> | ||||
| Status: | CLOSED EOL | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 9.0 | CC: | alee, jmagne | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2020-03-27 18:33:19 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 530474, 720506 | ||||||
| Attachments: |
|
||||||
Created attachment 512733 [details]
patch to fix
tip: [vakwetu@dhcp231-121 base]$ svn ci -m "Bugzilla #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode" selinux Sending selinux/src/pki.if Sending selinux/src/pki.te Transmitting file data .. Committed revision 2056. |
"RA" and "TPS" apache-based instances fail to start on Fedora 15 if SELinux is configured in the "Enforcing" mode (they startup successfully if SELinux is reset to the "Permissive" mode). Using an "RA" instance on "goofy-vm17.dsdev.sjc.redhat.com" running "32-bit Fedora 15" with SELinux set to "Enforcing" as an example: [root@goofy-vm17 ~]# /sbin/service pki-rad start Starting pki-ra: [FAILED] [root@goofy-vm17 /var/log/audit] tail -f audit.log ... type=AVC msg=audit(1310409988.240:3816): avc: denied { read } for pid=16367 comm="httpd.worker" path="/usr/sbin/httpd.worker" dev=dm-1 ino=1338685 scontext=unconfined_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1310409988.240:3816): arch=40000003 syscall=125 success=no exit=-13 a0=19e000 a1=2000 a2=1 a3=19e000 items=0 ppid=16366 pid=16367 auid=10015 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=472 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=unconfined_u:system_r:pki_ra_t:s0 key=(null) [root@goofy-vm17 ~]# cat /var/log/audit/audit.log |audit2allow -R require { type xauth_t; type sshd_t; type pki_tps_t; type pki_ra_t; } #============= pki_ra_t ============== apache_exec(pki_ra_t) #============= pki_tps_t ============== apache_exec(pki_tps_t) #============= sshd_t ============== fs_search_nfs(sshd_t) #============= xauth_t ============== fs_manage_nfs_dirs(xauth_t) fs_manage_nfs_files(xauth_t)