| Summary: | AVC denials during ipa server and replica installs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Namita Soman <nsoman> |
| Component: | pki-core | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | alee, jgalipea, nkinder |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-21 22:26:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Patch pushed to IPA branch for 6.5:

```
To ssh://vakwetu.org/git/pki.git
 96e18f8..25aa37e IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH
```

Verified using pki-core-9.0.3-32.el6
Not seeing AVCs while installing master nor replica.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1682.html

Description of problem:
Installed ipa-server on 6.5 and seeing AVC errors - on both master and replica installs

```
# ausearch -m avc -ts 13:45
----
time->Mon Aug 19 13:54:58 2013
type=SYSCALL msg=audit(1376934898.540:77): arch=c000003e syscall=2 success=no exit=-13 a0=7f7752a6b1d8 a1=80000 a2=403ff a3=7f77524e7d55 items=0 ppid=1 pid=3700 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934898.540:77): avc: denied { read } for pid=3700 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:54:59 2013
type=SYSCALL msg=audit(1376934899.008:78): arch=c000003e syscall=2 success=no exit=-13 a0=7f7752a6b1d8 a1=80000 a2=403ff a3=1 items=0 ppid=1 pid=3715 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934899.008:78): avc: denied { read } for pid=3715 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:56:14 2013
type=SYSCALL msg=audit(1376934974.628:87): arch=c000003e syscall=2 success=no exit=-13 a0=7fce356581d8 a1=80000 a2=403ff a3=7fce350d4d55 items=0 ppid=1 pid=4253 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934974.628:87): avc: denied { read } for pid=4253 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
```

```
# audit2allow -i /var/log/audit/audit.log

#============= pki_ca_t ==============
allow pki_ca_t sysfs_t:file read;
```

```
# audit2allow -R -i /var/log/audit/audit.log

require {
        type pki_ca_t;
}

#============= pki_ca_t ==============
dev_read_sysfs(pki_ca_t)
```

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-33.el6.x86_64
pki-ca-9.0.3-31.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Install ipa server

Actual results:
install seems to work but see AVC denials listed above.

Expected results:
no avc denials expected.

Additional info:
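
As an added example (not part of the original report or of the pki-core fix), this Python script collapses the AVC records quoted in the description into unique denials and renders the same allow rule that `audit2allow -i` printed. The names `count_denials`, `allow_rules` and `context_type` are assumptions of the example; the sample input is the report's three AVC lines with the SYSCALL records omitted.

```python
import re
from collections import Counter, defaultdict

# The three AVC records quoted in the report (SYSCALL lines omitted).
SAMPLE_LOG = """\
type=AVC msg=audit(1376934898.540:77): avc: denied { read } for pid=3700 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1376934899.008:78): avc: denied { read } for pid=3715 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1376934974.628:87): avc: denied { read } for pid=4253 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def count_denials(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "----" separators, granted messages
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        for perm in m["perms"].split():
            counts[key + (perm,)] += 1
    return counts

def allow_rules(counts):
    """Render one allow rule per (source, target, class), merging permissions."""
    perms = defaultdict(set)
    for (src, tgt, cls, perm) in counts:
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = next(iter(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    counts = count_denials(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("\n".join(allow_rules(counts)))
```

The three records reduce to a single denial seen three times, which is why both audit2allow invocations in the report produce one rule; the `-R` output expresses it as the `dev_read_sysfs(pki_ca_t)` interface.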