Description of problem:
During automated testing, I see this when ipa-client-install is run:

time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 a0=7f3760054b83 a1=7f376174a950 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc: denied { write } for pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
----
time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 a0=b a1=2a0425f6 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc: denied { read } for pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch

How reproducible:
yet unknown

Steps to Reproduce:
1. Install IPA Master
2. Install IPA Client (w/ ipa-client-install)
3. ausearch -m avc

Actual results:
lists AVC denial from above.

Expected results:
no denials expected.

Additional info:
ipa-submit is a certmonger component.

# rpm -ql certmonger | grep ipa-submit
/usr/libexec/certmonger/ipa-submit
/usr/share/doc/certmonger-0.67/ipa-submit.txt
/usr/share/man/man8/certmonger-ipa-submit.8.gz

I tried to run ipa-client-install and hit the same bug:

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch
# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: vm-052.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: ^C
[root@vm-052 ~]# truncate -s 0 /var/log/audit/audit.log
[root@vm-052 ~]# ipa-client-install
^C
[root@vm-052 ~]# getenforce
Enforcing
[root@vm-052 ~]# ipa-client-install
...
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130918081005':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (HTTP response code is 401, not 200).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

# ausearch -m avc -ts today
----
time->Wed Sep 18 04:10:05 2013
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 a0=7fb6e47afb83 a1=7fb6e704b3f0 a2=0 a3=0 items=0 ppid=14368 pid=14384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc: denied { write } for pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key

# cat /var/log/audit/audit.log | audit2allow

#============= certmonger_t ==============
allow certmonger_t self:key write;

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch

Moving to selinux-policy component.
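The records in this bug are easier to reason about when the SYSCALL and AVC lines of each event are joined by their audit serial: the first two events (serials 120 and 121) carry success=yes next to the denial, so the access was logged but not blocked, while the later event (serial 131) has success=no exit=-13 (EACCES), which is the denial that actually stopped ipa-submit. The script below is an added example written for this page, not code from the bug report, certmonger or selinux-policy. It parses ausearch-style output (the sample is constructed from the records quoted above, trimmed to the fields the parser needs), reports per event whether the denial was enforced, names the x86_64 keyring syscalls 248 (add_key) and 250 (keyctl), and aggregates the denied permissions into an audit2allow-style rule. Because it folds in the earlier read denial as well, it yields `{ read write }` rather than the `write`-only rule the comment got from its truncated audit.log; the partial syscall table is assumed to be x86_64 only.

```python
"""Join SELinux AVC denials with their SYSCALL records, flag which ones were
enforced, and derive an audit2allow-style allow rule from them."""
import re
from collections import defaultdict

# Constructed sample input, modelled on the records quoted in this bug and
# trimmed to the fields used below: two events with success=yes (logged only)
# and one with success=no exit=-13 (EACCES, enforced).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 pid=12655 uid=0 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 pid=12655 uid=0 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 pid=14384 uid=0 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc:  denied  { write } for  pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
"""

# Partial x86_64 (arch=c000003e) syscall table: only the keyring calls seen here.
X86_64_SYSCALLS = {248: "add_key", 249: "request_key", 250: "keyctl"}

EVENT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_events(text):
    """Group the SYSCALL and AVC records of one audit event by its serial."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events[m.group("serial")]
        if line.startswith("type=SYSCALL"):
            fields = dict(KV_RE.findall(line))
            ev["syscall"] = {
                "nr": int(fields["syscall"]),
                "success": fields["success"] == "yes",
                "exit": int(fields["exit"]),
                "comm": fields["comm"].strip('"'),
            }
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if a:
                ev["avcs"].append({
                    "perms": set(a.group("perms").split()),
                    "scontext": a.group("scontext"),
                    "tcontext": a.group("tcontext"),
                    "tclass": a.group("tclass"),
                })
    return dict(events)


def was_enforced(event):
    """An enforced denial fails the syscall with EACCES (-13). An AVC record
    paired with success=yes means permissive mode (global or per-domain)."""
    sc = event["syscall"]
    return sc is not None and not sc["success"] and sc["exit"] == -13


def type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def allow_rules(events):
    """Merge denied permissions per (source type, target type, class) into
    allow rules, using 'self' when source and target types match."""
    perms_by_key = defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
            perms_by_key[key] |= avc["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def describe(events):
    """One human-readable line per event: process, syscall, perms, enforced or not."""
    lines = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev["syscall"]
        name = X86_64_SYSCALLS.get(sc["nr"], f"syscall {sc['nr']}")
        status = "ENFORCED" if was_enforced(ev) else "not enforced (permissive)"
        perms = ",".join(sorted(p for a in ev["avcs"] for p in a["perms"]))
        lines.append(f"event {serial}: {sc['comm']} {name} denied {{ {perms} }} -> {status}")
    return lines


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("\n".join(describe(evs)))
    print("\n".join(allow_rules(evs)))
```

Feed it real output with `ausearch -m avc -ts today | python3 this_script.py`-style piping only after replacing SAMPLE_LOG with stdin; the point of keeping the SYSCALL join is that a rule generated from permissive-mode records may be broader than what enforcing mode actually blocks, so check the enforced events before shipping a policy module.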
Note that there is another potentially related bug from IPA team: Bug 1007606.
Did it work with this local policy?
It does indeed work with the local policy.
So does that mean this needs to be added to selinux-policy?
Yes - Jan verified in Comment 6 that the policy fixes it. Now I assume the ball is on Mirek's playground to update the policy.
I added fixes.
*** Bug 1010992 has been marked as a duplicate of this bug. ***
(In reply to Miroslav Grepl from comment #9)
> I added fixes.

to Fedora. Will backport them.
*** This bug has been marked as a duplicate of bug 1012109 ***