
Bug 1009177

Summary: RHEL7 ipa-client-install AVC denial for ipa-submit
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: jcholast, jpazdziora, jstancek, mgrepl, mkosek, mmalik, rcritten
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-10-03 09:02:24 UTC
Type: Bug

Description Scott Poore 2013-09-17 22:03:28 UTC
Description of problem:

During automated testing, I see this when ipa-client-install is run:

time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:120): arch=c000003e syscall=248 success=yes exit=704914934 a0=7f3760054b83 a1=7f376174a950 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
----
time->Tue Sep 17 16:56:52 2013
type=SYSCALL msg=audit(1379451412.344:121): arch=c000003e syscall=250 success=yes exit=0 a0=b a1=2a0425f6 a2=0 a3=0 items=0 ppid=12612 pid=12655 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch


How reproducible:
Not yet known.

Steps to Reproduce:
1.  Install IPA Master
2.  Install IPA Client (w/ ipa-client-install)
3.  ausearch -m avc

Actual results:
Lists the AVC denials shown above.

Expected results:
No denials expected.


Additional info:

Comment 2 Martin Kosek 2013-09-18 08:15:47 UTC
ipa-submit is a certmonger component.

# rpm -ql certmonger | grep ipa-submit
/usr/libexec/certmonger/ipa-submit
/usr/share/doc/certmonger-0.67/ipa-submit.txt
/usr/share/man/man8/certmonger-ipa-submit.8.gz

I tried to run ipa-client-install and hit the same bug:

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch

# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Hostname: vm-052.idm.lab.bos.redhat.com
Realm: IDM.LAB.BOS.REDHAT.COM
DNS Domain: idm.lab.bos.redhat.com
IPA Server: vm-086.idm.lab.bos.redhat.com
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: ^C[root@vm-052 ~]# truncate -s 0 /var/log/audit/audit.log 
[root@vm-052 ~]# ipa-client-install ^C
[root@vm-052 ~]# getenforce 
Enforcing
[root@vm-052 ~]# ipa-client-install 
...
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20130918081005':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: -504 (HTTP response code is 401, not 200).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - vm-052.idm.lab.bos.redhat.com'
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# ausearch -m avc  -ts today
----
time->Wed Sep 18 04:10:05 2013
type=SYSCALL msg=audit(1379491805.335:131): arch=c000003e syscall=248 success=no exit=-13 a0=7fb6e47afb83 a1=7fb6e704b3f0 a2=0 a3=0 items=0 ppid=14368 pid=14384 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1379491805.335:131): avc:  denied  { write } for  pid=14384 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key

# cat /var/log/audit/audit.log | audit2allow 


#============= certmonger_t ==============
allow certmonger_t self:key write;

# rpm -q selinux-policy
selinux-policy-3.12.1-80.el7.noarch

Moving to selinux-policy component.
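
The denials in the description and in comment 2 are against tclass=key, i.e. the kernel keyring: on x86_64, syscall 248 is add_key and syscall 250 is keyctl, so ipa-submit is being stopped from writing to and reading keys while confined as certmonger_t. The local policy module that comment 4 asks about is what audit2allow produces from those records. The script below is an added example, not part of this bug report and not code from the certmonger or selinux-policy packages; it reimplements the relevant part of audit2allow in awk so the generated rule can be reviewed offline before anything is loaded. The module name local_certmonger is an assumption, and the sample input is the two AVC lines from the description, embedded as a constructed string.

```shell
#!/bin/sh
# Added example (not from the bug report, certmonger or selinux-policy):
# turn raw AVC records into the source of a local SELinux policy module,
# the way audit2allow does, so the rule can be reviewed before it is built.

# Constructed sample input: the two AVC records quoted in the bug description
# (the accompanying SYSCALL records are omitted; non-AVC lines are ignored anyway).
SAMPLE_AVC='type=AVC msg=audit(1379451412.344:120): avc:  denied  { write } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key
type=AVC msg=audit(1379451412.344:121): avc:  denied  { read } for  pid=12655 comm="ipa-submit" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=key'

# avc_to_te MODULE_NAME  < audit-lines
# Reads AVC "denied" records on stdin and prints .te source with one allow
# rule per (source type, target type, class); permissions from several records
# are merged and deduplicated.  A target equal to the source is written as
# "self", matching audit2allow's output for the records in this bug.
avc_to_te() {
    mod="$1"   # module name, e.g. local_certmonger (assumed name)
    awk -v mod="$mod" '
        /type=AVC/ && /avc: +denied/ {
            # permissions are the words between "{" and "}"
            s = $0; sub(/.*denied +[{] */, "", s); sub(/ *[}].*/, "", s); perms = s
            # scontext=user:role:type:level -> the type is the third field
            match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
            match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), tc, ":")
            match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
            key = sc[3] SUBSEP tc[3] SUBSEP cls
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++)
                if (!((key, p[i]) in seen)) { seen[key, p[i]] = 1; rules[key] = rules[key] " " p[i] }
            types[sc[3]] = 1; types[tc[3]] = 1
        }
        END {
            print "module " mod " 1.0;"
            print ""
            print "require {"
            for (t in types) print "\ttype " t ";"
            for (k in rules) { split(k, f, SUBSEP); print "\tclass " f[3] " {" rules[k] " };" }
            print "}"
            print ""
            for (k in rules) {
                split(k, f, SUBSEP)
                tgt = (f[1] == f[2]) ? "self" : f[2]
                print "allow " f[1] " " tgt ":" f[3] " {" rules[k] " };"
            }
        }'
}

# Review the generated source, then build and load it on the client with the
# standard toolchain (these steps need root and are not run by this script):
#   printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_certmonger > local_certmonger.te
#   checkmodule -M -m -o local_certmonger.mod local_certmonger.te
#   semodule_package -o local_certmonger.pp -m local_certmonger.mod
#   semodule -i local_certmonger.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te local_certmonger
```

Before installing such a module, check whether the loaded policy already carries the rule with `sesearch -A -s certmonger_t -c key` (from setools); once a fixed selinux-policy package is installed, remove the workaround with `semodule -r local_certmonger` so the local rule does not outlive the fix.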

Comment 3 Martin Kosek 2013-09-18 08:27:10 UTC
Note that there is another potentially related bug from IPA team: Bug 1007606.

Comment 4 Miroslav Grepl 2013-09-18 08:43:19 UTC
Did it work with this local policy?

Comment 6 Jan Cholasta 2013-09-19 06:39:16 UTC
It does indeed work with the local policy.

Comment 7 Scott Poore 2013-09-24 14:50:50 UTC
So does that mean this needs to be added to selinux-policy?

Comment 8 Martin Kosek 2013-09-24 16:10:15 UTC
Yes - Jan verified in Comment 6 that the policy fixes it.

Now I assume the ball is on Mirek's playground to update the policy.

Comment 9 Miroslav Grepl 2013-09-30 14:45:14 UTC
I added fixes.

Comment 10 Miroslav Grepl 2013-09-30 14:45:35 UTC
*** Bug 1010992 has been marked as a duplicate of this bug. ***

Comment 11 Miroslav Grepl 2013-09-30 15:09:06 UTC
(In reply to Miroslav Grepl from comment #9)
> I added fixes.

to Fedora. Will backport them.

Comment 13 Miroslav Grepl 2013-10-03 09:02:24 UTC

*** This bug has been marked as a duplicate of bug 1012109 ***