Bug 1012051 - Missing self:key write policy crashes IPA installation
Missing self:key write policy crashes IPA installation
Status: CLOSED DUPLICATE of bug 1012109
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
: 1012060 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-25 11:35 EDT by Martin Kosek
Modified: 2014-07-25 08:55 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-03 05:00:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2013-09-25 11:35:20 EDT
Description of problem:
IPA server installation crashes due to missing SELinux policy.

All AVCs when installing in permissive mode:
# ausearch -m avc -ts today
----
time->Wed Sep 25 11:33:46 2013
type=SYSCALL msg=audit(1380123226.223:266): arch=c000003e syscall=248 success=yes exit=202370179 a0=7f3f05ac4b2e a1=7f3efc3320d0 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380123226.223:266): avc:  denied  { write } for  pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 11:33:46 2013
type=SYSCALL msg=audit(1380123226.224:267): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=c0fec83 a2=0 a3=0 items=0 ppid=15518 pid=15521 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380123226.224:267): avc:  denied  { read } for  pid=15521 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 11:33:56 2013
type=SYSCALL msg=audit(1380123236.402:273): arch=c000003e syscall=250 success=yes exit=4 a0=b a1=3cc9d5db a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380123236.402:273): avc:  denied  { read } for  pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 11:33:56 2013
type=SYSCALL msg=audit(1380123236.402:272): arch=c000003e syscall=248 success=yes exit=1019860443 a0=7fbb87a40b2e a1=7fbb96ce2ed0 a2=0 a3=0 items=0 ppid=15543 pid=15549 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380123236.402:272): avc:  denied  { write } for  pid=15549 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key


audit2allow:
# ausearch -m avc -ts today | audit2allow 


#============= httpd_t ==============
allow httpd_t self:key { read write };

#============= named_t ==============
allow named_t self:key { write read };


Version-Release number of selected component (if applicable):
policycoreutils-2.1.14-81.el7.x86_64
selinux-policy-3.12.1-80.el7.noarch
ipa-server-3.3.1-5.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server package
2. Run ipa-server-install
3.

Actual results:
Installation crashes in enforcing mode due to SELinux AVCs.

Expected results:
Installation passes.

Additional info:
Comment 2 Scott Poore 2013-09-25 11:51:22 EDT
*** Bug 1012060 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2013-10-03 04:59:51 EDT
#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t self:key { read write };

#============= named_t ==============

#!!!! This avc is allowed in the current policy
allow named_t self:key { write read };
Comment 4 Miroslav Grepl 2013-10-03 05:00:50 EDT

*** This bug has been marked as a duplicate of bug 1012109 ***

Note You need to log in before you can comment on or make changes to this bug.