Bug 1012060 - RHEL7 ipa-server-install AVC denials for httpd_t and named_t write key
Status: CLOSED DUPLICATE of bug 1012051
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-09-25 11:48 EDT by Scott Poore
Modified: 2014-08-06 10:29 EDT
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-09-25 11:51:21 EDT
Attachments: None

Description Scott Poore 2013-09-25 11:48:28 EDT
Description of problem:

I'm seeing AVC denials during ipa-server-install:

[root@rhel7-1 etc]# ausearch -m avc 
----
time->Wed Sep 25 09:28:13 2013
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc:  denied  { write } for  pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.264:569): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd780890a0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.264:569): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:571): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77910bd0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:571): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.266:572): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.266:572): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:573): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7784e720 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:573): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:574): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77458510 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:574): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:575): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77460340 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:575): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:576): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd778082b0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:576): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key

[root@rhel7-1 etc]# cat /var/log/audit/audit.log | audit2allow 


#============= httpd_t ==============
allow httpd_t self:key write;

#============= named_t ==============
allow named_t self:key write;


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch


How reproducible:
always

Steps to Reproduce:
1.  ipa-server-install

Actual results:
AVC denials cause ipa-server-install to fail during the ipa-client-install run at the end. The AVC denials are listed above.

Expected results:
no AVCs during ipa-server-install

Additional info:

/var/log/ipaserver-install shows this:

2013-09-25T14:28:15Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com
2013-09-25T14:29:20Z DEBUG Process finished, return code=1
2013-09-25T14:29:20Z DEBUG stdout=

2013-09-25T14:29:20Z DEBUG stderr=Hostname: rhel7-1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel7-1.testrelm.com
BaseDN: dc=testrelm,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 752, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 'https://rhel7-1.testrelm.com/ipa/xml': Internal Server Error

2013-09-25T14:29:20Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1217, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2013-09-25T14:29:20Z DEBUG The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com' returned non-zero exit status 1
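The records in the report can be triaged mechanically rather than read by eye. The script below is an added example, not code from the bug report, from FreeIPA or from the audit2allow tool: it joins each SYSCALL record with the AVC record that shares its audit serial, decodes syscall 248 on arch c000003e (x86_64) to add_key and exit=-13 to EACCES, and collapses the denials into the same two allow rules audit2allow printed above. The sample input is three of the events copied from the report; the syscall and errno tables are deliberately partial (an assumption: only the x86_64 keyring calls and the errnos seen here are of interest), and anything outside them is reported numerically.

```python
"""Triage SELinux AVC denials of the kind shown in this bug report.
Added example (not from the report or audit2allow): joins SYSCALL and AVC
records by audit serial, decodes syscall/errno, emits allow rules."""
import re
from collections import defaultdict

# Partial tables (assumption: only x86_64 keyring syscalls and the errnos
# seen in this report matter). Anything else is reported numerically.
X86_64_SYSCALLS = {248: "add_key", 249: "request_key", 250: "keyctl"}
AUDIT_ARCH_X86_64 = "c000003e"
ERRNO = {1: "EPERM", 13: "EACCES"}

# Sample input: three events copied from the report (ausearch separator
# lines such as "----" and "time->..." would simply be skipped).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc:  denied  { write } for  pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
type=SYSCALL msg=audit(1380119359.264:569): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd780890a0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.264:569): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) success=(?P<success>\w+) '
    r'exit=(?P<exit>-?\d+)')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_audit(text):
    """Return one dict per AVC event, joined with its SYSCALL record by serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = dict(FIELD_RE.findall(m.group("rest")))
            events[int(m.group("serial"))].update(
                result=m.group("result"),
                perms=frozenset(m.group("perms").split()),
                pid=int(m.group("pid")),
                comm=m.group("comm"),
                scontext=fields["scontext"],
                tcontext=fields["tcontext"],
                tclass=fields["tclass"],
            )
            continue
        m = SYSCALL_RE.match(line)
        if m:
            nr = int(m.group("nr"))
            name = X86_64_SYSCALLS.get(nr) if m.group("arch") == AUDIT_ARCH_X86_64 else None
            events[int(m.group("serial"))].update(
                syscall=name or f"syscall#{nr}", exit=int(m.group("exit")))
    # Keep only serials that carried an AVC record, in serial order.
    return [events[s] for s in sorted(events) if "tclass" in events[s]]


def describe(ev):
    """One-line summary: who, in which domain, did what, and how it failed."""
    exit_code = ev.get("exit", 0)
    errno = ERRNO.get(-exit_code, str(exit_code))
    perms = "/".join(sorted(ev["perms"]))
    return (f"{ev['comm']}[{ev['pid']}] as {_type_of(ev['scontext'])}: "
            f"{ev.get('syscall', '?')}() {ev['result']} {perms} on "
            f"{ev['tclass']} ({_type_of(ev['tcontext'])}) -> {errno}")


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(events):
    """Collapse denials into the allow rules audit2allow(1) would emit."""
    wanted = defaultdict(set)
    for ev in events:
        if ev["result"] != "denied":
            continue
        src, tgt = _type_of(ev["scontext"]), _type_of(ev["tcontext"])
        if src == tgt:
            tgt = "self"  # same-domain target, as audit2allow prints it
        wanted[(src, tgt, ev["tclass"])].update(ev["perms"])
    return [f"allow {s} {t}:{c} {_perm_list(p)};"
            for (s, t, c), p in sorted(wanted.items())]
```

Running `parse_audit` on the sample and printing `describe` for each event gives lines such as `named[10611] as named_t: add_key() denied write on key (named_t) -> EACCES`, and `allow_rules` returns exactly the two rules in the report. The decoded syscall is the useful part: add_key is the kernel keyring call, and `self:key write` is the permission a domain needs to add keys to keyrings it owns. The rules are what a local module built with `audit2allow -M` would contain; that is a stop-gap for a test box, while the proper fix is the selinux-policy change tracked in the duplicate bug, and any rule added this way should be dropped once the updated policy is installed.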
Comment 1 Scott Poore 2013-09-25 11:51:21 EDT

*** This bug has been marked as a duplicate of bug 1012051 ***
