RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1012060 - RHEL7 ipa-server-install AVC denials for httpd_t and named_t write key
Summary: RHEL7 ipa-server-install AVC denials for httpd_t and named_t write key
Keywords:
Status: CLOSED DUPLICATE of bug 1012051
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-25 15:48 UTC by Scott Poore
Modified: 2014-08-06 14:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-25 15:51:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Scott Poore 2013-09-25 15:48:28 UTC 
Description of problem:

I'm seeing AVC denials during ipa-server-install:

[root@rhel7-1 etc]# ausearch -m avc 
----
time->Wed Sep 25 09:28:13 2013
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc:  denied  { write } for  pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.264:569): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd780890a0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.264:569): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:571): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77910bd0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:571): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.266:572): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.266:572): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:573): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7784e720 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:573): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:574): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77458510 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:574): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:575): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77460340 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:575): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:576): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd778082b0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:576): avc:  denied  { write } for  pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key

[root@rhel7-1 etc]# cat /var/log/audit/audit.log | audit2allow 


#============= httpd_t ==============
allow httpd_t self:key write;

#============= named_t ==============
allow named_t self:key write;


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-80.el7.noarch


How reproducible:
always

Steps to Reproduce:
1.  ipa-server-install

Actual results:
AVC denials causing ipa-server-install to fail during ipa-client-install run at end.  AVC denials listed above.

Expected results:
no AVCs during ipa-server-install

Additional info:

/var/log/ipaserver-install shows this:

2013-09-25T14:28:15Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com
2013-09-25T14:29:20Z DEBUG Process finished, return code=1
2013-09-25T14:29:20Z DEBUG stdout=

2013-09-25T14:29:20Z DEBUG stderr=Hostname: rhel7-1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel7-1.testrelm.com
BaseDN: dc=testrelm,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 752, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 'https://rhel7-1.testrelm.com/ipa/xml': Internal Server Error

2013-09-25T14:29:20Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1217, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2013-09-25T14:29:20Z DEBUG The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com' returned non-zero exit status 1
Comment 1 Scott Poore 2013-09-25 15:51:21 UTC 

*** This bug has been marked as a duplicate of bug 1012051 ***
Note You need to log in before you can comment on or make changes to this bug.