Bug 1027285 - SELinux AVC denials for pki
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-11-06 08:24 EST by Steeve Goveas
Modified: 2014-06-17 22:28 EDT (History)
Fixed In Version: selinux-policy-3.12.1-104.el7
Doc Type: Bug Fix
Description Steeve Goveas 2013-11-06 08:24:59 EST
Description of problem:
AVC denials found during IPA installation

Version-Release number of selected component (if applicable):
[root@hp-z600-01 ~]# rpm -q ipa-server
ipa-server-3.3.2-1.el7.x86_64

[root@hp-z600-01 ~]# rpm -q selinux-policy
selinux-policy-3.12.1-95.el7.noarch


How reproducible:
always

Steps to Reproduce:
[root@hp-z600-01 ~]# ll -Z /tmp
>>drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-D9dn29
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-HbzcnF
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-hCeAVu
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log

[root@hp-z600-01 ~]# ipa-server-install -U -r testrelm.com -p Secret123 -a Secret123 --setup-dns --forwarder 10.16.36.29

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
...
..
.
.
<truncated>

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39

Actual results:

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39
----
time->Wed Nov  6 07:17:53 2013
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:282): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f6ea0015e70 a2=90800 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:283): arch=c000003e syscall=2 success=no exit=-13 a0=7f6ea0015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:286): arch=c000003e syscall=2 success=no exit=-13 a0=7f62180159e0 a1=242 a2=180 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:286): avc:  denied  { write } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.860:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fcaf4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.860:288): avc:  denied  { read } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:285): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f62180159c0 a2=90800 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:285): avc:  denied  { read } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.861:289): arch=c000003e syscall=2 success=no exit=-13 a0=7fcaf4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.861:289): avc:  denied  { write } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:292): arch=c000003e syscall=2 success=no exit=-13 a0=7f77480159e0 a1=242 a2=180 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:292): avc:  denied  { write } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:294): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1ac4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:294): avc:  denied  { read } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f1ac4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:295): avc:  denied  { write } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:291): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f77480159c0 a2=90800 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:291): avc:  denied  { read } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.795:304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f89c00159c0 a2=90800 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.795:304): avc:  denied  { read } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.796:305): arch=c000003e syscall=2 success=no exit=-13 a0=7f89c00159e0 a1=242 a2=180 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.796:305): avc:  denied  { write } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:308): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f5274015e70 a2=90800 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:308): avc:  denied  { read } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:309): arch=c000003e syscall=2 success=no exit=-13 a0=7f5274015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:309): avc:  denied  { write } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:319): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:320): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Expected results:
No AVC denials found

Additional info:
* No avc denials were found after changing context 
# cd /tmp
# chcon -t tmp_t hsperf*
Comment 2 Miroslav Grepl 2013-11-06 08:52:37 EST
This is a weird issue. Basically this directory is created by Java in the post install so we are not able to control the labeling.

I guess there is no way to tell Java to create this directory in a different location, right?
Comment 3 Steeve Goveas 2013-11-08 07:19:03 EST
The directory is created while installing java-1.7.0-openjdk and its dependencies rhino, jline, and java-1.7.0-openjdk-headless; not sure if the location of its creation can be controlled.

[root@hp-z600-01 ~]# ll /tmp/ -Z
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

[root@hp-z600-01 ~]#  yum install java-1.7.0-openjdk -y

======================================================================================================================================================
 Package                                      Arch                    Version                                    Repository                      Size
======================================================================================================================================================
Installing:
 java-1.7.0-openjdk                           x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                         205 k
Installing for dependencies:
 java-1.7.0-openjdk-headless                  x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                          25 M
 jline                                        noarch                  1.0-7.el7                                  beaker-Server                   70 k
 rhino                                        noarch                  1.7R4-3.el7                                beaker-Server                  1.0 M

Transaction Summary
======================================================================================================================================================

[root@hp-z600-01 ~]# ll /tmp/ -Z
drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx
Comment 4 Martin Kosek 2013-11-20 10:15:06 EST
This seems to be a general JDK issue, see for example https://bugzilla.redhat.com/show_bug.cgi?id=917843#c6. Also adding Nathan so he knows about this one.
Comment 5 Miroslav Grepl 2013-11-20 10:20:53 EST
We can add a filename transition rule for this.

I mean for hsperfdata_root. We just need to select the correct label which is probably user_tmp_t.

   allow pki_tomcat_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow pki_tomcat_t user_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
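The AVC records in the description and the two allow rules quoted in this comment are the two ends of one computation: parse the denials, group the denied permissions by source type, target type and object class, and render them as allow statements. The script below is an added example, not code from the bug report or from selinux-policy. It parses a handful of audit lines constructed from the records pasted in the description (the variable and function names are the example's own) and also lists the denied object names with their labels, which is the information this thread actually acts on: the fix chosen here is relabelling hsperfdata_root, not granting pki_tomcat_t access to rpm_script_tmp_t.

```python
import re
from collections import defaultdict

# Constructed sample input in ausearch's raw format, built from the shapes
# of records pasted in the report: a separator and timestamp line, one
# USER_AVC policyload notice (not a denial) and three denials against the
# rpm_script_tmp_t-labelled hsperfdata_root directory.
SAMPLE_AUDIT = """\
----
time->Wed Nov  6 07:17:53 2013
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1383740389.179:286): avc:  denied  { write } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
"""

# Only "type=AVC" denial records are of interest; USER_AVC notices, "----"
# separators and "time->" lines do not match and are skipped.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not a denial."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type:level -> type, the component policy rules are written on."""
    return ctx.split(":")[2]


def aggregate(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        rules[key].update(rec["perms"])
    return rules


def allow_rules(text):
    """Render the aggregate as allow statements (the form audit2allow emits)."""
    out = []
    for (src, tgt, cls), perms in sorted(aggregate(text).items()):
        perm_str = " ".join(sorted(perms))
        out.append(f"allow {src} {tgt} : {cls} {{ {perm_str} }} ;")
    return out


def denied_objects(text):
    """Names and labels of the denied objects: what an operator would relabel."""
    seen = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and "name" in rec:
            seen.add((rec["name"], context_type(rec["tcontext"])))
    return sorted(seen)


if __name__ == "__main__":
    print("Rules the denials would require:")
    for rule in allow_rules(SAMPLE_AUDIT):
        print("   ", rule)
    print("Objects denied, with their current label:")
    for name, label in denied_objects(SAMPLE_AUDIT):
        print(f"    {name}: {label}")
```

Run it directly to print both lists. The allow statement it derives should be read as a description of the mislabel rather than as a rule to load: a domain granted read and write on rpm_script_tmp_t would reach any scratch data rpm scriptlets leave under /tmp, which is why the thread settles on giving hsperfdata_root a proper tmp label instead of widening pki_tomcat_t.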
Comment 6 Miroslav Grepl 2013-11-20 10:23:11 EST
Could you guys test it with this label?

# chcon -R -t user_tmp_t /tmp/hsperfdata_root
Comment 7 Miroslav Grepl 2013-11-21 05:03:09 EST
commit 0290b27e98dd229bf05f94233ac08924b2b52d6a
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Fri Nov 15 13:33:18 2013 -0500

    Label hsperfdata_root as tmp_t
Comment 8 Michael Gregg 2013-12-13 14:36:34 EST
This still seems to be an issue as of 

/sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR:

time->Fri Dec 13 14:00:23 2013
type=SYSCALL msg=audit(1386961223.120:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1b44008590 a2=90800 a3=0 items=0 ppid=1 pid=14474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961223.120:125): avc:  denied  { read } for  pid=14474 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:142): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f7168008160 a2=90800 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:142): avc:  denied  { read } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:143): arch=c000003e syscall=2 success=no exit=-13 a0=7f7168008180 a1=242 a2=180 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:143): avc:  denied  { write } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.141:147): arch=c000003e syscall=2 success=no exit=-13 a0=7f48bc0085b0 a1=242 a2=180 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.141:147): avc:  denied  { write } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.140:146): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f48bc008590 a2=90800 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.140:146): avc:  denied  { read } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir



I will try a run again with "chcon -R -t user_tmp_t /tmp/hsperfdata_root"
Comment 9 Michael Gregg 2013-12-13 16:19:44 EST
I confirmed that running the following before ipa-install is a work-around for this BZ:

mkdir /tmp/hsperfdata_root
chcon -R -t user_tmp_t /tmp/hsperfdata_root
Comment 11 Michael Gregg 2013-12-23 14:51:07 EST
As of ipa-server-3.3.3-6.el7.x86_64 I no longer need to utilize the work-around.
Comment 12 Ludek Smid 2014-06-13 05:32:34 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
