Bug 1027285 - SELinux AVC denials for pki
Summary: SELinux AVC denials for pki
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2013-11-06 13:24 UTC by Steeve Goveas
Modified: 2014-06-18 02:28 UTC (History)

Fixed In Version: selinux-policy-3.12.1-104.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 09:32:34 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 917843 0 unspecified CLOSED SELinux AVC denials for pki 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1005388 0 unspecified CLOSED Encountering AVC error messages 2021-02-22 00:41:40 UTC

Internal Links: 917843 1005388

Description Steeve Goveas 2013-11-06 13:24:59 UTC
Description of problem:
AVC denials found during IPA installation

Version-Release number of selected component (if applicable):
[root@hp-z600-01 ~]# rpm -q ipa-server
ipa-server-3.3.2-1.el7.x86_64

[root@hp-z600-01 ~]# rpm -q selinux-policy
selinux-policy-3.12.1-95.el7.noarch


How reproducible:
always

Steps to Reproduce:
[root@hp-z600-01 ~]# ll -Z /tmp
>>drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-D9dn29
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-HbzcnF
-rwx------. root root system_u:object_r:initrc_tmp_t:s0 ks-script-hCeAVu
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log

[root@hp-z600-01 ~]# ipa-server-install -U -r testrelm.com -p Secret123 -a Secret123 --setup-dns --forwarder 10.16.36.29

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
...
..
.
.
<truncated>

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39

Actual results:

[root@hp-z600-01 ~]# /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/06/2013 07:17:39
----
time->Wed Nov  6 07:17:53 2013
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:282): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f6ea0015e70 a2=90800 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:18:45 2013
type=SYSCALL msg=audit(1383740325.593:283): arch=c000003e syscall=2 success=no exit=-13 a0=7f6ea0015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:286): arch=c000003e syscall=2 success=no exit=-13 a0=7f62180159e0 a1=242 a2=180 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:286): avc:  denied  { write } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.860:288): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fcaf4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.860:288): avc:  denied  { read } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:49 2013
type=SYSCALL msg=audit(1383740389.179:285): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f62180159c0 a2=90800 a3=0 items=0 ppid=27283 pid=27299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740389.179:285): avc:  denied  { read } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:50 2013
type=SYSCALL msg=audit(1383740390.861:289): arch=c000003e syscall=2 success=no exit=-13 a0=7fcaf4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740390.861:289): avc:  denied  { write } for  pid=27497 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:292): arch=c000003e syscall=2 success=no exit=-13 a0=7f77480159e0 a1=242 a2=180 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:292): avc:  denied  { write } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:294): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1ac4015e70 a2=90800 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:294): avc:  denied  { read } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:00 2013
type=SYSCALL msg=audit(1383740400.968:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f1ac4015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=27800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740400.968:295): avc:  denied  { write } for  pid=27800 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:19:58 2013
type=SYSCALL msg=audit(1383740398.915:291): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f77480159c0 a2=90800 a3=0 items=0 ppid=27594 pid=27610 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740398.915:291): avc:  denied  { read } for  pid=27610 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.795:304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f89c00159c0 a2=90800 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.795:304): avc:  denied  { read } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:40 2013
type=SYSCALL msg=audit(1383740440.796:305): arch=c000003e syscall=2 success=no exit=-13 a0=7f89c00159e0 a1=242 a2=180 a3=0 items=0 ppid=28088 pid=28104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740440.796:305): avc:  denied  { write } for  pid=28104 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:308): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f5274015e70 a2=90800 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:308): avc:  denied  { read } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:20:42 2013
type=SYSCALL msg=audit(1383740442.386:309): arch=c000003e syscall=2 success=no exit=-13 a0=7f5274015e90 a1=242 a2=180 a3=0 items=0 ppid=1 pid=28299 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java-abrt" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.40-2.4.2.6.el7.x86_64/jre/bin/java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740442.386:309): avc:  denied  { write } for  pid=28299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:319): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Nov  6 07:22:32 2013
type=USER_AVC msg=audit(1383740552.857:320): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Expected results:
No AVC denials found

Additional info:
* No avc denials were found after changing context 
# cd /tmp
# chcon -t tmp_t hsperf*
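
The following triage sketch is an added example, not part of the original report or of any Red Hat tooling. It collapses ausearch output like the above into unique (source type, target type, class) tuples and flags denials whose target carries another domain's private `*_tmp_t` label, the pattern seen here; the `SHARED_TMP` set and the `<domain>_tmp_t` naming heuristic are assumptions.

```python
import re
from collections import defaultdict

# Abridged from the ausearch output in this report: one policy-load notice,
# one SYSCALL companion record (shortened) and three AVC denials.
SAMPLE = """\
type=USER_AVC msg=audit(1383740273.203:259): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1383740325.593:282): arch=c000003e syscall=257 success=no exit=-13 comm="java-abrt" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1383740325.593:282): avc:  denied  { read } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1383740325.593:283): avc:  denied  { write } for  pid=27096 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
type=AVC msg=audit(1383740389.179:286): avc:  denied  { write } for  pid=27299 comm="java-abrt" name="hsperfdata_root" dev="dm-1" ino=203994696 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
"""

DENIAL = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: the generic temp labels this report treats as acceptable.
SHARED_TMP = {'tmp_t', 'user_tmp_t'}


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_denials(text):
    """Yield one dict per kernel AVC denial; skip SYSCALL and USER_AVC records."""
    for line in text.splitlines():
        if not line.startswith('type=AVC '):
            continue
        m = DENIAL.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(m.group('fields'))}
        yield {
            'perms': set(m.group('perms').split()),
            'source': context_type(f['scontext']),
            'target': context_type(f['tcontext']),
            'tclass': f['tclass'],
            'name': f.get('name', ''),
        }


def foreign_tmp(source, target):
    """Heuristic (assumption): target is a private tmp type of another domain."""
    own = source[:-2] + '_tmp_t' if source.endswith('_t') else None
    return (target.endswith('_tmp_t') and target not in SHARED_TMP
            and target != own)


def triage(text):
    """Group denials by (source, target, class) and mark relabel candidates."""
    groups = defaultdict(lambda: {'perms': set(), 'names': set(), 'count': 0})
    for d in parse_denials(text):
        g = groups[(d['source'], d['target'], d['tclass'])]
        g['perms'] |= d['perms']
        g['names'].add(d['name'])
        g['count'] += 1
    return [{
        'rule': f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }}",
        'count': g['count'],
        'names': sorted(g['names']),
        'relabel_candidate': foreign_tmp(s, t),
    } for (s, t, c), g in sorted(groups.items())]


if __name__ == '__main__':
    for row in triage(SAMPLE):
        print(row)
```

A group marked as a relabel candidate points at an object created by a different domain, which is a reason to correct the label rather than widen the policy of the denied domain.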

Comment 2 Miroslav Grepl 2013-11-06 13:52:37 UTC
This is a weird issue. Basically this directory is created by Java in the post install so we are not able to control the labeling.

I guess there is no way to tell Java to create this directory in a different location, right?

Comment 3 Steeve Goveas 2013-11-08 12:19:03 UTC
The directory is created while installing java-1.7.0-openjdk and its dependencies rhino, jline, and java-1.7.0-openjdk-headless; not sure if the location of its creation can be controlled.

[root@hp-z600-01 ~]# ll /tmp/ -Z
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

[root@hp-z600-01 ~]#  yum install java-1.7.0-openjdk -y

======================================================================================================================================================
 Package                                      Arch                    Version                                    Repository                      Size
======================================================================================================================================================
Installing:
 java-1.7.0-openjdk                           x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                         205 k
Installing for dependencies:
 java-1.7.0-openjdk-headless                  x86_64                  1:1.7.0.45-2.4.3.4.el7                     brew70                          25 M
 jline                                        noarch                  1.0-7.el7                                  beaker-Server                   70 k
 rhino                                        noarch                  1.7R4-3.el7                                beaker-Server                  1.0 M

Transaction Summary
======================================================================================================================================================

[root@hp-z600-01 ~]# ll /tmp/ -Z
drwxr-xr-x. root root unconfined_u:object_r:rpm_script_tmp_t:s0 hsperfdata_root
-rw-------. root root unconfined_u:object_r:user_tmp_t:s0 tmp.u1IQb2
-rw-------. root root system_u:object_r:initrc_tmp_t:s0 yum.log
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-07.08-54._xMuN7.yumtx
-rw-------. root root unconfined_u:object_r:rpm_tmp_t:s0 yum_save_tx.2013-11-08.04-53.s0bqpU.yumtx

Comment 4 Martin Kosek 2013-11-20 15:15:06 UTC
This seems to be a general JDK issue, see for example https://bugzilla.redhat.com/show_bug.cgi?id=917843#c6. Also adding Nathan to know about this one.

Comment 5 Miroslav Grepl 2013-11-20 15:20:53 UTC
We can add a filename transition rule for this.

I mean for hsperfdata_root. We just need to select the correct label which is probably user_tmp_t.

   allow pki_tomcat_t user_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow pki_tomcat_t user_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;

Comment 6 Miroslav Grepl 2013-11-20 15:23:11 UTC
Could you guys test it with this label?

# chcon -R -t user_tmp_t /tmp/hsperfdata_root

Comment 7 Miroslav Grepl 2013-11-21 10:03:09 UTC
commit 0290b27e98dd229bf05f94233ac08924b2b52d6a
Author: Dan Walsh <dwalsh>
Date:   Fri Nov 15 13:33:18 2013 -0500

    Label hsperfdata_root as tmp_t

Comment 8 Michael Gregg 2013-12-13 19:36:34 UTC
This still seems to be an issue as of 

/sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR:

time->Fri Dec 13 14:00:23 2013
type=SYSCALL msg=audit(1386961223.120:125): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f1b44008590 a2=90800 a3=0 items=0 ppid=1 pid=14474 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961223.120:125): avc:  denied  { read } for  pid=14474 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:142): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f7168008160 a2=90800 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:142): avc:  denied  { read } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:10 2013
type=SYSCALL msg=audit(1386961270.658:143): arch=c000003e syscall=2 success=no exit=-13 a0=7f7168008180 a1=242 a2=180 a3=0 items=0 ppid=15108 pid=15124 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961270.658:143): avc:  denied  { write } for  pid=15124 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.141:147): arch=c000003e syscall=2 success=no exit=-13 a0=7f48bc0085b0 a1=242 a2=180 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.141:147): avc:  denied  { write } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Fri Dec 13 14:01:13 2013
type=SYSCALL msg=audit(1386961273.140:146): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f48bc008590 a2=90800 a3=0 items=0 ppid=1 pid=15330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45-2.4.3.4.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1386961273.140:146): avc:  denied  { read } for  pid=15330 comm="java" name="hsperfdata_root" dev="dm-1" ino=203115876 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir



I will try a run again with "chcon -R -t user_tmp_t /tmp/hsperfdata_root"

Comment 9 Michael Gregg 2013-12-13 21:19:44 UTC
I confirmed that running the following before ipa-install is a work-around for this BZ:

mkdir /tmp/hsperfdata_root
chcon -R -t user_tmp_t /tmp/hsperfdata_root

Comment 11 Michael Gregg 2013-12-23 19:51:07 UTC
As of ipa-server-3.3.3-6.el7.x86_64 I no longer need to utilize the work-around.

Comment 12 Ludek Smid 2014-06-13 09:32:34 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

