Bug 1049532 - IPA CA certificate renewal fails due to AVC
Summary: IPA CA certificate renewal fails due to AVC
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Depends On:
Blocks: 1040018
Reported: 2014-01-07 17:17 UTC by Martin Kosek
Modified: 2014-09-30 23:35 UTC

Fixed In Version: selinux-policy-3.12.1-118.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-13 10:45:13 UTC
Target Upstream Version:


Description Martin Kosek 2014-01-07 17:17:47 UTC
Description of problem:
When CA subsystem certificates on an IPA replica are being renewed (using certmonger component), the process fails due to AVC:

# getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Resubmitting "20140107045317" to "dogtag-ipa-retrieve-agent-submit".

# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'
Number of certificates and requests being tracked: 7.
Request ID '20140107045317':
	status: CA_UNREACHABLE     <<<<<<<<<
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='783685401901'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2015-12-28 05:00:43 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes

type=SYSCALL msg=audit(1389071271.605:211): arch=c000003e syscall=1 success=yes exit=3198461 a0=4 a1=7fcafa2b6010 a2=30cdfd a3=7fffa5473860 items=0 ppid=5380 pid=5383 auid=525 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389071400.261:212): avc:  denied  { name_connect } for  pid=5417 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1389071400.261:212): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=3022280 a2=10 a3=0 items=0 ppid=5042 pid=5417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-retr" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)

# tail /var/log/audit/audit.log | audit2allow 

#============= certmonger_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap
allow certmonger_t ldap_port_t:tcp_socket name_connect;

When I added a SELinux module with this rule, the renewal worked.

Version-Release number of selected component (if applicable):
How reproducible:

Steps to Reproduce:
1. Install IPA server
2. Install IPA replica with CA
3. Renew CA subsystem certificate on IPA master
4. Renew CA subsystem certificate on IPA replica (reads the one generated on master)

Actual results:
Step 4. fails due to AVC

Expected results:
Step 4 succeeds

Additional info:
Detailed reproduction scenario in Bug 1040009#c3.
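Added example, not code from the bug report or from the selinux-policy project: a small Python parser that reads the AVC records quoted above and derives the same `allow` rule that audit2allow printed, so the source type, target type and object class of a denial can be checked against what the daemon legitimately needs before a local module is built. It goes a step beyond the page by merging several denials for the same type pair into one rule. The sample audit text is constructed from the records in the description.

```python
import re

# Constructed sample: the SYSCALL/AVC records from the bug report, trimmed.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1389071271.605:211): arch=c000003e syscall=1 success=yes comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389071400.261:212): avc:  denied  { name_connect } for  pid=5417 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1389071400.261:212): arch=c000003e syscall=42 success=no exit=-13 comm="dogtag-ipa-retr" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." as written to audit.log
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """The third colon-separated field of a context is its type (certmonger_t)."""
    return context.split(':')[2]


def allow_rules(audit_text):
    """Collapse denials into deduplicated TE allow rules, as audit2allow does."""
    rules = {}
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue  # SYSCALL and other record types carry no denial
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        rules.setdefault(key, set()).update(avc['perms'])
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm = perms.pop() if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm))
    return out


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)  # allow certmonger_t ldap_port_t:tcp_socket name_connect;
```

Compare the printed rule with the daemon's expected behaviour (here certmonger really does need LDAP to fetch the renewed certificate from the master) before packaging it with checkmodule/semodule, rather than allowing whatever the log shows.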

Comment 1 Martin Kosek 2014-01-07 17:19:32 UTC
Related FreeIPA upstream ticket: https://fedorahosted.org/freeipa/ticket/4070

Comment 2 Miroslav Grepl 2014-01-08 16:32:40 UTC
commit 6d052ee7f61976330e4c94d484a06e9e57893abf
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jan 8 17:31:39 2014 +0100

    Allow certmonger to connect ldap port to make IPA CA certificate renewal working

Comment 3 Martin Kosek 2014-01-10 15:02:31 UTC
Thanks. Will the fix be also pushed to Fedora? (rawhide or 20)

Comment 5 Miroslav Grepl 2014-01-13 13:43:44 UTC
(In reply to Martin Kosek from comment #3)
> Thanks. Will the fix be also pushed to Fedora? (rawhide or 20)

Yes, all changes go also to rawhide/F20.

Comment 6 Martin Kosek 2014-01-13 15:43:54 UTC
Thanks for info, good to know.

Comment 7 Martin Kosek 2014-01-16 08:34:52 UTC
Mirek, I do not see the fix in the latest selinux-policy-3.12.1-117.el7.noarch. I still get the same AVC + I also do not see the referred patch in the list of fixes in the latest build.

Do I miss anything?

Comment 8 Miroslav Grepl 2014-01-16 09:03:06 UTC
I apologize, you are right. Has been added only to rawhide.

Fixed in selinux-policy-3.12.1-118.el7

Comment 10 Ludek Smid 2014-06-13 10:45:13 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
