1049532 – IPA CA certificate renewal fails due to AVC

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1049532 - IPA CA certificate renewal fails due to AVC

Summary: IPA CA certificate renewal fails due to AVC

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Michal Trunecka
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1040018
TreeView+	depends on / blocked

Reported:	2014-01-07 17:17 UTC by Martin Kosek
Modified:	2014-09-30 23:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.12.1-118.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 10:45:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Martin Kosek 2014-01-07 17:17:47 UTC

Description of problem:
When CA subsystem certificates on an IPA replica are being renewed (using certmonger component), the process fails due to AVC:

# getcert resubmit -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'Resubmitting "20140107045317" to "dogtag-ipa-retrieve-agent-submit".

# getcert list -d '/etc/pki/pki-tomcat/alias' -n 'auditSigningCert cert-pki-ca'Number of certificates and requests being tracked: 7.
Request ID '20140107045317':
	status: CA_UNREACHABLE     <<<<<<<<<
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='783685401901'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Audit,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2015-12-28 05:00:43 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes



/var/log/audit.log:
type=SYSCALL msg=audit(1389071271.605:211): arch=c000003e syscall=1 success=yes exit=3198461 a0=4 a1=7fcafa2b6010 a2=30cdfd a3=7fffa5473860 items=0 ppid=5380 pid=5383 auid=525 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389071400.261:212): avc:  denied  { name_connect } for  pid=5417 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1389071400.261:212): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=3022280 a2=10 a3=0 items=0 ppid=5042 pid=5417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-retr" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)

# tail /var/log/audit/audit.log | audit2allow 


#============= certmonger_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, authlogin_nsswitch_use_ldap
allow certmonger_t ldap_port_t:tcp_socket name_connect;


When I added a SELinux module with this rule, the renewal worked.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-112.el7.noarch
ipa-server-3.3.3-8.el7.x86_64
certmonger-0.70-1.el7.x86_64
pki-ca-10.0.5-3.el7.noarch
389-ds-base-1.3.1.6-13.el7.x86_64
How reproducible:


Steps to Reproduce:
1. Install IPA server
2. Install IPA replica with CA
3. Renew CA subsystem certificate on IPA master
4. Renew CA subsystem certificate on IPA replica (reads the one generated on master)

Actual results:
Step 4. fails due to AVC

Expected results:
Step 4 succeeds

Additional info:
Detailed reproduction scenario in Bug 1040009#c3.

Comment 1 Martin Kosek 2014-01-07 17:19:32 UTC

Related FreeIPA upstream ticket: https://fedorahosted.org/freeipa/ticket/4070

Comment 2 Miroslav Grepl 2014-01-08 16:32:40 UTC

commit 6d052ee7f61976330e4c94d484a06e9e57893abf
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jan 8 17:31:39 2014 +0100

    Allow certmonger to connect ldap port to make IPA CA certificate renewal working

Comment 3 Martin Kosek 2014-01-10 15:02:31 UTC

Thanks. Will the fix be also pushed to Fedora? (rawhide or 20)

Comment 5 Miroslav Grepl 2014-01-13 13:43:44 UTC

(In reply to Martin Kosek from comment #3)
> Thanks. Will the fix be also pushed to Fedora? (rawhide or 20)

Yes, all changes go also to rawhide/F20.

Comment 6 Martin Kosek 2014-01-13 15:43:54 UTC

Thanks for info, good to know.

Comment 7 Martin Kosek 2014-01-16 08:34:52 UTC

Mirek, I do not see the fix in the latest selinux-policy-3.12.1-117.el7.noarch. I still get the same AVC + I also do not see the referred patch in the list of fixes in the latest build.

Do I miss anything?

Comment 8 Miroslav Grepl 2014-01-16 09:03:06 UTC

I apologize, you are right. Has been added only to rawhide.

Fixed in selinux-policy-3.12.1-118.el7

Comment 10 Ludek Smid 2014-06-13 10:45:13 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.