Bug 1076523 - java avc denial message on installing IPA
Summary: java avc denial message on installing IPA
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1075153 1078192
Depends On:
Blocks:
Reported: 2014-03-14 13:43 UTC by Kaleem
Modified: 2014-06-13 09:44 UTC (History)

Fixed In Version: selinux-policy-3.12.1-153.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:44:02 UTC
Target Upstream Version:
Embargoed:


Attachments:
audit.log with selinux-policy-3.12.1-149.el7.noarch (2.88 KB, application/gzip), 2014-04-02 06:33 UTC, Martin Kosek

Description Kaleem 2014-03-14 13:43:52 UTC
Description of problem:
The following AVC denied message is shown when the IPA installation is run with the external-ca option.

----
time->Fri Mar 14 05:52:22 2014
type=SYSCALL msg=audit(1394790742.084:93): arch=c000003e syscall=87 success=no exit=-13 a0=7f2e80008230 a1=7f2e80008030 a2=7f2e8000824a a3=2eda items=0 ppid=1 pid=13076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1394790742.084:93): avc:  denied  { unlink } for  pid=13076 comm="java" name="11994" dev="dm-1" ino=986800 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
----
time->Fri Mar 14 05:52:22 2014
type=SYSCALL msg=audit(1394790742.147:94): arch=c000003e syscall=2 success=no exit=-13 a0=7f2e79218d18 a1=0 a2=1b6 a3=7f2e7ce0970c items=0 ppid=1 pid=13076 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1394790742.147:94): avc:  denied  { search } for  pid=13076 comm="java" name="net" dev="proc" ino=5841 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Fri Mar 14 05:57:16 2014
type=USER_AVC msg=audit(1394791036.770:125): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Mar 14 05:57:16 2014
type=USER_AVC msg=audit(1394791036.770:126): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----

First I thought that it's due to https://bugzilla.redhat.com/show_bug.cgi?id=1071858, but the IPA installation ran on kernel-3.10-0.110, where bug 1071858 was fixed.
The IPA installation is successful, though.

Version-Release number of selected component (if applicable):
[root@master ~]# rpm -q ipa-server pki-ca kernel
ipa-server-3.3.3-25.el7.x86_64
pki-ca-10.0.5-3.el7.noarch
kernel-3.10.0-89.el7.x86_64
kernel-3.10.0-108.el7.x86_64
kernel-3.10.0-110.el7.x86_64
[root@master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Run the IPA installation with the --external-ca option
  
ipa-server-install --external-ca --setup-dns --forwarder=10.65.201.89 --hostname=master.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -P xxxxxxxx -a xxxxxxxx -U

2. Look into the audit log for the AVC denial message


Actual results:
The AVC denial message from the description section is shown.

Expected results:
No AVC denial message should be shown.

Comment 3 Namita Soman 2014-03-17 15:10:17 UTC
Also seeing a similar AVC on an ipa-server-install, so appending to this bz.

Installing the server using cmd:
ipa-server-install --setup-dns --forwarder=x.x.x.x --hostname=blade04.testrelm.test -r TESTRELM.TEST -n testrelm.test -p <password> -P <password> -a <password> -U

Install is successful.

But seeing AVCs:
time->Mon Mar 17 10:32:29 2014
type=PATH msg=audit(1395066749.831:143): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066749.831:143):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066749.831:143): arch=c000003e syscall=2 success=no exit=-13 a0=7f44c6cead18 a1=0 a2=1b6 a3=7f44d425f70c items=1 ppid=1 pid=15801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066749.831:143): avc:  denied  { search } for  pid=15801 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:32:29 2014
type=PATH msg=audit(1395066749.831:144): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066749.831:144):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066749.831:144): arch=c000003e syscall=2 success=no exit=-13 a0=7f44c6cead18 a1=0 a2=1b6 a3=7f44d425f70c items=1 ppid=1 pid=15801 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066749.831:144): avc:  denied  { search } for  pid=15801 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:33:47 2014
type=PATH msg=audit(1395066827.823:148): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066827.823:148):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066827.823:148): arch=c000003e syscall=2 success=no exit=-13 a0=7f8186debd18 a1=0 a2=1b6 a3=7f819430970c items=1 ppid=1 pid=16821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066827.823:148): avc:  denied  { search } for  pid=16821 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:33:47 2014
type=PATH msg=audit(1395066827.823:149): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066827.823:149):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066827.823:149): arch=c000003e syscall=2 success=no exit=-13 a0=7f8186debd18 a1=0 a2=1b6 a3=7f819430970c items=1 ppid=1 pid=16821 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066827.823:149): avc:  denied  { search } for  pid=16821 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:33:58 2014
type=PATH msg=audit(1395066838.245:152): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066838.245:152):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066838.245:152): arch=c000003e syscall=2 success=no exit=-13 a0=7fb7dfbf9d18 a1=0 a2=1b6 a3=7fb80501270c items=1 ppid=1 pid=17216 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066838.245:152): avc:  denied  { search } for  pid=17216 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:33:58 2014
type=PATH msg=audit(1395066838.245:153): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066838.245:153):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066838.245:153): arch=c000003e syscall=2 success=no exit=-13 a0=7fb7dfbf9d18 a1=0 a2=1b6 a3=7fb80501270c items=1 ppid=1 pid=17216 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066838.245:153): avc:  denied  { search } for  pid=17216 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:34:39 2014
type=PATH msg=audit(1395066879.140:164): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066879.140:164):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066879.140:164): arch=c000003e syscall=2 success=no exit=-13 a0=7f06a38f6d18 a1=0 a2=1b6 a3=7f06c0e0970c items=1 ppid=1 pid=18024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066879.140:164): avc:  denied  { search } for  pid=18024 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:34:39 2014
type=PATH msg=audit(1395066879.140:165): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395066879.140:165):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395066879.140:165): arch=c000003e syscall=2 success=no exit=-13 a0=7f06a38f6d18 a1=0 a2=1b6 a3=7f06c0e0970c items=1 ppid=1 pid=18024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395066879.140:165): avc:  denied  { search } for  pid=18024 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:36:39 2014
type=USER_AVC msg=audit(1395066999.507:174): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 17 10:36:39 2014
type=USER_AVC msg=audit(1395066999.507:175): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Mon Mar 17 10:37:44 2014
type=PATH msg=audit(1395067064.730:186): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395067064.730:186):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395067064.730:186): arch=c000003e syscall=2 success=no exit=-13 a0=7f9f500aed18 a1=0 a2=1b6 a3=7f9f6901270c items=1 ppid=1 pid=20110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395067064.730:186): avc:  denied  { search } for  pid=20110 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Mon Mar 17 10:37:44 2014
type=PATH msg=audit(1395067064.730:187): item=0 name="/proc/sys/net/ipv4/ip_local_port_range" objtype=UNKNOWN
type=CWD msg=audit(1395067064.730:187):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395067064.730:187): arch=c000003e syscall=2 success=no exit=-13 a0=7f9f500aed18 a1=0 a2=1b6 a3=7f9f6901270c items=1 ppid=1 pid=20110 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395067064.730:187): avc:  denied  { search } for  pid=20110 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Comment 4 Miroslav Grepl 2014-03-17 16:22:45 UTC
Added to Fedora.

Comment 7 Martin Kosek 2014-03-19 11:43:32 UTC
*** Bug 1078192 has been marked as a duplicate of this bug. ***

Comment 8 Rob Crittenden 2014-03-19 12:50:13 UTC
Updated Summary since this isn't related to --external-ca.

Comment 10 Miroslav Grepl 2014-03-20 09:09:54 UTC
#!!!! This avc is allowed in the current policy
allow pki_tomcat_t sysctl_net_t:dir search;

#!!!! This avc is allowed in the current policy
allow pki_tomcat_t sysctl_net_t:file { read open };


are already fixed in the latest build.


Could you re-test it? Is net_admin really needed?

Comment 11 Miroslav Grepl 2014-03-20 09:19:06 UTC
*** Bug 1075153 has been marked as a duplicate of this bug. ***

Comment 12 Kaleem 2014-03-20 09:22:38 UTC
(In reply to Miroslav Grepl from comment #10)
> #!!!! This avc is allowed in the current policy
> allow pki_tomcat_t sysctl_net_t:dir search;
> 
> #!!!! This avc is allowed in the current policy
> allow pki_tomcat_t sysctl_net_t:file { read open };
> 
> 
> are already fixed in the latest build.
Which build and compose?
> 
> 
> Could you re-test it? Is net_admin really needed?

Comment 13 Miroslav Grepl 2014-03-20 09:47:56 UTC
$ sesearch -T |grep hsperfdata_root
type_transition rpm_script_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition authconfig_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition devicekit_disk_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition neutron_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition pegasus_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition unconfined_t tmp_t : dir tmp_t "hsperfdata_root"; 
type_transition sysadm_t tmp_t : dir tmp_t "hsperfdata_root";

$ ls -dZ /tmp /var/tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp


So how exactly is hsperfdata_root created?

Comment 14 Miroslav Grepl 2014-03-20 09:50:26 UTC
(In reply to Kaleem from comment #12)
> (In reply to Miroslav Grepl from comment #10)
> > #!!!! This avc is allowed in the current policy
> > allow pki_tomcat_t sysctl_net_t:dir search;
> > 
> > #!!!! This avc is allowed in the current policy
> > allow pki_tomcat_t sysctl_net_t:file { read open };
> > 
> > 
> > are already fixed in the latest build.
> Which build and compose?
> > 
> > 
> > Could you re-test it? Is net_admin really needed?

Should be in nightly or you can grab it from brew.

https://brewweb.devel.redhat.com/buildinfo?buildID=344759

Comment 15 Martin Kosek 2014-03-20 10:01:02 UTC
BTW, it seems to me that we see the hsperfdata_root AVC issue too many times. I was able to find at least 3 other open bugs related to it:

Bug 1027285 - SELinux AVC denials for pki
Bug 962513 - f18 avc denials during freeipa server and replica installs
Bug 1005388 - Encountering AVC error messages

It looks like something we should address soon, to prevent it popping up again.

Comment 16 Miroslav Grepl 2014-03-20 10:40:36 UTC
Yes. See comment #13.

Comment 17 Kaleem 2014-03-20 10:46:17 UTC
(In reply to Miroslav Grepl from comment #13)
> $ sesearch -T |grep hsperfdata_root
> type_transition rpm_script_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition authconfig_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition devicekit_disk_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition neutron_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition pegasus_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition unconfined_t tmp_t : dir tmp_t "hsperfdata_root"; 
> type_transition sysadm_t tmp_t : dir tmp_t "hsperfdata_root";
> 
> $ ls -dZ /tmp /var/tmp
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp
> 
> 
> so how is hsperfdata_root exactly created?

Please have a look at the link below for hsperfdata_root.

https://bugzilla.redhat.com/show_bug.cgi?id=962513#c2

Comment 18 Milos Malik 2014-03-20 22:17:55 UTC
A clean x86_64 machine, enforcing mode, DISTRO=RHEL-7.0-20140317.0, selinux-policy-targeted-3.12.1-142.el7, unique AVCs only:

----
time->Thu Mar 20 18:06:26 2014
type=PATH msg=audit(1395353186.136:387): item=1 name="/tmp/hsperfdata_root/12458" inode=51162138 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:rpm_script_tmp_t:s0 objtype=DELETE
type=PATH msg=audit(1395353186.136:387): item=0 name="/tmp/hsperfdata_root/" inode=51162137 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0 objtype=PARENT
type=CWD msg=audit(1395353186.136:387):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1395353186.136:387): arch=c000003e syscall=87 success=no exit=-13 a0=7ff018008230 a1=7ff018008023 a2=38 a3=30aa items=2 ppid=1 pid=16553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395353186.136:387): avc:  denied  { unlink } for  pid=16553 comm="java" name="12458" dev="dm-0" ino=51162138 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
----
time->Thu Mar 20 18:06:26 2014
type=SYSCALL msg=audit(1395353186.187:391): arch=c000003e syscall=0 success=yes exit=12 a0=4 a1=7ff0221ab000 a2=400 a3=22 items=0 ppid=1 pid=16553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1395353186.187:391): avc:  denied  { net_admin } for  pid=16553 comm="java" capability=12  scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=capability
----

Comment 19 Miroslav Grepl 2014-03-24 11:43:54 UTC
We really need to know how /tmp/hsperfdata_root is created. There needs to be a renaming.

Comment 20 Eric Paris 2014-03-24 17:01:51 UTC
So some rpm script run when installing the java-1.7.0-openjdk rpm creates /tmp/hsperfdata_root and then IPA uses this (in /tmp...)? Sounds to me like this isn't an SELinux problem, but a problem with the java rpm. Many of us have /tmp/ on tmpfs. It shouldn't be putting data there...

Comment 21 Miroslav Grepl 2014-03-24 17:06:26 UTC
Which should be covered by 

> type_transition rpm_script_t tmp_t : dir tmp_t "hsperfdata_root"; 

but it's not. So there needs to be a renaming.

"net_admin" issue is fixed in the latest policy build, moving the bug to ON_QA.

Comment 22 Eric Paris 2014-03-24 17:14:21 UTC
There it is:

rpm -e --justdb --nodeps java-1.7.0-openjdk-headless.x86_64
yum install -y java-1.7.0-openjdk-headless.x86_64

ls -ltrZ /tmp/

drwxr-xr-x. root root unconfined_u:object_r:tmp_t:s0   hsperfdata_root

So at least in rawhide it works.  But why in the heck is java-1.7.0-openjdk-headless.x86_64 leaving this behind in the first place?  Whatever it is, seems strange it belongs in /tmp!

Comment 23 Eric Paris 2014-03-24 17:34:09 UTC
Somehow this line does it:

27701 execve("/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.5.0.14.pre02.fc21.x86_64/jre-abrt/bin/java", ["java", "-agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on", "-Xshare:dump"], [/* 30 vars */]) = 0

Which eventually results in:
27702 openat(AT_FDCWD, "/tmp/hsperfdata_root", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
27702 lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=60, ...}) = 0
27702 getdents(3, /* 3 entries */, 32768) = 80
27702 kill(27411, SIG_0)                = -1 ESRCH (No such process)
27702 unlink("/tmp/hsperfdata_root/27411") = 0
27702 getdents(3, /* 0 entries */, 32768) = 0
27702 close(3)                          = 0
27702 mkdir("/tmp/hsperfdata_root", 0755) = -1 EEXIST (File exists)
27702 lstat("/tmp/hsperfdata_root", {st_mode=S_IFDIR|0755, st_size=40, ...}) = 0
27702 open("/tmp/hsperfdata_root/27701", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3


So no rename() (again, this is rawhide and the labeling worked).

Comment 24 Scott Poore 2014-03-24 18:46:52 UTC
FYI, I was able to run an IPA install with no AVCs with selinux-policy-3.12.1-145.el7.noarch.

Comment 26 Martin Kosek 2014-04-02 06:33:07 UTC
I can confirm that I still see the AVCs:

# rpm -q ipa-server selinux-policy
ipa-server-3.3.3-28.el7.x86_64
selinux-policy-3.12.1-149.el7.noarch

# getenforce 
Enforcing

# ipa-server-install
...

# ausearch -m avc -ts today | audit2allow 


#============= pki_tomcat_t ==============
allow pki_tomcat_t ipa_var_lib_t:dir { getattr search };
allow pki_tomcat_t rpm_script_tmp_t:file unlink;

I will attach my audit.log truncated before the installation.
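Added example, not code from this bug report or from Red Hat: a small Python parser that does what comment 18 did by hand (collapse the audit.log AVC records to the unique denials) and renders them the way `ausearch -m avc -ts today | audit2allow` did in comment 26. The sample records are constructed to mirror the ones quoted in this bug, and `parse_avc`, `unique_denials` and `allow_rules` are this example's own names.

```python
"""Summarise SELinux AVC denials from audit.log into audit2allow-style rules."""
import re
from collections import defaultdict

# Constructed sample input (fields abbreviated); contexts, classes and
# permissions mirror the AVCs quoted in this bug. USER_AVC policyload
# notices are included to show they are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1394790742.084:93): avc:  denied  { unlink } for  pid=13076 comm="java" name="11994" dev="dm-1" ino=986800 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1394790742.147:94): avc:  denied  { search } for  pid=13076 comm="java" name="net" dev="proc" ino=5841 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1395066749.831:143): avc:  denied  { search } for  pid=15801 comm="java" name="net" dev="proc" ino=8320 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1395353186.187:391): avc:  denied  { net_admin } for  pid=16553 comm="java" capability=12  scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:system_r:pki_tomcat_t:s0 tclass=capability
type=USER_AVC msg=audit(1394791036.770:125): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)'
type=AVC msg=audit(1396540190.000:90): avc:  denied  { getattr } for  pid=15337 comm="java" path="/var/lib/ipa" dev="dm-0" ino=1 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1396540190.001:91): avc:  denied  { search } for  pid=15337 comm="java" name="ipa" dev="dm-0" ino=1 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
"""

# Kernel AVC denial: "avc:  denied  { perm ... } for ... scontext= tcontext= tclass="
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one kernel AVC denial; USER_AVC and non-denial lines give None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {
        "stype": context_type(m.group("scon")),
        "ttype": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def unique_denials(log_text):
    """Merge denials by (source type, target type, class), unioning the perms."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)


def allow_rules(denials):
    """Render merged denials as audit2allow-style allow rules, per source type."""
    out = []
    for stype in sorted({k[0] for k in denials}):
        out.append("#============= %s ==============" % stype)
        for (s, t, cls), perms in sorted(denials.items()):
            if s != stype:
                continue
            # A same-type target (e.g. the net_admin capability) is written as
            # "self", which is how audit2allow renders it.
            target = "self" if t == s else t
            if len(perms) == 1:
                perm_str = next(iter(perms))
            else:
                perm_str = "{ %s }" % " ".join(sorted(perms))
            out.append("allow %s %s:%s %s;" % (s, target, cls, perm_str))
    return out


if __name__ == "__main__":
    # Treat this output as triage data, not as policy to load: the unlink on
    # rpm_script_tmp_t in this bug came from a mislabelled /tmp/hsperfdata_root,
    # and the fix was correct labeling, not a new allow rule.
    print("\n".join(allow_rules(unique_denials(SAMPLE_AUDIT_LOG))))
```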

Comment 27 Martin Kosek 2014-04-02 06:33:58 UTC
Created attachment 881642 [details]
audit.log with selinux-policy-3.12.1-149.el7.noarch

Comment 28 Eric Paris 2014-04-02 18:24:05 UTC
What was the version of selinux-policy installed when java-1.7.0-openjdk-headless.x86_64 was installed? If you installed the updated selinux-policy after you installed the java packages, you won't get the fix in question....

Comment 29 Kaleem 2014-04-03 17:54:12 UTC
Still saw the following AVC denial, which is the same as mentioned in the description, with the installation scenario mentioned in the description of this bug.

rpm versions:
===============
ipa-server.x86_64 0:3.3.3-28.el7
selinux-policy-3.12.1-145.el7.noarch

----------------

time->Thu Apr  3 11:49:50 2014
type=SYSCALL msg=audit(1396540190.067:97): arch=c000003e syscall=87 success=no exit=-13 a0=7fb928008230 a1=7fb928008023 a2=7fb928008245 a3=357f items=0 ppid=1 pid=15337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.2.el7.x86_64/jre-abrt/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1396540190.067:97): avc:  denied  { unlink } for  pid=15337 comm="java" name="13695" dev="dm-0" ino=1583215 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=file
----
time->Thu Apr  3 11:54:04 2014
type=USER_AVC msg=audit(1396540444.683:121): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr  3 11:54:04 2014
type=USER_AVC msg=audit(1396540444.683:122): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 30 Eric Paris 2014-04-03 17:57:08 UTC
Can you answer the question in comment #28?

Comment 32 Miroslav Grepl 2014-04-07 08:01:24 UTC
So we still have issues with /tmp/hsperfdata_root labeling. Could someone tell us how it is created in this setup scenario? Or provide us a machine?

Comment 40 Miroslav Grepl 2014-04-07 18:57:56 UTC
OK, I believe we got it working together with Milos (really, thanks for testing).

https://brewweb.devel.redhat.com/buildinfo?buildID=348532

Comment 42 Ludek Smid 2014-06-13 09:44:02 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

