Bug 1117739 - Lots of avc denial messages while installing IPA Server
Summary: Lots of avc denial messages while installing IPA Server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1123811
Reported: 2014-07-09 09:49 UTC by Kaleem
Modified: 2014-10-14 08:03 UTC
CC List: 10 users

Fixed In Version: selinux-policy-3.7.19-247.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1123811
Environment:
Last Closed: 2014-10-14 08:03:23 UTC
Target Upstream Version:
Embargoed:


Attachments
audit log (370.05 KB, text/x-log), 2014-07-21 11:13 UTC, Kaleem
audit.log reporting certmonger_t AVC on FreeIPA replica (7.54 KB, application/gzip), 2014-07-29 13:43 UTC, Martin Kosek


Links
Red Hat Product Errata RHBA-2014:1568 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2014-10-14 01:27:37 UTC

Description Kaleem 2014-07-09 09:49:34 UTC
Description of problem:
While installing IPA Server, a lot of AVC denial messages are shown, though this is not a blocker and the installation is successful.

Version-Release number of selected component (if applicable):
[root@hp-dl380pgen8-02-vm-4 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-42.el6.x86_64
pki-ca-9.0.3-36.el6.noarch
[root@hp-dl380pgen8-02-vm-4 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server on latest RHEL-6.6 build
2. Look in audit.log

Actual results:
There are a lot of AVC denied messages in audit.log

Expected results:
There should not be any AVC denied messages in audit.log

Additional info:
(1)
[root@hp-dl380pgen8-02-vm-4 ~]# cat /var/log/audit/audit.log |audit2allow 


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@hp-dl380pgen8-02-vm-4 ~]#

Comment 2 Dmitri Pal 2014-07-15 13:10:13 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4438

Comment 3 Martin Kosek 2014-07-18 10:16:56 UTC
Can this be an intermittent SELinux policy/labeling error? (CCing Mirek for reference)

I now tested on my 6.6 instance and there were no AVCs after installation:

# rpm -q selinux-policy ipa-server
selinux-policy-3.7.19-244.el6.noarch
ipa-server-3.0.0-42.el6.x86_64

# getenforce 
Enforcing

# ipa-server-install -p Secret123 -a Secret123 --setup-dns --forwarder 10.0.0.1
...

# ausearch -m avc -ts today
<no matches>

Would running the test again on an up-to-date system change the outcome?

Comment 4 Kaleem 2014-07-18 11:59:04 UTC
================================================================================
			With selinux-policy-3.7.19-241.el6.noarch:
================================================================================

[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= nscd_t ==============
allow nscd_t var_lib_t:file read;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= postfix_pickup_t ==============
allow postfix_pickup_t postfix_pickup_tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@rhel66-master ~]# 

[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-241.el6.noarch
[root@rhel66-master ~]#

================================================================================
                            With selinux-policy-3.7.19-244.el6.noarch:
================================================================================

[root@rhel66-master ~]# ausearch -m avc -ts today|audit2allow


#============= prelink_mask_t ==============
allow prelink_mask_t anon_inodefs_t:file { read write };
allow prelink_mask_t dirsrv_var_log_t:file append;
allow prelink_mask_t httpd_tmp_t:file write;
allow prelink_mask_t inotifyfs_t:dir read;
allow prelink_mask_t sssd_var_log_t:file append;
allow prelink_mask_t tmp_t:file relabelfrom;
allow prelink_mask_t user_devpts_t:chr_file { read write };

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
[root@rhel66-master ~]# 

[root@rhel66-master ~]# rpm -q ipa-server selinux-policy
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-244.el6.noarch
[root@rhel66-master ~]#

Comment 5 Martin Kosek 2014-07-18 12:01:57 UTC
Thanks. I see the number of AVCs got lower, but there are still some. I will change the component to selinux-policy to let Mirek evaluate the bug.

Comment 6 Miroslav Grepl 2014-07-21 10:05:18 UTC
Could you please attach raw AVC msgs?

Comment 7 Miroslav Grepl 2014-07-21 10:06:07 UTC
Also selinux-policy-3.7.19-244.el6.noarch is a release for testing.

Comment 8 Kaleem 2014-07-21 11:13:04 UTC
Created attachment 919608 [details]
audit log

Comment 9 Martin Kosek 2014-07-22 14:22:35 UTC
Today, I tested ipa-server-install with selinux-policy-3.7.19-245.el6.noarch and saw only these 2 AVCs:

# ipa-server-install
# ausearch -m avc -ts today
----
time->Tue Jul 22 22:07:23 2014
type=SYSCALL msg=audit(1406081243.019:3131): arch=c000003e syscall=4 success=no exit=-13 a0=7f25901d1f80 a1=7f2599095e20 a2=7f2599095e20 a3=18 items=0 ppid=1 pid=20308 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081243.019:3131): avc:  denied  { search } for  pid=20308 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
time->Tue Jul 22 22:08:34 2014
type=SYSCALL msg=audit(1406081314.224:3140): arch=c000003e syscall=4 success=no exit=-13 a0=7f04dc1d1be0 a1=7f04e4bfce20 a2=7f04e4bfce20 a3=18 items=0 ppid=1 pid=20768 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=469 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406081314.224:3140): avc:  denied  { search } for  pid=20768 comm="java" name="tomcat6" dev=dm-1 ino=138875 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir

# ausearch -m avc -ts today | audit2allow 


#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir search;
# ausearch -m avc -ts today

Ade, doesn't it also require a fix in the PKI SELinux policy? I think we discussed it lately as well.

Comment 10 Milos Malik 2014-07-23 17:08:14 UTC
One of our TCs triggers the same AVC as mentioned in comment#9:
----
time->Tue Jul 22 19:22:17 2014
type=PATH msg=audit(1406049737.747:722): item=0 name="/var/cache/tomcat6/temp" inode=132332 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406049737.747:722):  cwd="/var/lib"
type=SYSCALL msg=audit(1406049737.747:722): arch=40000003 syscall=195 success=no exit=-13 a0=6c34ee80 a1=b77699d0 a2=c96ff4 a3=b7606928 items=1 ppid=1 pid=11580 auid=4294967295 uid=487 gid=485 euid=487 suid=487 fsuid=487 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406049737.747:722): avc:  denied  { search } for  pid=11580 comm="java" name="tomcat6" dev=dm-0 ino=132332 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment 11 Lukas Vrabec 2014-07-28 09:13:34 UTC
Hi Martin, 

Yes, this AVC must be fixed in the pki-selinux package; we don't ship this policy in RHEL 6.

Comment 12 Martin Kosek 2014-07-28 10:20:12 UTC
Ok, I will clone this Bugzilla also for PKI.

Comment 13 Lukas Vrabec 2014-07-28 10:27:37 UTC
Thank you!

Comment 14 Miroslav Grepl 2014-07-29 08:54:14 UTC

*** This bug has been marked as a duplicate of bug 1103674 ***

Comment 15 Martin Kosek 2014-07-29 10:27:24 UTC
I investigated FreeIPA in a more advanced workflow (with selinux-policy-3.7.19-246.el6.noarch) and found additional AVCs.

This happens only in a certificate renewal operation on a FreeIPA/PKI replica, after the certificate is renewed on FreeIPA/PKI master server:

# getcert resubmit -i 20140728233924
Resubmitting "20140728233924" to "dogtag-ipa-retrieve-agent-submit".
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: PRE_SAVE_CERT
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-17 22:35:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
# getcert list -n 'subsystemCert cert-pki-ca'
Number of certificates and requests being tracked: 8.
Request ID '20140728233924':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='497572453013'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-retrieve-agent-submit
	issuer: CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
	subject: CN=CA Subsystem,O=IDM.LAB.BOS.REDHAT.COM
	expires: 2016-07-18 22:16:33 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes

The operation only succeeded because I had SELinux in permissive mode.

# cat /var/log/audit/audit.log | audit2allow 


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'file' of the following types:
# dirsrv_config_t, certmonger_var_lib_t, certmonger_var_run_t, cert_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow certmonger_t var_run_t:file { setattr read lock create write getattr unlink open };

#============= pki_ca_t ==============
allow pki_ca_t tomcat_cache_t:dir { search getattr };


Jan, do you know what the difference is? Why does certmonger need to access var_run_t, while on the server it does not?

Comment 16 Jan Cholasta 2014-07-29 10:59:57 UTC
No idea. Could you please retry in enforcing mode?

Comment 17 Martin Kosek 2014-07-29 13:42:45 UTC
I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and SELinux does not like it:

type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for  pid=3544 comm="dogtag-ipa-retr"  path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:        certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

CCing Nalin for reference. This looks like a place where certmonger works with the CCACHE; I assume it should be allowed or have its own context. I will attach the whole audit.log from my FreeIPA PKI clone renewal testing.

Comment 18 Martin Kosek 2014-07-29 13:43:15 UTC
Created attachment 922154 [details]
audit.log reporting certmonger_t AVC on FreeIPA replica

Comment 19 Miroslav Grepl 2014-07-29 14:18:00 UTC
What does

# rpm -qf /var/run/certmonger

We don't have a label for the dir in the policy.

Comment 20 Martin Kosek 2014-07-29 14:34:53 UTC
# rpm -qf /var/run/certmonger
certmonger-0.75.8-1.el6.x86_64

Comment 21 Nalin Dahyabhai 2014-07-29 17:01:18 UTC
(In reply to Martin Kosek from comment #17)
> I see certmonger is working with a /var/run/certmonger/tmp-DLg2kv/ccache and
> SELinux does not like it:
> 
> type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for 
> pid=3544 comm="dogtag-ipa-retr" 
> path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171
> scontext=unconfined_u:system_r:        certmonger_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> 
> CCing Nalin for reference. This looks like a place where certmonger works
> with the CCACHE, I assume it should be allowed or have an own context. I
> will attach whole audit.log from my FreeIPA PKI clone renewal testing.

It looks like dogtag-ipa-retrieve-agent-submit is creating a cache for its use under $TMPDIR, which certmonger sets to /var/run/certmonger.  It could use an in-memory cache (type "MEMORY" instead of type "FILE") and save itself the work of cleaning up the cache when it's done.

Comment 22 Martin Kosek 2014-07-30 06:57:07 UTC
Ah, I see:

./install/certmonger/dogtag-ipa-retrieve-agent-submit:
...
# Update or add it
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
try:
...
    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
...
finally:
    shutil.rmtree(tmpdir)

Jan, can we change it to a MEMORY CCACHE? This is apparently an IPA-specific operation, so I do not think we need to add this rule to the global SELinux policy. If yes, I will move this to the IPA component and get the ACKs.

Comment 23 Jan Cholasta 2014-07-30 07:14:26 UTC
We could, but IMO /var/run/certmonger should be labelled correctly as certmonger_var_run_t anyway, since it is in fact owned by certmonger, right? Someone might use their own CA helper and/or pre-/post-save scripts which create temporary files and end up in the same situation.

Comment 24 Martin Kosek 2014-07-30 07:18:41 UTC
True, both approaches would work for me. Mirek, I will leave that up to you if you are OK with adding a new context for certmonger and thus enabling other potential scripting for certmonger.

Comment 25 Miroslav Grepl 2014-07-30 07:36:26 UTC
commit ec004f7709aea4ee2aa5f75a7a6626cc39f41fea
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jul 29 15:58:39 2014 +0200

    Fix labeling for /var/run/certmonger.

Comment 27 Miroslav Grepl 2014-07-30 08:50:45 UTC
Yes. The fix is a part of this release.

Comment 28 Martin Kosek 2014-07-30 10:10:08 UTC
Great, it works:

# rpm -q selinux-policy
selinux-policy-3.7.19-247.el6.noarch
# ls -laZ /var/run/certmonger
drwxr-xr-x. root root system_u:object_r:certmonger_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   ..
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .config
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .ipa
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .pki

This bug is therefore fixed and only Bug 1123811 (pki-core) remains.
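The `ls -laZ` check above is done by eye; the script below does the same check programmatically. It is an added example, not code from this bug, from selinux-policy or from FreeIPA: it parses `ls -laZ` rows, extracts the SELinux type from each context, and reports entries whose type is not the expected one. Both listings are constructed. The pre-fix listing assumes a helper's temporary directory under /var/run/certmonger that inherited var_run_t from its parent (the situation behind the AVC in comment 17, since a file created in a directory with no specific label simply gets the parent's type); the post-fix listing mirrors the one in comment 28.

```python
"""Verify that every entry of a directory carries the expected SELinux type.

Added example, not part of the bug or of selinux-policy. Input is the text
of `ls -laZ` as printed on RHEL 6 (mode, owner, group, context, name).
"""
import re

# One `ls -laZ` row: mode, owner, group, a user:role:type:level context, name.
LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>\S+:\S+:\S+:\S+)\s+(?P<name>.+)$"
)

# Constructed: state before the policy fix. The helper's temp dir inherits the
# generic var_run_t of its parent because no specific label exists for the tree.
BEFORE_FIX = """\
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
drwx------. root root unconfined_u:object_r:var_run_t:s0 tmp-DLg2kv
"""

# Constructed to mirror the post-fix listing: the tree is certmonger_var_run_t.
AFTER_FIX = """\
drwxr-xr-x. root root system_u:object_r:certmonger_var_run_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_run_t:s0   ..
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .config
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .ipa
drwx------. root root unconfined_u:object_r:certmonger_var_run_t:s0 .pki
"""


def parse_ls_z(text):
    """Return [(name, selinux_type)] for each row; '..' is skipped because it
    belongs to the parent directory and is expected to carry a different type."""
    entries = []
    for line in text.splitlines():
        m = LS_Z_RE.match(line)
        if not m or m.group("name") == "..":
            continue
        # Context is user:role:type:level; the type is what policy rules key on.
        entries.append((m.group("name"), m.group("ctx").split(":")[2]))
    return entries


def mislabelled(text, expected_type):
    """Names whose type differs from expected_type; empty means the tree is clean."""
    return [name for name, t in parse_ls_z(text) if t != expected_type]


if __name__ == "__main__":
    for label, listing in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        bad = mislabelled(listing, "certmonger_var_run_t")
        print(f"{label}: {'OK' if not bad else 'mislabelled: ' + ', '.join(bad)}")
```

Run it against the real output of `ls -laZ /var/run/certmonger` after a policy update; a non-empty result means `restorecon` has not been applied to the tree yet, or the policy still lacks a file context for it.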

Comment 29 Milos Malik 2014-08-01 09:33:46 UTC
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-247.el6.noarch
selinux-policy-3.7.19-247.el6.noarch
#
----
time->Fri Aug  1 11:14:53 2014
type=PATH msg=audit(1406884493.073:117): item=0 name="/var/cache/tomcat6/temp" inode=2093647 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406884493.073:117):  cwd="/var/lib"
type=SYSCALL msg=audit(1406884493.073:117): arch=c000003e syscall=4 success=no exit=-13 a0=7f4e301a6570 a1=7f4e35fb0e20 a2=7f4e35fb0e20 a3=18 items=1 ppid=1 pid=3937 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406884493.073:117): avc:  denied  { search } for  pid=3937 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----

Comment 30 Milos Malik 2014-08-01 09:51:28 UTC
The same automated TC, the same machine, but in permissive mode:
----
time->Fri Aug  1 11:34:56 2014
type=PATH msg=audit(1406885696.891:163): item=0 name="/var/cache/tomcat6/temp" inode=2093649 dev=fd:00 mode=040775 ouid=0 ogid=91 rdev=00:00 obj=system_u:object_r:tomcat_cache_t:s0 nametype=NORMAL
type=CWD msg=audit(1406885696.891:163):  cwd="/var/lib"
type=SYSCALL msg=audit(1406885696.891:163): arch=c000003e syscall=4 success=yes exit=0 a0=7f8c941e2080 a1=7f8c98a57e20 a2=7f8c98a57e20 a3=18 items=1 ppid=1 pid=9317 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406885696.891:163): avc:  denied  { getattr } for  pid=9317 comm="java" path="/var/cache/tomcat6/temp" dev=dm-0 ino=2093649 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406885696.891:163): avc:  denied  { search } for  pid=9317 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
----
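The listings in comments 29 and 30 show the same denial in enforcing and in permissive mode; the only difference is the `success=` field of the SYSCALL record that shares the AVC record's serial number. The following is an added example (not code from this bug, from selinux-policy or from FreeIPA) that groups AVC records into audit2allow-style rules and uses that SYSCALL field to tell denials that were actually blocked from ones that were only logged. The audit records are constructed to mirror the ones quoted in comments 17, 29 and 30, with the unrelated SYSCALL fields trimmed.

```python
"""Triage SELinux AVC records: collapse denials into the minimal allow rule
audit2allow would emit, and join each AVC to its SYSCALL record (same audit
serial) to see whether the access was blocked (success=no, enforcing) or
went through and was merely logged (success=yes, permissive).

Added example; not code from the bug, from selinux-policy or from FreeIPA.
"""
import re
from collections import defaultdict

# Constructed sample: one enforcing denial, two permissive-mode denials sharing
# one serial, and one AVC with no SYSCALL record at all.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1406884493.073:117): arch=c000003e syscall=4 success=no exit=-13 pid=3937 comm="java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406884493.073:117): avc:  denied  { search } for  pid=3937 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1406885696.891:163): arch=c000003e syscall=4 success=yes exit=0 pid=9317 comm="java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1406885696.891:163): avc:  denied  { getattr } for  pid=9317 comm="java" path="/var/cache/tomcat6/temp" dev=dm-0 ino=2093649 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406885696.891:163): avc:  denied  { search } for  pid=9317 comm="java" name="tomcat6" dev=dm-0 ino=2093647 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:tomcat_cache_t:s0 tclass=dir
type=AVC msg=audit(1406678726.742:280): avc:  denied  { getattr } for  pid=3544 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-DLg2kv/ccache" dev=dm-1 ino=140171 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SUCCESS_RE = re.compile(r"\bsuccess=(?P<success>yes|no)\b")


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Return one dict per AVC record. 'permissive' is True when the matching
    SYSCALL succeeded, False when it failed, None when no SYSCALL was seen."""
    success_by_serial = {}
    avcs = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = m.group("serial")
        if line.startswith("type=SYSCALL"):
            s = SUCCESS_RE.search(line)
            if s:
                success_by_serial[serial] = s.group("success") == "yes"
        elif line.startswith("type=AVC"):
            a = AVC_RE.search(line)
            if not a:
                continue
            avcs.append({
                "serial": serial,
                "stype": context_type(a.group("scontext")),
                "ttype": context_type(a.group("tcontext")),
                "tclass": a.group("tclass"),
                "perms": set(a.group("perms").split()),
            })
    for d in avcs:
        # A denied AVC whose syscall still succeeded is the permissive-mode
        # signature: the access happened and was only recorded.
        d["permissive"] = success_by_serial.get(d["serial"])
    return avcs


def allow_rules(avcs):
    """Collapse denials into one rule per (source type, target type, class),
    merging permissions the way audit2allow prints them."""
    perms = defaultdict(set)
    for d in avcs:
        perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), p in sorted(perms.items()):
        body = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def report(text):
    """Print the derived rules and the enforcement status of each denial."""
    avcs = parse_audit(text)
    for rule in allow_rules(avcs):
        print(rule)
    labels = {True: "permissive (logged only)", False: "enforcing (blocked)"}
    for d in avcs:
        mode = labels.get(d["permissive"], "unknown (no SYSCALL record)")
        print(f"serial {d['serial']}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{sorted(d['perms'])} {mode}")
    return avcs


if __name__ == "__main__":
    report(SAMPLE_AUDIT)
```

The derived rule is a description of what the process tried to do, not a recommendation to load it: as the thread shows, the right fix for the certmonger_t/var_run_t denial was a file context for /var/run/certmonger, and the pki_ca_t/tomcat_cache_t denial belonged in the pki-selinux policy rather than the system policy.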

Comment 31 Martin Kosek 2014-08-01 10:34:46 UTC
These AVCs are being fixed in Bug 1123811 (as the problem is not in system SELinux policy).

Current development build of pki-core I tested removed them both.

Comment 34 errata-xmlrpc 2014-10-14 08:03:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

