Bug 1149357 - AVCs encountered when installing FreeIPA via cloud-init
Summary: AVCs encountered when installing FreeIPA via cloud-init
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-03 20:11 UTC by Nathan Kinder
Modified: 2014-10-28 06:38 UTC (History)

Fixed In Version: selinux-policy-3.12.1-192.fc20
Clone Of:
Environment:
Last Closed: 2014-10-28 06:38:34 UTC
Type: Bug
Embargoed:



Description Nathan Kinder 2014-10-03 20:11:03 UTC
When FreeIPA is installed from a user-data script during cloud-init, some AVCs are encountered.  I see the following in Permissive mode on F20 (though I've also seen similar on RHEL 7):

---------------------------------------------------
type=USER_AVC msg=audit(1412363312.293:160): pid=293 uid=81 auid=4294967295 ses=4294967295  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=10092 tpid=10104 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1412363495.207:196): avc:  denied  { read } for  pid=11220 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key
type=AVC msg=audit(1412363495.258:197): avc:  denied  { write } for  pid=11220 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key
type=AVC msg=audit(1412363513.757:209): avc:  denied  { write } for  pid=11367 comm="setfiles" path="/var/log/vm-post-cloud-init-ipa.sh.log" dev="vda1" ino=3252 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:cloud_log_t:s0 tclass=file
type=AVC msg=audit(1412363928.436:220): avc:  denied  { read } for  pid=11390 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key

[ipauser@ipa ~]$ sudo audit2allow -a

#============= certmonger_t ==============
allow certmonger_t cloud_init_t:dbus send_msg;

#============= httpd_t ==============
allow httpd_t cloud_init_t:key { read write };

#============= setfiles_t ==============
allow setfiles_t cloud_log_t:file write;
---------------------------------------------------
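
The four records above mix two audit layouts: plain type=AVC lines, and a type=USER_AVC line whose avc text is nested inside msg='...' and whose exe= field is hex-encoded by auditd because the value contains a space. The following is an added example, not code from the bug report or from the selinux-policy project: a small parser that reads both layouts, decodes the hex exe= field, and merges the denials into allow rules keyed by the type component of the contexts, which is what the audit2allow -a output quoted above does. All function names (parse_avc_records, summarise_denials, format_allow_rules, decode_exe) are this example's own, and the sample input is constructed from the records quoted in the description.

```python
"""audit2allow-style summariser for SELinux AVC records (added example)."""
import re
from collections import defaultdict

# Sample input, constructed from the records quoted in the bug description.
SAMPLE_AUDIT = r"""
type=USER_AVC msg=audit(1412363312.293:160): pid=293 uid=81 auid=4294967295 ses=4294967295  subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=10092 tpid=10104 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1412363495.207:196): avc:  denied  { read } for  pid=11220 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key
type=AVC msg=audit(1412363495.258:197): avc:  denied  { write } for  pid=11220 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key
type=AVC msg=audit(1412363513.757:209): avc:  denied  { write } for  pid=11367 comm="setfiles" path="/var/log/vm-post-cloud-init-ipa.sh.log" dev="vda1" ino=3252 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:cloud_log_t:s0 tclass=file
type=AVC msg=audit(1412363928.436:220): avc:  denied  { read } for  pid=11390 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=key
"""

# Matches the avc core whether it sits at top level (type=AVC) or inside
# msg='...' (type=USER_AVC); the line is searched as a whole either way.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of user:role:type[:mls], e.g. httpd_t."""
    return ctx.split(":")[2]

def decode_exe(line):
    """Return the exe= value; auditd hex-encodes it when it contains spaces/quotes."""
    m = re.search(r'\bexe=(?:"([^"]*)"|([0-9A-Fa-f]+))', line)
    if m is None:
        return None
    if m.group(1) is not None:
        return m.group(1)
    return bytes.fromhex(m.group(2)).decode("utf-8", "replace")

def parse_avc_records(text):
    """Yield one dict per AVC/USER_AVC record; other audit record types are skipped."""
    for line in text.splitlines():
        if not line.startswith(("type=AVC", "type=USER_AVC")):
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        comm = re.search(r'comm="([^"]*)"', line)
        yield {
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": comm.group(1) if comm else None,
            "exe": decode_exe(line),
        }

def summarise_denials(text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for rec in parse_avc_records(text):
        if rec["verdict"] != "denied":
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)

def format_allow_rules(rules):
    """Render the merged rules in audit2allow's output style, grouped by source type."""
    lines = []
    for stype in sorted({k[0] for k in rules}):
        lines.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s != stype:
                continue
            p = sorted(perms)
            perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            lines.append(f"allow {s} {t}:{c} {perm_text};")
        lines.append("")
    return "\n".join(lines).rstrip("\n")

if __name__ == "__main__":
    print(format_allow_rules(summarise_denials(SAMPLE_AUDIT)))
```

Running it reproduces the three allow rules audit2allow printed above. Treat that output as a diagnosis, not a fix: rules like `allow httpd_t cloud_init_t:key { read write }` are raw grants between unrelated domains, and the policy fix recorded later in this bug folds them into interface calls (an auth_use_nsswitch call for apache, a dontaudit for the cloud log, a dbus chat rule for certmonger) rather than loading the generated lines verbatim.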

Comment 1 Miroslav Grepl 2014-10-14 13:20:44 UTC
commit 522136371c428ff1cd8d6f66262fc4681f3d23c0
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 14 15:12:56 2014 +0200

    Add cloudform_dontaudit_write_cloud_log()

commit 5df5145c13ca87ab59f6d24c01ee72711b61657e
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 14 15:05:19 2014 +0200

    Call auth_use_nsswitch to apache to read/write cloud-init keys.

commit bc33a133ab937ca9d2c57edbe15c67d090921c16
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 14 15:04:22 2014 +0200

    Allow cloud-init to dbus chat with certmonger.

Comment 2 Fedora Update System 2014-10-22 11:52:45 UTC
selinux-policy-3.12.1-192.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-192.fc20

Comment 3 Fedora Update System 2014-10-23 06:23:42 UTC
Package selinux-policy-3.12.1-192.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-192.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13495/selinux-policy-3.12.1-192.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-10-28 06:38:34 UTC
selinux-policy-3.12.1-192.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

