+++ This bug was initially created as a clone of Bug #1365188 +++

Description of problem:
IdM is configured with an embedded Certificate Authority. With this configuration, it must automatically renew the certificates used internally by its components.
Certmonger is used to track the certificates stored in /etc/pki/pki-tomcat/alias, succeeds in cert renewal but fails when running the CA helper script because of SELinux policy preventing it from updating the file /var/lib/pki/pki-tomcat/conf/ca/CS.cfg with the new cert. This results in certmonger not having the right certificate.

Certmonger is running the script /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit => the script inherits certmonger context, which is certmonger_t

$ ps -efZ | grep certmonger
system_u:system_r:certmonger_t:s0 root 1670 1 0 14:59 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n

The file that cannot be updated is /var/lib/pki/pki-tomcat/conf/ca/CS.cfg, with context pki_tomcat_etc_rw_t:

$ sudo ls -Z /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 /var/lib/pki/pki-tomcat/conf/ca/CS.cfg

Version-Release number of selected component (if applicable):
Fedora release 24 (Twenty Four)
freeipa-server.x86_64 4.4.0.201608050957GIT9dac0a1-0.fc24
selinux-policy.noarch 3.13.1-191.fc24.2
selinux-policy-targeted.noarch 3.13.1-191.fc24.2

How reproducible:
Always

Steps to Reproduce:
1. Install IDM with a self-signed CA:
sudo ipa-server-install --setup-dns \
  --auto-forwarders \
  --auto-reverse \
  -n $DOMAIN \
  -r $REALM \
  -p Secret123 -a Secret123 \
  -U
2. check when the subsystemCert expires
$ sudo getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
3. stop ntpd and change date to a few days before cert expiration
$ sudo systemctl stop ntpd
$ sudo date -s "2018-07-25 00:00"
4. Certmonger renews the certs, but we can find errors:
$ sudo journalctl -t renew_ca_cert --since "2018-07-25" > ~/journalctl.out
$ sudo ausearch -m avc --start today > ~/ausearch_certmonger.out
The file /var/lib/pki/pki-tomcat/conf/ca/CS.cfg has not been updated with the new cert (line ca.subsystem.cert=...)

Actual results:
AVC errors seen and journal errors for certmonger, file CS.cfg not updated.

Expected results:
No AVC error, file CS.cfg updated.

Additional info:
Attaching output of journalctl and ausearch.

--- Additional comment from Florence Blanc-Renaud on 2016-08-08 10:55 EDT ---
Same issue on:
selinux-policy-3.13.1-93.el7
ipa-server-4.4.0-7.el7

Same steps to reproduce as in comment 1, attached journalctl and ausearch output.
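The report's "Actual results" is that CS.cfg still carries the old certificate after certmonger has renewed the one in the NSS database. The following is an added check script, not part of the bug report or of FreeIPA, that compares the two directly. It assumes what the report states: the directive is a single line of the form ca.subsystem.cert=<base64 DER> in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg, and the renewed cert lives in /etc/pki/pki-tomcat/alias under the nickname 'subsystemCert cert-pki-ca' (read with certutil -L -a, which prints PEM). The sample CS.cfg fragment and PEM body embedded below are constructed, not taken from a real instance.

```python
#!/usr/bin/env python3
"""Check that ca.subsystem.cert in Dogtag's CS.cfg matches the certificate
certmonger renewed in the NSS database.

Added example; not the project's own code. Assumptions: CS.cfg is a flat
key=value file whose cert directives hold bare base64 DER on one line, and
`certutil -L -d <db> -n <nick> -a` prints that certificate as PEM.
"""
import re
import subprocess
import sys

CS_CFG = "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
NSS_DB = "/etc/pki/pki-tomcat/alias"
NICK = "subsystemCert cert-pki-ca"
DIRECTIVE = "ca.subsystem.cert"

# Constructed sample data (not from a real instance): a short PEM body and a
# CS.cfg fragment whose ca.subsystem.cert carries the same base64 bytes.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCertBody\n"
    "AAAA\n"
    "-----END CERTIFICATE-----\n")
SAMPLE_CS_CFG = (
    "ca.sslserver.cert=MIIBsomeOtherCert\n"
    "ca.subsystem.cert=MIIBsampleCertBodyAAAA\n"
    "ca.subsystem.nickname=subsystemCert cert-pki-ca\n")


def pem_to_b64(pem):
    """Strip the PEM armour and all whitespace, leaving the base64 DER body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())


def cs_cfg_directive(text, name):
    """Return the value of `name=` in CS.cfg text, or None if the key is absent."""
    for line in text.splitlines():
        if line.startswith(name + "="):
            return line[len(name) + 1:].strip()
    return None


def cert_in_sync(cs_cfg_text, pem_from_nssdb, name=DIRECTIVE):
    """True iff the CS.cfg directive holds exactly the cert found in the NSS DB."""
    recorded = cs_cfg_directive(cs_cfg_text, name)
    if recorded is None:
        return False
    return "".join(recorded.split()) == pem_to_b64(pem_from_nssdb)


def demo():
    """Run the comparison on the constructed sample: in sync, then stale."""
    stale_cfg = SAMPLE_CS_CFG.replace("AAAA", "BBBB")  # simulate an un-updated CS.cfg
    return cert_in_sync(SAMPLE_CS_CFG, SAMPLE_PEM), cert_in_sync(stale_cfg, SAMPLE_PEM)


def main():
    # Live check on an IPA CA (needs root). Exit 1 on mismatch so it can sit in
    # a post-renewal health check.
    pem = subprocess.check_output(
        ["certutil", "-L", "-d", NSS_DB, "-n", NICK, "-a"], text=True)
    with open(CS_CFG) as f:
        cfg = f.read()
    if cert_in_sync(cfg, pem):
        print("OK: %s matches %r in %s" % (DIRECTIVE, NICK, NSS_DB))
        return 0
    print("MISMATCH: %s in %s is not the cert in the NSS DB; "
          "check 'journalctl -t renew_ca_cert' and 'ausearch -m avc'" %
          (DIRECTIVE, CS_CFG))
    return 1


if __name__ == "__main__":
    print("sample (in sync, stale):", demo())
    sys.exit(main())
```

Run it on the CA after the clock jump from the reproduction steps: a MISMATCH with AVC records in ausearch is the failure mode this bug describes; a MISMATCH without AVC records points elsewhere (the helper never ran, or the directive name differs on that Dogtag version).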
Created attachment 1190777: journalctl.out
Created attachment 1190778: ausearch_certmonger.out
Hi, Could you please re-test it in permissive mode? Thank you.
(In reply to Lukas Vrabec from comment #5)
> Hi,
>
> Could you please re-test it in permissive mode?
>
> Thank you.

Hi Lukas,
With permissive mode, no journal errors for certmonger, but still seeing AVC errors. See attached files.
Thanks
Created attachment 1190962: journalctl.out_permissive
Created attachment 1190963: ausearch_certmonger.out_permissive
Still facing same error:

# rpm -q selinux-policy ipa-server
selinux-policy-3.13.1-95.el7.noarch
ipa-server-4.4.0-8.el7.x86_64

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING

# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
expires: 2018-08-19 01:33:37 UTC
# systemctl stop ntpd
# date -s "2018-08-15 00:00"
Wed Aug 15 00:00:00 EDT 2018
# sleep 60
# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
expires: 2020-08-04 04:01:04 UTC
# ausearch -m avc --start today > ~/ausearch_certmonger.out
# journalctl -t renew_ca_cert --since "2018-08-15" > ~/journalctl.out

# cat ~/journalctl.out
-- Logs begin at Sun 2016-08-28 21:24:14 EDT, end at Wed 2018-08-15 00:02:40 EDT. --
Aug 15 00:01:16 mgmt6.testrelm.test renew_ca_cert[20553]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:16 mgmt6.testrelm.test renew_ca_cert[20553]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
    ca.update_cert_config(nickname, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
    directives[nickname], cert, paths.CA_CS_CFG_PATH)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
    separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
    st = os.stat(filename)
OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:30 mgmt6.testrelm.test renew_ca_cert[20623]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:30 mgmt6.testrelm.test renew_ca_cert[20623]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
    ca.update_cert_config(nickname, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
    directives[nickname], cert, paths.CA_CS_CFG_PATH)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
    separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
    st = os.stat(filename)
OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:55 mgmt6.testrelm.test renew_ca_cert[20699]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:01:55 mgmt6.testrelm.test renew_ca_cert[20699]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
    ca.update_cert_config(nickname, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
    directives[nickname], cert, paths.CA_CS_CFG_PATH)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
    separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
    st = os.stat(filename)
OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:02:35 mgmt6.testrelm.test renew_ca_cert[20873]: Failed to backup CS.cfg: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'
Aug 15 00:02:35 mgmt6.testrelm.test renew_ca_cert[20873]: Traceback (most recent call last):
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 212, in <module>
    main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 206, in main
    _main()
  File "/usr/libexec/ipa/certmonger/renew_ca_cert", line 78, in _main
    ca.update_cert_config(nickname, cert)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1253, in update_cert_config
    directives[nickname], cert, paths.CA_CS_CFG_PATH)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 389, in update_cert_cs_cfg
    separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 387, in set_directive
    st = os.stat(filename)
OSError: [Errno 13] Permission denied: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg'

# cat ~/ausearch_certmonger.out
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.167:1402): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.167:1402): cwd="/"
type=SYSCALL msg=audit(1534305676.167:1402): arch=c000003e syscall=4 success=no exit=-13 a0=4e84ab0 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.167:1402): avc: denied { getattr } for pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.167:1403): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.167:1403): cwd="/"
type=SYSCALL msg=audit(1534305676.167:1403): arch=c000003e syscall=4 success=no exit=-13 a0=3361210 a1=7ffe5b4a8c70 a2=7ffe5b4a8c70 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.167:1403): avc: denied { getattr } for pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1404): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1404): cwd="/"
type=SYSCALL msg=audit(1534305676.168:1404): arch=c000003e syscall=4 success=no exit=-13 a0=3361210 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1404): avc: denied { getattr } for pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1405): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1405): cwd="/"
type=SYSCALL msg=audit(1534305676.168:1405): arch=c000003e syscall=4 success=no exit=-13 a0=4e84ab0 a1=7ffe5b4a8f50 a2=7ffe5b4a8f50 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1405): avc: denied { getattr } for pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.168:1406): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.168:1406): cwd="/"
type=SYSCALL msg=audit(1534305676.168:1406): arch=c000003e syscall=2 success=no exit=-13 a0=3361210 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1406): avc: denied { read } for pid=20553 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:16 2018
type=PATH msg=audit(1534305676.184:1408): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305676.184:1408): cwd="/"
type=SYSCALL msg=audit(1534305676.184:1408): arch=c000003e syscall=4 success=no exit=-13 a0=4e64480 a1=7ffe5b4a90c0 a2=7ffe5b4a90c0 a3=632e53432f61632f items=1 ppid=19002 pid=20553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.184:1408): avc: denied { getattr } for pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1413): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1413): cwd="/"
type=SYSCALL msg=audit(1534305690.560:1413): arch=c000003e syscall=4 success=no exit=-13 a0=4a9ae40 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1413): avc: denied { getattr } for pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1414): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1414): cwd="/"
type=SYSCALL msg=audit(1534305690.560:1414): arch=c000003e syscall=4 success=no exit=-13 a0=391cfc0 a1=7ffda2419060 a2=7ffda2419060 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1414): avc: denied { getattr } for pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1415): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1415): cwd="/"
type=SYSCALL msg=audit(1534305690.560:1415): arch=c000003e syscall=4 success=no exit=-13 a0=391cfc0 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1415): avc: denied { getattr } for pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1416): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1416): cwd="/"
type=SYSCALL msg=audit(1534305690.560:1416): arch=c000003e syscall=4 success=no exit=-13 a0=4a9ae40 a1=7ffda2419340 a2=7ffda2419340 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1416): avc: denied { getattr } for pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.560:1417): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.560:1417): cwd="/"
type=SYSCALL msg=audit(1534305690.560:1417): arch=c000003e syscall=2 success=no exit=-13 a0=391cfc0 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.560:1417): avc: denied { read } for pid=20623 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:30 2018
type=PATH msg=audit(1534305690.576:1419): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305690.576:1419): cwd="/"
type=SYSCALL msg=audit(1534305690.576:1419): arch=c000003e syscall=4 success=no exit=-13 a0=3d88e50 a1=7ffda24194b0 a2=7ffda24194b0 a3=632e53432f61632f items=1 ppid=19002 pid=20623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305690.576:1419): avc: denied { getattr } for pid=20623 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1424): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1424): cwd="/"
type=SYSCALL msg=audit(1534305715.317:1424): arch=c000003e syscall=4 success=no exit=-13 a0=4a45f50 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1424): avc: denied { getattr } for pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1425): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1425): cwd="/"
type=SYSCALL msg=audit(1534305715.317:1425): arch=c000003e syscall=4 success=no exit=-13 a0=361be20 a1=7ffea2b21570 a2=7ffea2b21570 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1425): avc: denied { getattr } for pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.317:1426): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.317:1426): cwd="/"
type=SYSCALL msg=audit(1534305715.317:1426): arch=c000003e syscall=4 success=no exit=-13 a0=361be20 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.317:1426): avc: denied { getattr } for pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.318:1427): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.318:1427): cwd="/"
type=SYSCALL msg=audit(1534305715.318:1427): arch=c000003e syscall=4 success=no exit=-13 a0=4a45f50 a1=7ffea2b21850 a2=7ffea2b21850 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.318:1427): avc: denied { getattr } for pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.318:1428): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.318:1428): cwd="/"
type=SYSCALL msg=audit(1534305715.318:1428): arch=c000003e syscall=2 success=no exit=-13 a0=361be20 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.318:1428): avc: denied { read } for pid=20699 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:01:55 2018
type=PATH msg=audit(1534305715.337:1430): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305715.337:1430): cwd="/"
type=SYSCALL msg=audit(1534305715.337:1430): arch=c000003e syscall=4 success=no exit=-13 a0=3701f80 a1=7ffea2b219c0 a2=7ffea2b219c0 a3=632e53432f61632f items=1 ppid=19002 pid=20699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305715.337:1430): avc: denied { getattr } for pid=20699 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.807:1437): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.807:1437): cwd="/"
type=SYSCALL msg=audit(1534305755.807:1437): arch=c000003e syscall=4 success=no exit=-13 a0=5895ff0 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.807:1437): avc: denied { getattr } for pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1438): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1438): cwd="/"
type=SYSCALL msg=audit(1534305755.808:1438): arch=c000003e syscall=4 success=no exit=-13 a0=5505260 a1=7ffc625e4b10 a2=7ffc625e4b10 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1438): avc: denied { getattr } for pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1439): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1439): cwd="/"
type=SYSCALL msg=audit(1534305755.808:1439): arch=c000003e syscall=4 success=no exit=-13 a0=5505260 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1439): avc: denied { getattr } for pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1440): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg.ipabkp" inode=68514374 dev=fd:00 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1440): cwd="/"
type=SYSCALL msg=audit(1534305755.808:1440): arch=c000003e syscall=4 success=no exit=-13 a0=5895ff0 a1=7ffc625e4df0 a2=7ffc625e4df0 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1440): avc: denied { getattr } for pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.808:1441): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.808:1441): cwd="/"
type=SYSCALL msg=audit(1534305755.808:1441): arch=c000003e syscall=2 success=no exit=-13 a0=5505260 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.808:1441): avc: denied { read } for pid=20873 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
----
time->Wed Aug 15 00:02:35 2018
type=PATH msg=audit(1534305755.824:1443): item=0 name="/var/lib/pki/pki-tomcat/conf/ca/CS.cfg" inode=68514375 dev=fd:00 mode=0100660 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_etc_rw_t:s0 objtype=NORMAL
type=CWD msg=audit(1534305755.824:1443): cwd="/"
type=SYSCALL msg=audit(1534305755.824:1443): arch=c000003e syscall=4 success=no exit=-13 a0=578d3f0 a1=7ffc625e4f60 a2=7ffc625e4f60 a3=632e53432f61632f items=1 ppid=19002 pid=20873 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305755.824:1443): avc: denied { getattr } for pid=20873 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
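Every AVC record above has the same shape: source type certmonger_t, target type pki_tomcat_etc_rw_t, class file, permission getattr or read. The following is an added example, not part of the bug report, certmonger or FreeIPA, that reduces ausearch output to that summary the way audit2allow does and renders each group as a te-style allow rule. The two AVC lines and one SYSCALL line embedded in SAMPLE are constructed in the format of the attachment, not copied from it. One caveat the traceback supports: the helper died at os.stat() before it copied CS.cfg to CS.cfg.ipabkp or rewrote it, so the permissions visible here (getattr, read) are only the first ones it was denied; a local policy module built from these records alone would not necessarily let the renewal finish. On a host with the updated selinux-policy, the rule that does exist can be read back with sesearch -A -s certmonger_t -t pki_tomcat_etc_rw_t -c file (setools).

```python
#!/usr/bin/env python3
"""Summarise SELinux AVC denials from `ausearch -m avc` output.

Added example; not the project's own code. Groups denials by
(source type, target type, object class) and collects the denied
permissions per group, which is what an allow rule needs.
"""
import re
import sys
from collections import defaultdict

# Constructed sample lines in the shape of the report's attachment. The
# SYSCALL line is there to show that non-AVC records are ignored.
SAMPLE = """\
type=AVC msg=audit(1534305676.167:1402): avc:  denied  { getattr } for  pid=20553 comm="renew_ca_cert" path="/etc/pki/pki-tomcat/ca/CS.cfg.ipabkp" dev="dm-0" ino=68514374 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1534305676.168:1406): arch=c000003e syscall=2 success=no exit=-13 a0=3361210 a1=0 a2=1b6 a3=24 items=1 ppid=19002 pid=20553 comm="renew_ca_cert" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1534305676.168:1406): avc:  denied  { read } for  pid=20553 comm="renew_ca_cert" name="CS.cfg" dev="dm-0" ino=68514375 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+pid=(?P<pid>\d+)'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')
# AVC records carry either path="..." (full path) or name="..." (basename).
PATH_RE = re.compile(r'\b(?:path|name)="(?P<path>[^"]+)"')


def selinux_type(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per type=AVC record; other record types are skipped."""
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        p = PATH_RE.search(line)
        yield {
            "perms": m.group("perms").split(),
            "pid": int(m.group("pid")),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "path": p.group("path") if p else None,
        }


def summarise(text):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    groups = defaultdict(set)
    for avc in parse_avcs(text):
        groups[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(text):
    """Render each group as the allow rule audit2allow would propose."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
            for (s, t, c), perms in sorted(summarise(text).items())]


if __name__ == "__main__":
    # Feed it a saved attachment: python3 avc_summary.py ~/ausearch_certmonger.out
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for avc in parse_avcs(data):
        print("pid %d denied %s on %s" % (avc["pid"], avc["perms"], avc["path"]))
    for rule in allow_rules(data):
        print(rule)
```

Run against the full attachment, the summary collapses all 22 records to the single group certmonger_t -> pki_tomcat_etc_rw_t:file with { getattr read }, which is the concise statement of what the shipped policy lacked.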
Verified on selinux-policy-3.13.1-96.el7:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
expires: 2018-08-25 21:34:30 UTC
# systemctl stop ntpd
# date -s "2018-08-22 00:00"
Wed Aug 22 00:00:00 EDT 2018
# sleep 120
# getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep expires
expires: 2018-08-25 21:34:30 UTC
# journalctl -t renew_ca_cert --since "2018-08-22" > ~/journalctl.out
# ausearch -m avc --start today > ~/ausearch_certmonger.out
<no matches>
# cat ~/ausearch_certmonger.out
# cat ~/journalctl.out
-- No entries --
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html