Bug 1401611 - Selinux prevents ipsec to read /etc/pki/nss-legacy/nss-rhel6.config
Summary: Selinux prevents ipsec to read /etc/pki/nss-legacy/nss-rhel6.config
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-05 17:19 UTC by Jaroslav Aster
Modified: 2017-03-21 09:49 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 09:49:57 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0627 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-03-21 12:29:23 UTC

Description Jaroslav Aster 2016-12-05 17:19:45 UTC 
Description of problem:

Selinux prevents ipsec to read /etc/pki/nss-legacy/nss-rhel6.config.


Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-305.el6.noarch


How reproducible:

100%


Steps to Reproduce:
1.
2.
3.


Actual results:

----
time->Sun Dec  4 06:59:14 2016
type=PATH msg=audit(1480852754.337:37820): item=0 name="/etc/pki/nss-legacy/nss-rhel6.config" inode=2228479 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL
type=CWD msg=audit(1480852754.337:37820):  cwd="/"
type=SYSCALL msg=audit(1480852754.337:37820): arch=80000015 syscall=33 success=yes exit=0 a0=80d92cf328 a1=4 a2=16 a3=fefefefefefefeff items=1 ppid=24969 pid=24972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certutil" exe="/usr/bin/certutil" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480852754.337:37820): avc:  denied  { read } for  pid=24972 comm="certutil" name="nss-rhel6.config" dev=dm-0 ino=2228479 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
----
time->Sun Dec  4 06:59:14 2016
type=PATH msg=audit(1480852754.337:37821): item=0 name="/etc/pki/nss-legacy/nss-rhel6.config" inode=2228479 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL
type=CWD msg=audit(1480852754.337:37821):  cwd="/"
type=SYSCALL msg=audit(1480852754.337:37821): arch=80000015 syscall=5 success=yes exit=5 a0=1000ecb49b0 a1=0 a2=1b6 a3=0 items=1 ppid=24969 pid=24972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certutil" exe="/usr/bin/certutil" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1480852754.337:37821): avc:  denied  { open } for  pid=24972 comm="certutil" name="nss-rhel6.config" dev=dm-0 ino=2228479 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file

Expected results:

No avcs.
Comment 5 errata-xmlrpc 2017-03-21 09:49:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html
Note You need to log in before you can comment on or make changes to this bug.