Bug 1436383 - AVC denial during pkispawn of CA
Summary: AVC denial during pkispawn of CA
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-27 19:50 UTC by Roshni
Modified: 2017-08-01 15:24 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-139
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:
Embargoed:


Attachments
Audit log messages in permissive mode (40.25 KB, text/plain), 2017-04-04 15:26 UTC, Roshni


Links
System: Red Hat Product Errata; ID: RHBA-2017:1861; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: selinux-policy bug fix update; Last Updated: 2017-08-01 17:50:24 UTC

Description Roshni 2017-03-27 19:50:44 UTC
Description of problem:
AVC denial during pkispawn of CA

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-133.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. pkispawn -s CA -f ca.cfg
2. cat ca.cfg
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080
pki_token_password =
pki_admin_password = 
pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = 
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = 
pki_backup_keys = True
pki_backup_password = 
pki_ds_password = 
pki_ds_ldap_port = 3389

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
3.

Actual results:
pkispawn fails

type=AVC msg=audit(1490639498.802:2704): avc:  denied  { search } for  pid=28370 comm="java" name="topology-02-CA" dev="dm-0" ino=1627167 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir

Expected results:
pkispawn should pass

Additional info:

Comment 3 Milos Malik 2017-03-28 08:46:04 UTC
Do you see any SELinux denials when you run the same scenario in permissive mode? If yes, please attach them here.

Comment 4 Roshni 2017-03-28 14:58:52 UTC
audit log in permissive mode

type=MAC_POLICY_LOAD msg=audit(1490712865.591:172): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1490712865.591:172): arch=c000003e syscall=1 success=yes exit=3706354 a0=5 a1=7f6e9a7c0010 a2=388df2 a3=7ffc63b38d00 items=0 ppid=67369 pid=67385 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1490712866.324:173): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1490712866.470:174): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1490712866.489:175): avc:  denied  { read } for  pid=67531 comm="server" name="conf" dev="dm-0" ino=101379503 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1490712866.489:175): avc:  denied  { search } for  pid=67531 comm="server" name="topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712866.489:175): avc:  denied  { read } for  pid=67531 comm="server" name="logging.properties" dev="dm-0" ino=67524565 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.489:175): arch=c000003e syscall=4 success=yes exit=0 a0=d76740 a1=7ffec197a4b0 a2=7ffec197a4b0 a3=8 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:176): avc:  denied  { getattr } for  pid=67531 comm="java" path="/var/lib/pki/topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.551:176): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:177): avc:  denied  { getattr } for  pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/conf" dev="dm-0" ino=101379503 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.551:177): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:178): avc:  denied  { getattr } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.551:178): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7963696c6f702e items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:179): avc:  denied  { getattr } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.551:179): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7963696c6f702e items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:180): avc:  denied  { read } for  pid=67531 comm="java" name="catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1490712866.551:180): avc:  denied  { open } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.551:180): arch=c000003e syscall=2 success=yes exit=6 a0=7f3a4c154a30 a1=0 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:181): avc:  denied  { getattr } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/logging.properties" dev="dm-0" ino=67524565 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.559:181): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=747265706f7270 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:182): avc:  denied  { getattr } for  pid=67531 comm="java" path="/var/log/pki" dev="dm-0" ino=67737096 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.559:182): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:183): avc:  denied  { getattr } for  pid=67531 comm="java" path="/var/log/pki/topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.559:183): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.587:184): avc:  denied  { write } for  pid=67531 comm="java" name="topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712866.587:184): avc:  denied  { add_name } for  pid=67531 comm="java" name="catalina.2017-03-28.log" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712866.587:184): avc:  denied  { create } for  pid=67531 comm="java" name="catalina.2017-03-28.log" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1490712866.587:184): avc:  denied  { open } for  pid=67531 comm="java" path="/var/log/pki/topology-02-CA/catalina.2017-03-28.log" dev="dm-0" ino=34708032 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.587:184): arch=c000003e syscall=2 success=yes exit=7 a0=7f3a4c1ab620 a1=441 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.595:185): avc:  denied  { read } for  pid=67531 comm="java" name="lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.595:185): arch=c000003e syscall=21 success=yes exit=0 a0=7f3a4c1b7110 a1=4 a2=0 a3=7f3a532602b0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.596:186): avc:  denied  { open } for  pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.596:186): arch=c000003e syscall=257 success=yes exit=11 a0=ffffffffffffff9c a1=7f3a4c1b7110 a2=90800 a3=0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:187): avc:  denied  { search } for  pid=67531 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712867.096:187): avc:  denied  { getattr } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:187): arch=c000003e syscall=4 success=yes exit=0 a0=7f3a4c6892c0 a1=7f3a5325f0d0 a2=7f3a5325f0d0 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:188): avc:  denied  { read } for  pid=67531 comm="java" name="secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=AVC msg=audit(1490712867.096:188): avc:  denied  { open } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:188): arch=c000003e syscall=2 success=yes exit=72 a0=7f3a4c6892c0 a1=0 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:189): avc:  denied  { write } for  pid=67531 comm="java" name="cert8.db" dev="dm-0" ino=944919 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:189): arch=c000003e syscall=2 success=yes exit=72 a0=7f3a4c6c86a0 a1=2 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.161:190): avc:  denied  { write } for  pid=67531 comm="java" name="topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1490712867.161:190): avc:  denied  { add_name } for  pid=67531 comm="java" name="webapps" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1490712867.161:190): avc:  denied  { create } for  pid=67531 comm="java" name="webapps" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712867.161:190): arch=c000003e syscall=83 success=yes exit=0 a0=7f3998002020 a1=1ff a2=0 a3=7f399fffe130 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.163:191): avc:  denied  { read } for  pid=67531 comm="java" name="localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712867.163:191): avc:  denied  { open } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/Catalina/localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712867.163:191): arch=c000003e syscall=257 success=yes exit=86 a0=ffffffffffffff9c a1=7f3998004e70 a2=90800 a3=0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.771:192): avc:  denied  { write } for  pid=67586 comm="touch" path="/var/log/pki/topology-02-CA/ca/debug" dev="dm-0" ino=34708038 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.771:192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffea6f33c7f a1=941 a2=1b6 a3=7ffea6f320d0 items=0 ppid=67531 pid=67586 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.773:193): avc:  denied  { setattr } for  pid=67588 comm="chmod" name="debug" dev="dm-0" ino=34708038 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.773:193): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1d6a0f0 a2=1a0 a3=7ffd43eff050 items=0 ppid=67531 pid=67588 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.836:194): avc:  denied  { read } for  pid=67531 comm="java" name="ca_audit" dev="dm-0" ino=101379488 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.836:194): arch=c000003e syscall=2 success=yes exit=93 a0=7f39906bdbc0 a1=42 a2=1b6 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.953:195): avc:  denied  { getattr } for  pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712869.953:195): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325e200 a1=7f3a5325d0d0 a2=7f3a5325d0d0 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.599:196): avc:  denied  { write } for  pid=67531 comm="java" name="CS.cfg" dev="dm-0" ino=944903 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.599:196): arch=c000003e syscall=2 success=yes exit=104 a0=7f3954107b20 a1=241 a2=1b6 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.606:197): avc:  denied  { setattr } for  pid=67656 comm="chmod" name="CS.cfg" dev="dm-0" ino=944903 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.606:197): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1f390f0 a2=1b0 a3=7ffe3957d080 items=0 ppid=67531 pid=67656 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.958:198): avc:  denied  { name_connect } for  pid=67531 comm="java" dest=3389 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1490712871.958:198): arch=c000003e syscall=42 success=yes exit=0 a0=69 a1=7f399e3f6b60 a2=1c a3=7f399e3f6780 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.971:199): avc:  denied  { write } for  pid=67531 comm="java" name="ca" dev="dm-0" ino=944902 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712871.971:199): avc:  denied  { add_name } for  pid=67531 comm="java" name="usn.ldif" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712871.971:199): avc:  denied  { create } for  pid=67531 comm="java" name="usn.ldif" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.971:199): arch=c000003e syscall=2 success=yes exit=108 a0=7f3954451fc0 a1=241 a2=1b6 a3=2c items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.050:200): avc:  denied  { write } for  pid=67531 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712888.050:200): avc:  denied  { add_name } for  pid=67531 comm="java" name="ca_backup_keys.p12" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712888.050:200): avc:  denied  { create } for  pid=67531 comm="java" name="ca_backup_keys.p12" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.050:200): arch=c000003e syscall=2 success=yes exit=132 a0=7f3954249560 a1=241 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.061:201): avc:  denied  { getattr } for  pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/ca/profiles/ca/caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.061:201): arch=c000003e syscall=6 success=yes exit=0 a0=7f399e3f58a0 a1=7f399e3f4770 a2=7f399e3f4770 a3=5 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.061:202): avc:  denied  { read } for  pid=67531 comm="java" name="caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=AVC msg=audit(1490712888.061:202): avc:  denied  { open } for  pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/ca/profiles/ca/caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.061:202): arch=c000003e syscall=2 success=yes exit=132 a0=7f395424b5c0 a1=0 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.367:203): avc:  denied  { search } for  pid=67807 comm="server" name="topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.367:203): arch=c000003e syscall=4 success=yes exit=0 a0=114e860 a1=7ffe3ac17d40 a2=7ffe3ac17d40 a3=8 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.442:204): avc:  denied  { getattr } for  pid=67807 comm="java" path="/var/log/pki/topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.442:204): arch=c000003e syscall=4 success=yes exit=0 a0=7fb0b419ac80 a1=7fb0baca8380 a2=7fb0baca8380 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.442:205): avc:  denied  { search } for  pid=67807 comm="java" name="topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712889.442:205): avc:  denied  { open } for  pid=67807 comm="java" path="/var/log/pki/topology-02-CA/catalina.2017-03-28.log" dev="dm-0" ino=34708032 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.442:205): arch=c000003e syscall=2 success=yes exit=7 a0=7fb0b41a2220 a1=441 a2=1b6 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.446:206): avc:  denied  { read } for  pid=67807 comm="java" name="catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1490712889.446:206): avc:  denied  { open } for  pid=67807 comm="java" path="/etc/pki/topology-02-CA/catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.446:206): arch=c000003e syscall=2 success=yes exit=11 a0=7fb0b4189160 a1=0 a2=1b6 a3=4 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.446:207): avc:  denied  { getattr } for  pid=67807 comm="java" path="/etc/pki/topology-02-CA/catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.446:207): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fb0baca9d40 a2=7fb0baca9d40 a3=4 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.449:208): avc:  denied  { getattr } for  pid=67807 comm="java" path="/var/lib/pki/topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.449:208): arch=c000003e syscall=6 success=yes exit=0 a0=7fb0baca9550 a1=7fb0baca8420 a2=7fb0baca8420 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.449:209): avc:  denied  { read } for  pid=67807 comm="java" name="lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.449:209): arch=c000003e syscall=21 success=yes exit=0 a0=7fb0b41a3730 a1=4 a2=0 a3=7fb0bacaa2b0 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.450:210): avc:  denied  { open } for  pid=67807 comm="java" path="/var/lib/pki/topology-02-CA/lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.450:210): arch=c000003e syscall=257 success=yes exit=11 a0=ffffffffffffff9c a1=7fb0b41a37e0 a2=90800 a3=0 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=SERVICE_START msg=audit(1490712889.952:211): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1490712889.952:212): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1490712890.039:213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1490712890.117:214): avc:  denied  { getattr } for  pid=67990 comm="java" path="/etc/pki/topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712890.117:214): arch=c000003e syscall=6 success=yes exit=0 a0=7f34f4e68c00 a1=7f34f4e67ad0 a2=7f34f4e67ad0 a3=7963696c6f702e items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.649:215): avc:  denied  { search } for  pid=67990 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712890.649:215): avc:  denied  { getattr } for  pid=67990 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.649:215): arch=c000003e syscall=4 success=yes exit=0 a0=7f34ec6c7470 a1=7f34f4e6b0d0 a2=7f34f4e6b0d0 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.649:216): avc:  denied  { read } for  pid=67990 comm="java" name="secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=AVC msg=audit(1490712890.649:216): avc:  denied  { open } for  pid=67990 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.649:216): arch=c000003e syscall=2 success=yes exit=72 a0=7f34ec6c7470 a1=0 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.650:217): avc:  denied  { write } for  pid=67990 comm="java" name="cert8.db" dev="dm-0" ino=944919 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.650:217): arch=c000003e syscall=2 success=yes exit=72 a0=7f34ec706850 a1=2 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.718:218): avc:  denied  { read } for  pid=67990 comm="java" name="localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712890.718:218): avc:  denied  { open } for  pid=67990 comm="java" path="/etc/pki/topology-02-CA/Catalina/localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712890.718:218): arch=c000003e syscall=257 success=yes exit=86 a0=ffffffffffffff9c a1=7f3438004e20 a2=90800 a3=0 items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712891.452:219): avc:  denied  { write } for  pid=67990 comm="java" name="_" dev="dm-0" ino=67524568 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712891.452:219): arch=c000003e syscall=21 success=yes exit=0 a0=7f343c374480 a1=2 a2=0 a3=7f34f404a440 items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)

Comment 5 Roshni 2017-03-28 17:27:43 UTC
This issue is not seen when using selinux-policy-3.13.1-130.el7.noarch. This is the last version with which pkispawn succeeds in enforcing mode.

Comment 7 Roshni 2017-04-04 15:25:55 UTC
I still see the following in enforcing mode using selinux-policy-3.13.1-137.el7.noarch:

type=AVC msg=audit(1491318302.313:1375): avc:  denied  { read } for  pid=2133 comm="java" name="lib" dev="dm-0" ino=100664678 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1491318302.313:1375): arch=c000003e syscall=21 success=no exit=-13 a0=7fe1801b6750 a1=4 a2=0 a3=62696c2f7261762f items=0 ppid=1 pid=2133 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491318302.357:1376): avc:  denied  { getattr } for  pid=2133 comm="java" path="/etc/pki/topology-02-CA/server.xml" dev="dm-0" ino=1069627 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1491318302.357:1376): arch=c000003e syscall=4 success=no exit=-13 a0=7fe1802e7300 a1=7fe18698cf30 a2=7fe18698cf30 a3=32302d79676f6c6f items=0 ppid=1 pid=2133 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491318302.357:1377): avc:  denied  { read } for  pid=2133 comm="java" name="server.xml" dev="dm-0" ino=1069627 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

Attaching the audit log messages in permissive mode because there are many AVCs.

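The difference between the two log dumps in this bug is the SYSCALL record that follows each AVC: in the first dump every denied call still reports success=yes exit=0 (the machine was permissive, so the kernel logged the denial and let the call through), while the records in this comment report success=no exit=-13 (EACCES), which is what actually breaks pkispawn in enforcing mode. The following Python script is an added example, not part of this bug report or of selinux-policy: it pairs AVC and SYSCALL records by their audit serial, labels each denial as enforced or permissive, and collapses the result into candidate allow rules grouped the way audit2allow groups them. SAMPLE_AUDIT is constructed from records in this bug (with the long exe path shortened); the rule output is for a policy maintainer to review, not something to load as a local module, since the real fix here was a policy update.

```python
"""Pair audit AVC records with their SYSCALL record and summarise denials.

Added example (not from the bug or from selinux-policy). SAMPLE_AUDIT is
constructed from records in this bug; exe paths are shortened.
"""
import re
from collections import defaultdict

EACCES = -13  # errno returned to a process when SELinux enforces a denial

SAMPLE_AUDIT = """\
type=AVC msg=audit(1490712889.449:209): avc:  denied  { read } for  pid=67807 comm="java" name="lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.449:209): arch=c000003e syscall=21 success=yes exit=0 a0=7fb0b41a3730 a1=4 a2=0 a3=7fb0bacaa2b0 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 comm="java" exe="/usr/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.649:216): avc:  denied  { read } for  pid=67990 comm="java" name="secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=AVC msg=audit(1490712890.649:216): avc:  denied  { open } for  pid=67990 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.649:216): arch=c000003e syscall=2 success=yes exit=72 a0=7f34ec6c7470 a1=0 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 comm="java" exe="/usr/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491318302.313:1375): avc:  denied  { read } for  pid=2133 comm="java" name="lib" dev="dm-0" ino=100664678 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1491318302.313:1375): arch=c000003e syscall=21 success=no exit=-13 a0=7fe1801b6750 a1=4 a2=0 a3=62696c2f7261762f items=0 ppid=1 pid=2133 auid=4294967295 uid=17 gid=17 comm="java" exe="/usr/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
"""

_MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
_AVC_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}.*?'
                     r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
_SYSCALL_RE = re.compile(r'success=(yes|no) exit=(-?\d+)')


def _type_of(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_audit(text):
    """Group records by audit serial: the serial ties an AVC to its SYSCALL.

    Returns {serial: {'avcs': [(perms, stype, ttype, tclass)], 'syscall': (ok, exit)|None}}.
    """
    events = {}
    for line in text.splitlines():
        m = _MSG_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial = m.groups()
        ev = events.setdefault(int(serial), {'avcs': [], 'syscall': None})
        if rtype == 'AVC':
            a = _AVC_RE.search(line)
            if a:
                perms, scon, tcon, tclass = a.groups()
                ev['avcs'].append((set(perms.split()), _type_of(scon),
                                   _type_of(tcon), tclass))
        elif rtype == 'SYSCALL':
            s = _SYSCALL_RE.search(line)
            if s:
                ev['syscall'] = (s.group(1) == 'yes', int(s.group(2)))
    return events


def classify(events):
    """Label each denial: 'enforced' (syscall failed with EACCES),
    'permissive' (AVC logged but syscall succeeded) or 'unknown'."""
    out = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev['syscall']
        if sc is None:
            mode = 'unknown'
        elif not sc[0] and sc[1] == EACCES:
            mode = 'enforced'
        elif sc[0]:
            mode = 'permissive'
        else:
            mode = 'unknown'  # failed, but not with EACCES: not this AVC's doing
        for perms, stype, ttype, tclass in ev['avcs']:
            out.append((serial, mode, stype, ttype, tclass, frozenset(perms)))
    return out


def allow_rules(denials, modes=('enforced', 'permissive')):
    """Collapse denials into allow rules, merging permissions per
    (source type, target type, class) as audit2allow does."""
    grouped = defaultdict(set)
    for _serial, mode, stype, ttype, tclass, perms in denials:
        if mode in modes:
            grouped[(stype, ttype, tclass)] |= perms
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == '__main__':
    denials = classify(parse_audit(SAMPLE_AUDIT))
    for serial, mode, stype, ttype, tclass, perms in denials:
        print(f'{serial}: {mode:10} {stype} -> {ttype}:{tclass} {sorted(perms)}')
    print('\n'.join(allow_rules(denials, modes=('enforced',))))
```

Run it against a real log with `parse_audit(open('/var/log/audit/audit.log').read())`; restricting `allow_rules` to `modes=('enforced',)` shows only what actually failed, which is the set worth reporting against the policy.
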
Comment 8 Roshni 2017-04-04 15:26:47 UTC
Created attachment 1268713
Audit log messages in permissive mode

Comment 9 Lukas Vrabec 2017-04-05 12:35:22 UTC
Fixed.

I'll provide builds ASAP.

Comment 11 Roshni 2017-04-06 13:30:26 UTC
[root@pki1 ~]# rpm -qi selinux-policy
Name        : selinux-policy
Version     : 3.13.1
Release     : 140.el7
Architecture: noarch
Install Date: Thu 06 Apr 2017 08:59:14 AM EDT
Group       : System Environment/Base
Size        : 5707
License     : GPLv2+
Signature   : (none)
Source RPM  : selinux-policy-3.13.1-140.el7.src.rpm
Build Date  : Wed 05 Apr 2017 12:43:33 PM EDT
Build Host  : ppc-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

pkispawn was successful in enforcing mode.
CLIs work as expected.

Comment 12 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

