Bug 1436383
| Summary: | AVC denial during pkispawn of CA | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.4 | CC: | aakkiang, lvrabec, mgrepl, mmalik, plautrba, pvrabec, rpattath, ssekidde | ||||
| Target Milestone: | rc | Keywords: | Regression, TestBlocker | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-139 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-08-01 15:24:23 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Do you see any SELinux denials when you run the same scenario in permissive mode? If yes, please attach them here. audit log in permissive mode
type=MAC_POLICY_LOAD msg=audit(1490712865.591:172): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1490712865.591:172): arch=c000003e syscall=1 success=yes exit=3706354 a0=5 a1=7f6e9a7c0010 a2=388df2 a3=7ffc63b38d00 items=0 ppid=67369 pid=67385 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1490712866.324:173): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_START msg=audit(1490712866.470:174): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1490712866.489:175): avc: denied { read } for pid=67531 comm="server" name="conf" dev="dm-0" ino=101379503 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1490712866.489:175): avc: denied { search } for pid=67531 comm="server" name="topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712866.489:175): avc: denied { read } for pid=67531 comm="server" name="logging.properties" dev="dm-0" ino=67524565 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.489:175): arch=c000003e syscall=4 success=yes exit=0 a0=d76740 a1=7ffec197a4b0 a2=7ffec197a4b0 a3=8 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:176): avc: denied { getattr } for pid=67531 comm="java" path="/var/lib/pki/topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.551:176): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:177): avc: denied { getattr } for pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/conf" dev="dm-0" ino=101379503 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.551:177): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:178): avc: denied { getattr } for pid=67531 comm="java" path="/etc/pki/topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.551:178): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7963696c6f702e items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:179): avc: denied { getattr } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.551:179): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325cc00 a1=7f3a5325bad0 a2=7f3a5325bad0 a3=7963696c6f702e items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.551:180): avc: denied { read } for pid=67531 comm="java" name="catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1490712866.551:180): avc: denied { open } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/catalina.policy" dev="dm-0" ino=68110292 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.551:180): arch=c000003e syscall=2 success=yes exit=6 a0=7f3a4c154a30 a1=0 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:181): avc: denied { getattr } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/logging.properties" dev="dm-0" ino=67524565 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1490712866.559:181): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=747265706f7270 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:182): avc: denied { getattr } for pid=67531 comm="java" path="/var/log/pki" dev="dm-0" ino=67737096 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.559:182): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.559:183): avc: denied { getattr } for pid=67531 comm="java" path="/var/log/pki/topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.559:183): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325ca20 a1=7f3a5325b8f0 a2=7f3a5325b8f0 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.587:184): avc: denied { write } for pid=67531 comm="java" name="topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712866.587:184): avc: denied { add_name } for pid=67531 comm="java" name="catalina.2017-03-28.log" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712866.587:184): avc: denied { create } for pid=67531 comm="java" name="catalina.2017-03-28.log" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1490712866.587:184): avc: denied { open } for pid=67531 comm="java" path="/var/log/pki/topology-02-CA/catalina.2017-03-28.log" dev="dm-0" ino=34708032 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712866.587:184): arch=c000003e syscall=2 success=yes exit=7 a0=7f3a4c1ab620 a1=441 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.595:185): avc: denied { read } for pid=67531 comm="java" name="lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.595:185): arch=c000003e syscall=21 success=yes exit=0 a0=7f3a4c1b7110 a1=4 a2=0 a3=7f3a532602b0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712866.596:186): avc: denied { open } for pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712866.596:186): arch=c000003e syscall=257 success=yes exit=11 a0=ffffffffffffff9c a1=7f3a4c1b7110 a2=90800 a3=0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:187): avc: denied { search } for pid=67531 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712867.096:187): avc: denied { getattr } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:187): arch=c000003e syscall=4 success=yes exit=0 a0=7f3a4c6892c0 a1=7f3a5325f0d0 a2=7f3a5325f0d0 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:188): avc: denied { read } for pid=67531 comm="java" name="secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=AVC msg=audit(1490712867.096:188): avc: denied { open } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:188): arch=c000003e syscall=2 success=yes exit=72 a0=7f3a4c6892c0 a1=0 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.096:189): avc: denied { write } for pid=67531 comm="java" name="cert8.db" dev="dm-0" ino=944919 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712867.096:189): arch=c000003e syscall=2 success=yes exit=72 a0=7f3a4c6c86a0 a1=2 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.161:190): avc: denied { write } for pid=67531 comm="java" name="topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1490712867.161:190): avc: denied { add_name } for pid=67531 comm="java" name="webapps" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1490712867.161:190): avc: denied { create } for pid=67531 comm="java" name="webapps" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712867.161:190): arch=c000003e syscall=83 success=yes exit=0 a0=7f3998002020 a1=1ff a2=0 a3=7f399fffe130 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712867.163:191): avc: denied { read } for pid=67531 comm="java" name="localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712867.163:191): avc: denied { open } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/Catalina/localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712867.163:191): arch=c000003e syscall=257 success=yes exit=86 a0=ffffffffffffff9c a1=7f3998004e70 a2=90800 a3=0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.771:192): avc: denied { write } for pid=67586 comm="touch" path="/var/log/pki/topology-02-CA/ca/debug" dev="dm-0" ino=34708038 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.771:192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffea6f33c7f a1=941 a2=1b6 a3=7ffea6f320d0 items=0 ppid=67531 pid=67586 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.773:193): avc: denied { setattr } for pid=67588 comm="chmod" name="debug" dev="dm-0" ino=34708038 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.773:193): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1d6a0f0 a2=1a0 a3=7ffd43eff050 items=0 ppid=67531 pid=67588 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.836:194): avc: denied { read } for pid=67531 comm="java" name="ca_audit" dev="dm-0" ino=101379488 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712869.836:194): arch=c000003e syscall=2 success=yes exit=93 a0=7f39906bdbc0 a1=42 a2=1b6 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712869.953:195): avc: denied { getattr } for pid=67531 comm="java" path="/etc/pki/topology-02-CA/alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712869.953:195): arch=c000003e syscall=6 success=yes exit=0 a0=7f3a5325e200 a1=7f3a5325d0d0 a2=7f3a5325d0d0 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.599:196): avc: denied { write } for pid=67531 comm="java" name="CS.cfg" dev="dm-0" ino=944903 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.599:196): arch=c000003e syscall=2 success=yes exit=104 a0=7f3954107b20 a1=241 a2=1b6 a3=7f3a3d0524c0 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.606:197): avc: denied { setattr } for pid=67656 comm="chmod" name="CS.cfg" dev="dm-0" ino=944903 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.606:197): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=1f390f0 a2=1b0 a3=7ffe3957d080 items=0 ppid=67531 pid=67656 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.958:198): avc: denied { name_connect } for pid=67531 comm="java" dest=3389 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1490712871.958:198): arch=c000003e syscall=42 success=yes exit=0 a0=69 a1=7f399e3f6b60 a2=1c a3=7f399e3f6780 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712871.971:199): avc: denied { write } for pid=67531 comm="java" name="ca" dev="dm-0" ino=944902 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712871.971:199): avc: denied { add_name } for pid=67531 comm="java" name="usn.ldif" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712871.971:199): avc: denied { create } for pid=67531 comm="java" name="usn.ldif" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712871.971:199): arch=c000003e syscall=2 success=yes exit=108 a0=7f3954451fc0 a1=241 a2=1b6 a3=2c items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.050:200): avc: denied { write } for pid=67531 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712888.050:200): avc: denied { add_name } for pid=67531 comm="java" name="ca_backup_keys.p12" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712888.050:200): avc: denied { create } for pid=67531 comm="java" name="ca_backup_keys.p12" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.050:200): arch=c000003e syscall=2 success=yes exit=132 a0=7f3954249560 a1=241 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.061:201): avc: denied { getattr } for pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/ca/profiles/ca/caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.061:201): arch=c000003e syscall=6 success=yes exit=0 a0=7f399e3f58a0 a1=7f399e3f4770 a2=7f399e3f4770 a3=5 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712888.061:202): avc: denied { read } for pid=67531 comm="java" name="caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=AVC msg=audit(1490712888.061:202): avc: denied { open } for pid=67531 comm="java" path="/var/lib/pki/topology-02-CA/ca/profiles/ca/caAdminCert.cfg" dev="dm-0" ino=101379510 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1490712888.061:202): arch=c000003e syscall=2 success=yes exit=132 a0=7f395424b5c0 a1=0 a2=1b6 a3=7f3a5243e440 items=0 ppid=1 pid=67531 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.367:203): avc: denied { search } for pid=67807 comm="server" name="topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.367:203): arch=c000003e syscall=4 success=yes exit=0 a0=114e860 a1=7ffe3ac17d40 a2=7ffe3ac17d40 a3=8 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.442:204): avc: denied { getattr } for pid=67807 comm="java" path="/var/log/pki/topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.442:204): arch=c000003e syscall=4 success=yes exit=0 a0=7fb0b419ac80 a1=7fb0baca8380 a2=7fb0baca8380 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.442:205): avc: denied { search } for pid=67807 comm="java" name="topology-02-CA" dev="dm-0" ino=34708056 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=dir
type=AVC msg=audit(1490712889.442:205): avc: denied { open } for pid=67807 comm="java" path="/var/log/pki/topology-02-CA/catalina.2017-03-28.log" dev="dm-0" ino=34708032 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.442:205): arch=c000003e syscall=2 success=yes exit=7 a0=7fb0b41a2220 a1=441 a2=1b6 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.446:206): avc: denied { read } for pid=67807 comm="java" name="catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1490712889.446:206): avc: denied { open } for pid=67807 comm="java" path="/etc/pki/topology-02-CA/catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.446:206): arch=c000003e syscall=2 success=yes exit=11 a0=7fb0b4189160 a1=0 a2=1b6 a3=4 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.446:207): avc: denied { getattr } for pid=67807 comm="java" path="/etc/pki/topology-02-CA/catalina.properties" dev="dm-0" ino=68110293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1490712889.446:207): arch=c000003e syscall=5 success=yes exit=0 a0=b a1=7fb0baca9d40 a2=7fb0baca9d40 a3=4 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.449:208): avc: denied { getattr } for pid=67807 comm="java" path="/var/lib/pki/topology-02-CA" dev="dm-0" ino=101379494 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.449:208): arch=c000003e syscall=6 success=yes exit=0 a0=7fb0baca9550 a1=7fb0baca8420 a2=7fb0baca8420 a3=7fb0b9e88440 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.449:209): avc: denied { read } for pid=67807 comm="java" name="lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.449:209): arch=c000003e syscall=21 success=yes exit=0 a0=7fb0b41a3730 a1=4 a2=0 a3=7fb0bacaa2b0 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712889.450:210): avc: denied { open } for pid=67807 comm="java" path="/var/lib/pki/topology-02-CA/lib" dev="dm-0" ino=34708057 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712889.450:210): arch=c000003e syscall=257 success=yes exit=11 a0=ffffffffffffff9c a1=7fb0b41a37e0 a2=90800 a3=0 items=0 ppid=1 pid=67807 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=SERVICE_START msg=audit(1490712889.952:211): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1490712889.952:212): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1490712890.039:213): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-02-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1490712890.117:214): avc: denied { getattr } for pid=67990 comm="java" path="/etc/pki/topology-02-CA" dev="dm-0" ino=68110291 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712890.117:214): arch=c000003e syscall=6 success=yes exit=0 a0=7f34f4e68c00 a1=7f34f4e67ad0 a2=7f34f4e67ad0 a3=7963696c6f702e items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.649:215): avc: denied { search } for pid=67990 comm="java" name="alias" dev="dm-0" ino=944900 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
type=AVC msg=audit(1490712890.649:215): avc: denied { getattr } for pid=67990 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.649:215): arch=c000003e syscall=4 success=yes exit=0 a0=7f34ec6c7470 a1=7f34f4e6b0d0 a2=7f34f4e6b0d0 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.649:216): avc: denied { read } for pid=67990 comm="java" name="secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=AVC msg=audit(1490712890.649:216): avc: denied { open } for pid=67990 comm="java" path="/etc/pki/topology-02-CA/alias/secmod.db" dev="dm-0" ino=944918 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.649:216): arch=c000003e syscall=2 success=yes exit=72 a0=7f34ec6c7470 a1=0 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.650:217): avc: denied { write } for pid=67990 comm="java" name="cert8.db" dev="dm-0" ino=944919 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1490712890.650:217): arch=c000003e syscall=2 success=yes exit=72 a0=7f34ec706850 a1=2 a2=180 a3=61696c612f41432d items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712890.718:218): avc: denied { read } for pid=67990 comm="java" name="localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1490712890.718:218): avc: denied { open } for pid=67990 comm="java" path="/etc/pki/topology-02-CA/Catalina/localhost" dev="dm-0" ino=944896 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712890.718:218): arch=c000003e syscall=257 success=yes exit=86 a0=ffffffffffffff9c a1=7f3438004e20 a2=90800 a3=0 items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490712891.452:219): avc: denied { write } for pid=67990 comm="java" name="_" dev="dm-0" ino=67524568 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490712891.452:219): arch=c000003e syscall=21 success=yes exit=0 a0=7f343c374480 a1=2 a2=0 a3=7f34f404a440 items=0 ppid=1 pid=67990 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
This issue is not seen when using selinux-policy-3.13.1-130.el7.noarch. This is the last version pkispawn is successful in enforcing mode. I still see the following in enforcing mode using selinux-policy-3.13.1-137.el7.noarch
type=AVC msg=audit(1491318302.313:1375): avc: denied { read } for pid=2133 comm="java" name="lib" dev="dm-0" ino=100664678 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1491318302.313:1375): arch=c000003e syscall=21 success=no exit=-13 a0=7fe1801b6750 a1=4 a2=0 a3=62696c2f7261762f items=0 ppid=1 pid=2133 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491318302.357:1376): avc: denied { getattr } for pid=2133 comm="java" path="/etc/pki/topology-02-CA/server.xml" dev="dm-0" ino=1069627 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=SYSCALL msg=audit(1491318302.357:1376): arch=c000003e syscall=4 success=no exit=-13 a0=7fe1802e7300 a1=7fe18698cf30 a2=7fe18698cf30 a3=32302d79676f6c6f items=0 ppid=1 pid=2133 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491318302.357:1377): avc: denied { read } for pid=2133 comm="java" name="server.xml" dev="dm-0" ino=1069627 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
Attaching the audit log messages in permissive mode because there are many AVCs
Created attachment 1268713 [details]
Audit log messages in permissive mode
Fixed, I'll provide builds ASAP. [root@pki1 ~]# rpm -qi selinux-policy Name : selinux-policy Version : 3.13.1 Release : 140.el7 Architecture: noarch Install Date: Thu 06 Apr 2017 08:59:14 AM EDT Group : System Environment/Base Size : 5707 License : GPLv2+ Signature : (none) Source RPM : selinux-policy-3.13.1-140.el7.src.rpm Build Date : Wed 05 Apr 2017 12:43:33 PM EDT Build Host : ppc-035.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://oss.tresys.com/repos/refpolicy/ Summary : SELinux policy configuration Description : SELinux Reference Policy - modular. Based off of reference policy: Checked out revision 2.20091117 pkispawn was successful in enforcing mode. clis work as expected Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861 |
Description of problem: AVC denial during pkispawn of CA Version-Release number of selected component (if applicable): selinux-policy-3.13.1-133.el7.noarch How reproducible: always Steps to Reproduce: 1. pkispawn -s CA -f ca.cfg 2.cat ca.cfg [DEFAULT] pki_instance_name = topology-02-CA pki_https_port = 20443 pki_http_port = 20080 pki_token_password = pki_admin_password = pki_hostname = pki1.example.com pki_security_domain_name = topology-02_Foobarmaster.org pki_security_domain_password = pki_client_dir = /opt/topology-02-CA pki_client_pkcs12_password = pki_backup_keys = True pki_backup_password = pki_ds_password = pki_ds_ldap_port = 3389 [Tomcat] pki_ajp_port = 20009 pki_tomcat_server_port = 20005 [CA] pki_import_admin_cert = False pki_ds_hostname = pki1.example.com pki_admin_nickname = PKI CA Administrator for Example.Org 3. Actual results: pkispwan fails type=AVC msg=audit(1490639498.802:2704): avc: denied { search } for pid=28370 comm="java" name="topology-02-CA" dev="dm-0" ino=1627167 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir Expected results: pkispawn should pass Additional info: