Since the 20170322.n.0 compose, FreeIPA server deployment on Rawhide has been failing. I believe this is caused by a bunch of SELinux denials related to the pki-tomcat component:

----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:351): avc: denied { search } for pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:350): avc: denied { search } for pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.062:352): avc: denied { search } for pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:353): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:354): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:355): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:356): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:357): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.199:358): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:359): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:360): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.212:361): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:362): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:363): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:364): avc: denied { search } for pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:365): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:366): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:367): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:368): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:369): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:370): avc: denied { search } for pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:371): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:372): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:373): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:374): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:375): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.244:376): avc: denied { search } for pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:377): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:378): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:379): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:380): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:381): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:382): avc: denied { search } for pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:383): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:384): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:385): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:386): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:387): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:388): avc: denied { search } for pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:389): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:390): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:391): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:392): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:393): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.280:394): avc: denied { search } for pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:395): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:396): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.290:397): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:398): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:399): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:400): avc: denied { search } for pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:401): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:402): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:403): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:404): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:405): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.308:406): avc: denied { search } for pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:408): avc: denied { search } for pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:409): avc: denied { search } for pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:410): avc: denied { search } for pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:411): avc: denied { search } for pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:412): avc: denied { search } for pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:413): avc: denied { search } for pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.690:414): avc: denied { search } for pid=6109 comm="server" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:415): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:416): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:417): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:418): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:419): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.745:420): avc: denied { search } for pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:421): avc: denied { getattr } for pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:422): avc: denied { getattr } for pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:423): avc: denied { getattr } for pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:424): avc: denied { search } for pid=6109 comm="java" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----

There are also denials related to ntpd and useradd / groupadd, which I'll report separately.

Proposing as an F27 Alpha blocker, as a violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" - this affects the domain controller role, which is a release-blocking role.
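As an added triage aid (example code written for this page, not part of the bug report, FreeIPA or selinux-policy), the script below parses raw audit AVC records like the ones quoted above, groups denials by source type, target type, object class and permission, and renders the candidate allow rules in audit2allow style so a reviewer can see at a glance which domain/type pairs a policy change broke. The sample records are constructed from a handful of the denials quoted in the report; the rules it prints are for review only, since the fix taken in this bug was to revert tomcat_t to an unconfined domain rather than to add allow rules.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the AVC records from the report above,
# in raw audit.log form (one record per line, no "time->" header).
SAMPLE_AVC = """\
type=AVC msg=audit(1490653114.061:351): avc: denied { search } for pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.197:353): avc: denied { search } for pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.631:408): avc: denied { search } for pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.857:421): avc: denied { getattr } for pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490653114.857:424): avc: denied { search } for pid=6109 comm="java" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
"""

# "avc: denied { perm perm } for <key=value fields...>"
HEAD_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None if the line is not one."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    try:
        return {
            "result": result,
            "perms": tuple(perms.split()),          # an AVC may list several permissions
            "comm": fields.get("comm", "?"),
            "stype": fields["scontext"].split(":")[2],  # user:role:TYPE[:level]
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # malformed or truncated record: skip rather than miscount


def summarize(log_text):
    """Count denials per (source type, target type, class, permission), remembering
    which commands triggered each group. Granted/audit-allow records are ignored."""
    groups = defaultdict(lambda: {"count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            groups[key]["count"] += 1
            groups[key]["comms"].add(rec["comm"])
    return dict(groups)


def allow_rules(groups):
    """Render one audit2allow-style rule per (source, target, class), merging permissions."""
    by_pair = defaultdict(set)
    for (stype, ttype, tclass, perm) in groups:
        by_pair[(stype, ttype, tclass)].add(perm)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in by_pair.items()
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVC)
    for key, info in sorted(summary.items()):
        print(f"{info['count']:4d}  {key}  comm={sorted(info['comms'])}")
    print("\n".join(allow_rules(summary)))
```

On the full log from the report this collapses 74 records into three type pairs, which is what makes the "tomcat_t is no longer unconfined" diagnosis in the next comment easy to spot.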
Well, fuck. This is actually affecting F26 as well, which makes it an Alpha blocker. I believe this is the offending change:

- Remove tomcat_t domain from unconfined domains

That is absolutely *not* an appropriate change during Alpha freeze. I did not realize the -147 build made changes beyond fixing the bug approved as an FE, or else I would never have submitted it for stable. *Please* don't make changes beyond those approved as blocker/FE during milestone freezes, or at least never make changes in the 'more restrictive' direction (only 'less restrictive'). We will now need a -148 with tomcat put back in unconfined, I think. As an emergency, as fast as possible. As -147 has been pushed stable now, we cannot just go back to -146. :(
Seems like a pretty clear blocker. ;( +1
As this is an emergency and no selinux maintainers are around right now, I quickly hacked up builds for rawhide and f26 which should revert tomcat_t to unconfined. Sorry if I made any messes. I'll submit updates and test them later tonight from my laptop, I have to run out right now. If it all works out OK I'll file an RC4 request.
selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f
+1 blocker
That's +3 and this is a pretty obvious one, so setting accepted.
+1 Blocker
+1 Blocker.
+1
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f
selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.