1436434 – Multiple SELinux denials prevent FreeIPA server deployment on F26 and Rawhide

Bug 1436434 - Multiple SELinux denials prevent FreeIPA server deployment on F26 and Rawhide

Summary: Multiple SELinux denials prevent FreeIPA server deployment on F26 and Rawhide

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedBlocker
Depends On:
Blocks:	F26AlphaBlocker
TreeView+	depends on / blocked

Reported:	2017-03-27 23:06 UTC by Adam Williamson
Modified:	2017-03-29 05:05 UTC (History)
CC List:	17 users (show)
Fixed In Version:	selinux-policy-3.13.1-249.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-29 05:05:41 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Adam Williamson 2017-03-27 23:06:24 UTC

Since the 20170322.n.0 compose, FreeIPA server deployment on Rawhide has been failing. I believe this is caused by a bunch of SELinux denials related to the pki-tomcat component:

----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:351): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.061:350): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.062:352): avc:  denied  { search } for  pid=5991 comm="pkidaemon" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:353): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.197:354): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:355): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:356): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.198:357): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.199:358): avc:  denied  { search } for  pid=6008 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:359): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.211:360): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.212:361): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:362): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:363): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.213:364): avc:  denied  { search } for  pid=6011 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:365): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:366): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.228:367): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:368): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:369): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.229:370): avc:  denied  { search } for  pid=6014 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:371): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.242:372): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:373): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:374): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.243:375): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.244:376): avc:  denied  { search } for  pid=6017 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:377): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:378): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.255:379): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:380): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:381): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.256:382): avc:  denied  { search } for  pid=6021 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:383): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:384): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.266:385): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:386): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:387): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.267:388): avc:  denied  { search } for  pid=6024 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:389): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.278:390): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:391): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:392): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.279:393): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.280:394): avc:  denied  { search } for  pid=6027 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:395): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.289:396): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.290:397): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:398): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:399): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.291:400): avc:  denied  { search } for  pid=6030 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:401): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.306:402): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:403): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:404): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.307:405): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.308:406): avc:  denied  { search } for  pid=6034 comm="chown" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:408): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:409): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.631:410): avc:  denied  { search } for  pid=6109 comm="server" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:411): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:412): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.650:413): avc:  denied  { search } for  pid=6114 comm="build-classpath" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.690:414): avc:  denied  { search } for  pid=6109 comm="server" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:415): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:416): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.703:417): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:418): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.744:419): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.745:420): avc:  denied  { search } for  pid=6109 comm="java" name="sss" dev="dm-0" ino=12951345 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:421): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:422): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:423): avc:  denied  { getattr } for  pid=6109 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----
time->Mon Mar 27 15:18:34 2017
type=AVC msg=audit(1490653114.857:424): avc:  denied  { search } for  pid=6109 comm="java" name="pki-tomcat" dev="dm-0" ino=12749788 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir permissive=0
----

There are also denials related to ntpd and useradd / groupadd, which I'll report separately.

Proposing as an F27 Alpha blocker, as a violation of "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" - this affects the domain controller role, which is a release-blocking role.

Comment 1 Adam Williamson 2017-03-27 23:48:40 UTC

Well, fuck. This is actually affecting F26 as well, which makes it an Alpha blocker.

I believe this is the offending change:

- Remove tomcat_t domain from unconfined domains

That is absolutely *not* an appropriate change during Alpha freeze. I did not realize the -147 build made changes beyond fixing the bug approved as an FE, or else I would never have submitted it for stable. *Please* don't make changes beyond those approved as blocker/FE during milestone freezes, or at least never make changes in the 'more restrictive' direction (only 'less restrictive').

We will now need a -148 with tomcat put back in unconfined, I think. As an emergency, as fast as possible. As -147 has been pushed stable now, we cannot just go back to -146. :(

Comment 2 Kevin Fenzi 2017-03-28 00:05:06 UTC

Seems like a pretty clear blocker. ;( +1

Comment 3 Adam Williamson 2017-03-28 00:10:43 UTC

As this is an emergency and no selinux maintainers are around right now, I quickly hacked up builds for rawhide and f26 which should revert tomcat_t to unconfined. Sorry if I made any messes. I'll submit updates and test them later tonight from my laptop, I have to run out right now. If it all works out OK I'll file an RC4 request.

Comment 4 Fedora Update System 2017-03-28 00:43:39 UTC

selinux-policy-3.13.1-249.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 5 Ben Williams 2017-03-28 02:36:07 UTC

+1 blocker

Comment 6 Adam Williamson 2017-03-28 02:49:41 UTC

That's +3 and this is a pretty obvious one, so setting accepted.

Comment 7 Mohan Boddu 2017-03-28 02:50:35 UTC

+1 Blocker

Comment 8 Dan Mossor [danofsatx] 2017-03-28 02:51:02 UTC

+1 Blocker.

Comment 9 Neal Gompa 2017-03-28 02:58:39 UTC

+1 Blocker

Comment 10 Mike Ruckman 2017-03-28 03:23:13 UTC

+1

Comment 11 Nick Bebout 2017-03-28 12:57:50 UTC

+1 Blocker

Comment 12 Fedora Update System 2017-03-28 17:54:05 UTC

selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f34640326f

Comment 13 Fedora Update System 2017-03-29 05:05:41 UTC

selinux-policy-3.13.1-249.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.