Bug 1436689 - AVC denials during ipa-server-install
Summary: AVC denials during ipa-server-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Duplicates: 1417846 1438814 1439137 1439179 1439187 1443557 1444864 1449735 1451695 1457944 1458420
Depends On:
Blocks: 1443557
Reported: 2017-03-28 12:50 UTC by Varun Mylaraiah
Modified: 2018-02-13 20:08 UTC
CC List: 27 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1443557
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:
Embargoed:


Attachments
AVC denials (26.38 KB, text/plain), 2017-04-19 05:01 UTC, Sudhir Menon


Links
Red Hat Product Errata RHBA-2017:1861 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Description Varun Mylaraiah 2017-03-28 12:50:46 UTC
Description of problem:
AVC denials during ipa-server-install 

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:

[root@hp-dl380pgen8-02-vm-2 ~]# getenforce 
Enforcing

[root@hp-dl380pgen8-02-vm-2 ~]# ipa-server-install --setup-dns --forwarder=10.16.36.29 --reverse-zone=46.16.10.in-addr.arpa. --allow-zone-overlap --hostname=hp-dl380pgen8-02-vm-2.testrelm.test -r TESTRELM.TEST -n testrelm.test. -p <XXXXX> -a <XXXXX> --ip-address=10.16.46.51 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host hp-dl380pgen8-02-vm-2.testrelm.test
Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...
Using reverse zone(s) 46.16.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       hp-dl380pgen8-02-vm-2.testrelm.test
IP address(es): 10.16.46.51
Domain name:    testrelm.test.
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.16.36.29
Forward policy:   only
Reverse zone(s):  46.16.10.in-addr.arpa.

WARNING: Realm name does not match the domain name.
You will not be able to estabilish trusts with Active Directory unless
the realm name of the IPA server matches its domain name.


Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Adding [10.16.46.51 hp-dl380pgen8-02-vm-2.testrelm.test] to your /etc/hosts file
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: enabling ldapi
  [4/47]: configure autobind for root
  [5/47]: stopping directory server
  [6/47]: updating configuration in dse.ldif
  [7/47]: starting directory server
  [8/47]: adding default schema
  [9/47]: enabling memberof plugin
  [10/47]: enabling winsync plugin
  [11/47]: configuring replication version plugin
  [12/47]: enabling IPA enrollment plugin
  [13/47]: configuring uniqueness plugin
  [14/47]: configuring uuid plugin
  [15/47]: configuring modrdn plugin
  [16/47]: configuring DNS plugin
  [17/47]: enabling entryUSN plugin
  [18/47]: configuring lockout plugin
  [19/47]: configuring topology plugin
  [20/47]: creating indices
  [21/47]: enabling referential integrity plugin
  [22/47]: configuring certmap.conf
  [23/47]: configure new location for managed entries
  [24/47]: configure dirsrv ccache
  [25/47]: enabling SASL mapping fallback
  [26/47]: restarting directory server
  [27/47]: adding sasl mappings to the directory
  [28/47]: adding default layout
  [29/47]: adding delegation layout
  [30/47]: creating container for managed entries
  [31/47]: configuring user private groups
  [32/47]: configuring netgroups from hostgroups
  [33/47]: creating default Sudo bind user
  [34/47]: creating default Auto Member layout
  [35/47]: adding range check plugin
  [36/47]: creating default HBAC rule allow_all
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: creating certificate server user
  [2/30]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpQZfYSu' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information


[root@hp-dl380pgen8-02-vm-2 ~]# cat /var/log/audit/audit.log |audit2allow


#============= tomcat_t ==============
allow tomcat_t pki_tomcat_var_lib_t:dir { getattr search };
[root@hp-dl380pgen8-02-vm-2 ~]# 



[root@hp-dl380pgen8-02-vm-2 ~]# ausearch -m AVC -ts today
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.186:161): arch=c000003e syscall=4 success=no exit=-13 a0=21166f0 a1=7ffecb488d00 a2=7ffecb488d00 a3=8 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.186:161): avc:  denied  { search } for  pid=31687 comm="server" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:162): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=7461632f666e6f63 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.272:162): avc:  denied  { getattr } for  pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:163): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=fd items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.272:163): avc:  denied  { getattr } for  pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:164): arch=c000003e syscall=6 success=no exit=-13 a0=7f28be5f9c00 a1=7f28be5f8ad0 a2=7f28be5f8ad0 a3=fd items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.272:164): avc:  denied  { getattr } for  pid=31687 comm="java" path="/var/lib/pki/pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.272:165): arch=c000003e syscall=4 success=no exit=-13 a0=7f28b8117700 a1=7f28be5fb7a0 a2=7f28be5fb7a0 a3=7461632f666e6f63 items=0 ppid=1 pid=31687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.272:165): avc:  denied  { search } for  pid=31687 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.306:166): arch=c000003e syscall=4 success=no exit=-13 a0=17086f0 a1=7ffdbd661320 a2=7ffdbd661320 a3=8 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.306:166): avc:  denied  { search } for  pid=31720 comm="server" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.403:167): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba4184040 a1=7fcbaa951380 a2=7fcbaa951380 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.403:167): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.403:168): arch=c000003e syscall=83 success=no exit=-13 a0=7fcba4184040 a1=1ff a2=0 a3=7fcbaa9511b0 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.403:168): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1490704459.415:198): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.415:198): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:199): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:199): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:200): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:200): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:201): arch=c000003e syscall=21 success=no exit=-13 a0=7fcba41b2220 a1=4 a2=0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:201): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.416:202): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba41b2220 a1=7fcbaa9534a0 a2=7fcbaa9534a0 a3=7fcba9b31440 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.416:202): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.456:203): arch=c000003e syscall=4 success=no exit=-13 a0=7fcba42d9b10 a1=7fcbaa952f30 a2=7fcbaa952f30 a3=7265732f666e6f63 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.456:203): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
----
time->Tue Mar 28 08:34:19 2017
type=SYSCALL msg=audit(1490704459.456:204): arch=c000003e syscall=2 success=no exit=-13 a0=7fcba42d9b10 a1=0 a2=1b6 a3=7265732f666e6f63 items=0 ppid=1 pid=31720 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1490704459.456:204): avc:  denied  { search } for  pid=31720 comm="java" name="pki-tomcat" dev="dm-0" ino=34862178 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
[root@hp-dl380pgen8-02-vm-2 ~]#

Actual results:
ipa-server-install failing

Expected results:
ipa-server-install succeeds

Additional info:

Comment 4 Kaleem 2017-04-04 13:39:53 UTC
I reported https://bugzilla.redhat.com/show_bug.cgi?id=1438814 while verifying this, but I think the denials seen in https://bugzilla.redhat.com/show_bug.cgi?id=1438814#c0 should be fixed in this bug and we should close 1438814 as a duplicate of this bug.
Correct me if I am wrong here.

Comment 5 Lukas Vrabec 2017-04-04 15:00:39 UTC
Kaleem, 

You are right. I'll provide new build ASAP.

Comment 6 Lukas Vrabec 2017-04-04 15:01:11 UTC
*** Bug 1438814 has been marked as a duplicate of this bug. ***

Comment 7 Jan Pazdziora 2017-04-05 07:52:28 UTC
What is the correct Fixed In Version?

Comment 8 Lukas Vrabec 2017-04-05 12:35:53 UTC
Jan, 

It will be fixed in -139. Builds will be available today.

Comment 9 Lukas Vrabec 2017-04-05 12:38:25 UTC
*** Bug 1439187 has been marked as a duplicate of this bug. ***

Comment 11 Varun Mylaraiah 2017-04-07 04:51:04 UTC
Still seeing avc denied

selinux-policy version
======================
selinux-policy-3.13.1-140.el7.noarch

[root@auto-hv-02-guest05 ~]# cat /var/log/audit/audit.log|audit2allow
#============= sendmail_t ==============
allow sendmail_t sysctl_net_t:file { getattr open read };

#============= tomcat_t ==============
allow tomcat_t ipa_var_lib_t:dir getattr;
allow tomcat_t pki_tomcat_cert_t:lnk_file { read rename unlink };



[root@auto-hv-02-guest05 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Thu Apr  6 13:00:00 2017
type=PATH msg=audit(1491498000.026:403): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491498000.026:403):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.026:403): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.026:403): avc:  denied  { getattr } for  pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr  6 13:00:00 2017
type=PATH msg=audit(1491498000.033:404): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491498000.033:404):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.033:404): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:404): avc:  denied  { read } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 13:00:00 2017
type=PATH msg=audit(1491498000.033:405): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491498000.033:405): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491498000.033:405): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491498000.033:405): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491498000.033:405):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.033:405): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054010d40 a1=7f405400f4d0 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:405): avc:  denied  { rename } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 13:00:00 2017
type=PATH msg=audit(1491498000.034:406): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35031943 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491498000.034:406): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491498000.034:406):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491498000.034:406): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054010d40 a1=7f40540193c8 a2=0 a3=7f4022ef3050 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.034:406): avc:  denied  { unlink } for  pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 15:09:33 2017
type=PATH msg=audit(1491505773.319:456): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491505773.319:456):  cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491505773.319:456): arch=c000003e syscall=2 success=yes exit=13 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491505773.319:456): avc:  denied  { open } for  pid=27411 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491505773.319:456): avc:  denied  { read } for  pid=27411 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr  6 15:09:33 2017
type=SYSCALL msg=audit(1491505773.319:457): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fff09eba880 a2=7fff09eba880 a3=0 items=0 ppid=1126 pid=27411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491505773.319:457): avc:  denied  { getattr } for  pid=27411 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr  6 17:00:00 2017
type=PATH msg=audit(1491512400.016:493): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491512400.016:493):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.016:493): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.016:493): avc:  denied  { getattr } for  pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr  6 17:00:00 2017
type=PATH msg=audit(1491512400.021:494): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491512400.021:494):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:494): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:494): avc:  denied  { read } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 17:00:00 2017
type=PATH msg=audit(1491512400.021:495): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491512400.021:495): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491512400.021:495): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491512400.021:495): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491512400.021:495):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:495): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054011990 a1=7f40540119d0 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:495): avc:  denied  { rename } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 17:00:00 2017
type=PATH msg=audit(1491512400.021:496): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=35056407 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491512400.021:496): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491512400.021:496):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491512400.021:496): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054011990 a1=7f40540193c8 a2=0 a3=7f4061052440 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491512400.021:496): avc:  denied  { unlink } for  pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=35056407 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 18:09:31 2017
type=PATH msg=audit(1491516571.970:532): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491516571.970:532):  cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491516571.970:532): arch=c000003e syscall=2 success=yes exit=10 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491516571.970:532): avc:  denied  { open } for  pid=27515 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491516571.970:532): avc:  denied  { read } for  pid=27515 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr  6 18:09:31 2017
type=SYSCALL msg=audit(1491516571.970:533): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff09ec3590 a2=7fff09ec3590 a3=0 items=0 ppid=1126 pid=27515 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491516571.970:533): avc:  denied  { getattr } for  pid=27515 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr  6 21:00:00 2017
type=PATH msg=audit(1491526800.016:590): item=0 name="/var/lib/ipa" inode=885401 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ipa_var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1491526800.016:590):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.016:590): arch=c000003e syscall=6 success=yes exit=0 a0=7f4022ef1800 a1=7f4022ef06d0 a2=7f4022ef06d0 a3=5 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.016:590): avc:  denied  { getattr } for  pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr  6 21:00:00 2017
type=PATH msg=audit(1491526800.021:591): item=0 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=NORMAL
type=CWD msg=audit(1491526800.021:591):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:591): arch=c000003e syscall=89 success=yes exit=57 a0=7f4022ef1920 a1=7f4022eef7b0 a2=fff a3=7f4061052440 items=1 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:591): avc:  denied  { read } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 21:00:00 2017
type=PATH msg=audit(1491526800.021:592): item=3 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=CREATE
type=PATH msg=audit(1491526800.021:592): item=2 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491526800.021:592): item=1 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=PATH msg=audit(1491526800.021:592): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491526800.021:592):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:592): arch=c000003e syscall=82 success=yes exit=0 a0=7f4054012010 a1=7f4054012050 a2=0 a3=4 items=4 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:592): avc:  denied  { rename } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 21:00:00 2017
type=PATH msg=audit(1491526800.021:593): item=1 name="/var/lib/ipa/pki-ca/publish/MasterCRL.bin.old" inode=34363508 dev=fd:00 mode=0120777 ouid=17 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1491526800.021:593): item=0 name="/var/lib/ipa/pki-ca/publish/" inode=35031941 dev=fd:00 mode=040775 ouid=0 ogid=17 rdev=00:00 obj=system_u:object_r:pki_tomcat_cert_t:s0 objtype=PARENT
type=CWD msg=audit(1491526800.021:593):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1491526800.021:593): arch=c000003e syscall=87 success=yes exit=0 a0=7f4054012010 a1=7f40540193c8 a2=0 a3=7f4061052440 items=2 ppid=1 pid=23553 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491526800.021:593): avc:  denied  { unlink } for  pid=23553 comm="java" name="MasterCRL.bin.old" dev="dm-0" ino=34363508 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 22:09:32 2017
type=PATH msg=audit(1491530972.022:622): item=0 name="/proc/sys/net/ipv6/conf/all/disable_ipv6" inode=9583 dev=00:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1491530972.022:622):  cwd="/var/spool/mqueue"
type=SYSCALL msg=audit(1491530972.022:622): arch=c000003e syscall=2 success=yes exit=10 a0=7f504c7d84b0 a1=80000 a2=1b6 a3=24 items=1 ppid=1126 pid=27660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491530972.022:622): avc:  denied  { open } for  pid=27660 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491530972.022:622): avc:  denied  { read } for  pid=27660 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
time->Thu Apr  6 22:09:32 2017
type=SYSCALL msg=audit(1491530972.022:623): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7fff09ec3590 a2=7fff09ec3590 a3=0 items=0 ppid=1126 pid=27660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491530972.022:623): avc:  denied  { getattr } for  pid=27660 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
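
The audit2allow summary at the top of this comment collapses the denials into candidate rules but hides one detail a triager wants: whether the kernel actually blocked each call. The SYSCALL records here show success=yes beside every AVC denial, which is what a permissive domain (or a system in permissive mode) logs, whereas the records in the original report show success=no exit=-13, that is, enforced denials. The following Python script is an added example, not part of this bug report or of the selinux-policy package. It parses ausearch output in both the raw form shown here and the interpreted (ausearch -i) form shown in comment 98, groups denials into audit2allow-style rules, and reports per event whether the denial was enforced. The sample events are constructed, trimmed and modelled on entries in this bug.

```python
"""Triage SELinux AVC denials from `ausearch -m AVC` output.

Groups denials into audit2allow-style rules and records, per audit event,
whether the kernel refused the call (SYSCALL success=no) or only logged the
denial, as a permissive domain or permissive system does (success=yes).
"""
import re
from collections import defaultdict

# Constructed sample (trimmed, modelled on the ausearch output in this bug):
# three raw-format events from tomcat_t and sendmail_t whose syscalls still
# succeeded, and one `ausearch -i` style event from krb5kdc_t that was enforced.
SAMPLE = """\
----
time->Thu Apr  6 13:00:00 2017
type=SYSCALL msg=audit(1491498000.026:403): arch=c000003e syscall=6 success=yes exit=0 items=1 pid=23553 uid=17 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.026:403): avc:  denied  { getattr } for  pid=23553 comm="java" path="/var/lib/ipa" dev="dm-0" ino=885401 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Thu Apr  6 13:00:00 2017
type=SYSCALL msg=audit(1491498000.033:405): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=23553 uid=17 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1491498000.033:405): avc:  denied  { rename } for  pid=23553 comm="java" name="MasterCRL.bin" dev="dm-0" ino=35031943 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Thu Apr  6 15:09:33 2017
type=SYSCALL msg=audit(1491505773.319:456): arch=c000003e syscall=2 success=yes exit=13 items=1 pid=27411 uid=0 comm="sendmail" subj=system_u:system_r:sendmail_t:s0 key=(null)
type=AVC msg=audit(1491505773.319:456): avc:  denied  { open } for  pid=27411 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1491505773.319:456): avc:  denied  { read } for  pid=27411 comm="sendmail" name="disable_ipv6" dev="proc" ino=9583 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
type=SYSCALL msg=audit(05/24/2017 12:36:39.901:596) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) items=1 pid=8146 comm=krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(05/24/2017 12:36:39.901:596) : avc:  denied  { search } for  pid=8146 comm=krb5kdc name=ipa-client dev="dm-0" ino=50387022 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir
"""

# key=value pairs; values are either double-quoted or run to the next space
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission list inside `denied  { ... }`
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')
# the serial number at the end of msg=audit(<timestamp>:<serial>), in either format
EVENT_ID_RE = re.compile(r'msg=audit\([^)]*:(\d+)\)')


def _fields(line):
    """Return the key/value pairs of one audit record with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _type_of(context):
    """system_u:object_r:ipa_var_lib_t:s0 -> ipa_var_lib_t"""
    return context.split(':')[2]


def parse_events(text):
    """Group ausearch records into events keyed by audit serial number.

    Each event holds the SYSCALL outcome, the command, and its AVC denials as
    (source_type, target_type, tclass, frozenset(perms), object) tuples.
    """
    events = {}
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue  # '----' separators and time-> lines carry no record
        ev = events.setdefault(m.group(1), {'success': None, 'comm': None, 'avcs': []})
        f = _fields(line)
        if f.get('type') == 'SYSCALL':
            ev['success'] = f.get('success')
            ev['comm'] = f.get('comm')
        elif f.get('type') == 'AVC':
            perms = PERMS_RE.search(line).group(1).split()
            ev['avcs'].append((
                _type_of(f['scontext']), _type_of(f['tcontext']), f['tclass'],
                frozenset(perms), f.get('path') or f.get('name'),
            ))
    return events


def enforcement(event):
    """'enforced' if the kernel refused the call, 'permissive' if it only logged it."""
    if event['success'] == 'no':
        return 'enforced'
    if event['success'] == 'yes':
        return 'permissive'
    return 'unknown'  # AVC seen without its SYSCALL record


def allow_rules(events):
    """Collapse all denials into one audit2allow-style rule per (src, tgt, class)."""
    perms = defaultdict(set)
    for ev in events.values():
        for src, tgt, tclass, p, _obj in ev['avcs']:
            perms[(src, tgt, tclass)] |= p
    return [f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, tclass), p in sorted(perms.items())]


if __name__ == '__main__':
    evs = parse_events(SAMPLE)
    for serial, ev in sorted(evs.items(), key=lambda kv: int(kv[0])):
        for src, tgt, tclass, p, obj in ev['avcs']:
            print(f"{serial} {enforcement(ev):10} {ev['comm']}: "
                  f"{src} -> {tgt}:{tclass} {sorted(p)} {obj}")
    print("\n".join(allow_rules(evs)))
```

Running it on a real capture (`ausearch -m AVC -m USER_AVC -m SELINUX_ERR | python3 avc_triage.py`, after swapping SAMPLE for stdin) separates the denials that already break the installer from those that only show up because a domain is permissive, which is the distinction behind the later request in comment 99 to retry in permissive mode. The rules are a starting point for reviewing what the policy must allow, not something to load unreviewed, since a rule such as the one for pki_tomcat_cert_t lnk_file grants rename and unlink on certificate material.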

Comment 12 Varun Mylaraiah 2017-04-10 05:24:28 UTC
Still seeing AVC denied

selinux-policy version
======================
selinux-policy-3.13.1-141.el7.noarch

Log
===
http://lab-02.rhts.eng.bos.redhat.com/beaker/logs/results/266218+/266218664/test_log-ipa-install-topo-default-master-install-Master-in-Default-Topology-avc.log

Comment 14 Lukas Vrabec 2017-04-11 07:35:31 UTC
*** Bug 1438937 has been marked as a duplicate of this bug. ***

Comment 15 Lukas Vrabec 2017-04-11 07:35:54 UTC
*** Bug 1439137 has been marked as a duplicate of this bug. ***

Comment 16 Lukas Vrabec 2017-04-11 07:43:56 UTC
*** Bug 1439179 has been marked as a duplicate of this bug. ***

Comment 17 Lukas Vrabec 2017-04-12 10:20:30 UTC
*** Bug 1417846 has been marked as a duplicate of this bug. ***

Comment 28 Sudhir Menon 2017-04-19 05:01:28 UTC
Created attachment 1272470 [details]
AVC denials

Seeing AVC denials for /var/run/ipa/krb5cc_oddjob_trusts while running trust suites.

Comment 46 Simo Sorce 2017-04-21 13:18:27 UTC
Martin,
ipasession.key is not a session token, it is the key used to encrypt all ipa session cookies. So it cannot be stored in /var/run or sessions will be invalidated if the server is rebooted during maintenance. We could move the key to /var/lib/ipa/something I guess, but /etc/httpd/alias is where we stored long term keys before (certs and keytab) so it seemed the appropriate place for this key.

Comment 47 Jan Pazdziora 2017-04-22 07:54:15 UTC
The question is if /etc should be writable by the process configured with information in /etc. Yes, /etc unlike /usr does not have to be read-only, but it should hold configuration which is produced by some tools and consumed by others, not serve as read-write data and state storage for applications.

I guess that's the difference against certs and keytabs that are only read by the Web application and managed by ipa-server-install or certmonger, separately from httpd_t.

Comment 51 Simo Sorce 2017-04-24 17:29:11 UTC
About #49:
/var/lib/ipa/gssproxy/http.keytab is moved using python code from /etc/httpd/alias during upgrades.

About #50:
Although I understand your preference I would rather not move the key now to avoid too much churn upstream, which could introduce further issues, and use the second solution.

Comment 52 Lukas Vrabec 2017-04-25 20:54:21 UTC
*** Bug 1444864 has been marked as a duplicate of this bug. ***

Comment 69 Lukas Vrabec 2017-05-09 12:14:34 UTC
*** Bug 1443557 has been marked as a duplicate of this bug. ***

Comment 89 Pavel Vomacka 2017-05-18 12:21:11 UTC
*** Bug 1451695 has been marked as a duplicate of this bug. ***

Comment 93 thierry bordaz 2017-05-18 15:17:25 UTC
*** Bug 1449735 has been marked as a duplicate of this bug. ***

Comment 98 Martin Babinsky 2017-05-24 16:43:19 UTC
We would need SELinux policy updates for incoming ipa-server build due to re-structuring CA certificate access for KDC service (see the following AVCs):

'''
----
type=PROCTITLE msg=audit(05/24/2017 12:36:39.901:596) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
type=PATH msg=audit(05/24/2017 12:36:39.901:596) : item=0 name=/var/lib/ipa-client/pki/kdc-ca-bundle.pem objtype=UNKNOWN 
type=CWD msg=audit(05/24/2017 12:36:39.901:596) :  cwd=/ 
type=SYSCALL msg=audit(05/24/2017 12:36:39.901:596) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x559eb83a5e55 a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=8146 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null) 
type=AVC msg=audit(05/24/2017 12:36:39.901:596) : avc:  denied  { search } for  pid=8146 comm=krb5kdc name=ipa-client dev="dm-0" ino=50387022 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir 
----
type=PROCTITLE msg=audit(05/24/2017 12:37:15.870:601) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
type=PATH msg=audit(05/24/2017 12:37:15.870:601) : item=0 name=/etc/selinux/config inode=50485346 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 objtype=NORMAL 
type=CWD msg=audit(05/24/2017 12:37:15.870:601) :  cwd=/ 
type=SYSCALL msg=audit(05/24/2017 12:37:15.870:601) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f9981ce205b a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=8158 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null) 
type=AVC msg=audit(05/24/2017 12:37:15.870:601) : avc:  denied  { open } for  pid=8158 comm=krb5kdc path=/etc/selinux/config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file 
type=AVC msg=audit(05/24/2017 12:37:15.870:601) : avc:  denied  { read } for  pid=8158 comm=krb5kdc name=config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(05/24/2017 12:37:15.870:602) : proctitle=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid 
type=SYSCALL msg=audit(05/24/2017 12:37:15.870:602) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7fffefa1cd90 a2=0x7fffefa1cd90 a3=0x8 items=0 ppid=1 pid=8158 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=krb5kdc exe=/usr/sbin/krb5kdc subj=system_u:system_r:krb5kdc_t:s0 key=(null) 
type=AVC msg=audit(05/24/2017 12:37:15.870:602) : avc:  denied  { getattr } for  pid=8158 comm=krb5kdc path=/etc/selinux/config dev="dm-0" ino=50485346 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
'''

Should I open a separate BZ for that?

Comment 99 Lukas Vrabec 2017-06-01 13:08:44 UTC
Martin, 

Could you try this scenario with SELinux in permissive mode? 

Thanks.

Comment 102 Lukas Vrabec 2017-06-02 08:03:59 UTC
*** Bug 1457944 has been marked as a duplicate of this bug. ***

Comment 105 Lukas Vrabec 2017-06-05 12:44:58 UTC
*** Bug 1458420 has been marked as a duplicate of this bug. ***

Comment 109 Standa Laznicka 2017-06-08 10:23:01 UTC
Hello Lukas,
I am still seeing these AVC denials. These must have been forgotten about; they appear when a user logs in to the IPA Web UI. Sorry about that.

----
time->Thu Jun  8 12:16:21 2017
type=SYSCALL msg=audit(1496916981.507:211514): arch=c000003e syscall=2 success=no exit=-13 a0=7f600cf64275 a1=0 a2=1b6 a3=24 items=0 ppid=50288 pid=50665 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916981.507:211514): avc:  denied  { read } for  pid=50665 comm="kinit" name="kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Thu Jun  8 12:16:37 2017
type=SYSCALL msg=audit(1496916997.693:211522): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffefdb608f0 a2=7ffefdb608f0 a3=0 items=0 ppid=50288 pid=50670 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916997.693:211522): avc:  denied  { getattr } for  pid=50670 comm="kinit" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
----
time->Thu Jun  8 12:16:37 2017
type=SYSCALL msg=audit(1496916997.693:211521): arch=c000003e syscall=2 success=yes exit=3 a0=7f2d4a064275 a1=0 a2=1b6 a3=24 items=0 ppid=50288 pid=50670 auid=4294967295 uid=387 gid=387 euid=387 suid=387 fsuid=387 egid=387 sgid=387 fsgid=387 tty=(none) ses=4294967295 comm="kinit" exe="/usr/bin/kinit" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1496916997.693:211521): avc:  denied  { open } for  pid=50670 comm="kinit" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1496916997.693:211521): avc:  denied  { read } for  pid=50670 comm="kinit" name="kdc-ca-bundle.pem" dev="dm-0" ino=1181 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file


VERSIONS:
ipa-server-4.5.0-16.el7.x86_64
selinux-policy-3.13.1-160.el7.noarch
selinux-policy-targeted-3.13.1-160.el7.noarch

Comment 113 Scott Poore 2017-06-15 14:15:48 UTC
This was missed until now. This was seen while authenticating with a smart card on an IPA Client.


time->Thu Jun 15 08:08:03 2017
type=PROCTITLE msg=audit(1497535683.475:17558): proctitle=2F7573722F6C6962657865632F737373642F6B7262355F6368696C64002D2D64656275672D6D6963726F7365636F6E64733D30002D2D64656275672D74696D657374616D70733D31002D2D64656275672D66643D3138002D2D64656275672D6C6576656C3D307866376630002D2D63616E6F6E6963616C697A65002D2D666173
type=SYSCALL msg=audit(1497535683.475:17558): arch=c000003e syscall=2 success=yes exit=4 a0=55e6a50b6815 a1=0 a2=1b6 a3=24 items=0 ppid=2271 pid=21804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1497535683.475:17558): avc:  denied  { open } for  pid=21804 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1497535683.475:17558): avc:  denied  { read } for  pid=21804 comm="krb5_child" name="kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file

----

time->Thu Jun 15 08:08:03 2017
type=PROCTITLE msg=audit(1497535683.475:17559): proctitle=2F7573722F6C6962657865632F737373642F6B7262355F6368696C64002D2D64656275672D6D6963726F7365636F6E64733D30002D2D64656275672D74696D657374616D70733D31002D2D64656275672D66643D3138002D2D64656275672D6C6576656C3D307866376630002D2D63616E6F6E6963616C697A65002D2D666173
type=SYSCALL msg=audit(1497535683.475:17559): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff26bc8940 a2=7fff26bc8940 a3=0 items=0 ppid=2271 pid=21804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1497535683.475:17559): avc:  denied  { getattr } for  pid=21804 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file

2017-06-15 08:13:38 MDT
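The denials pasted in Comments 109 and 113 (and the krb5kdc ones earlier in the thread) come in two shapes: raw audit.log records with epoch timestamps and a hex-encoded PROCTITLE, and ausearch -i interpreted records with plain-text timestamps and proctitle. The following Python is an added triage helper, not code from this bug or from the selinux-policy or FreeIPA projects: it parses both forms, decodes the hex proctitle, and collapses the denials into audit2allow-style rule lines keyed by source type, target type and object class. The sample records are constructed to mirror the ones quoted in the thread (the hex argv is shortened to the first two arguments); the function names are this example's own.

```python
"""Parse SELinux AVC denial records and summarize what each confined domain asked for."""
import re
from collections import defaultdict

# Constructed sample in the two shapes seen in this bug: raw audit.log lines
# (epoch stamp, hex PROCTITLE) and an ausearch -i interpreted line.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1497535683.475:17558): proctitle=2F7573722F6C6962657865632F737373642F6B7262355F6368696C64002D2D63616E6F6E6963616C697A65
type=SYSCALL msg=audit(1497535683.475:17558): arch=c000003e syscall=2 success=yes exit=4 comm="krb5_child" exe="/usr/libexec/sssd/krb5_child" subj=system_u:system_r:sssd_t:s0 key=(null)
type=AVC msg=audit(1497535683.475:17558): avc:  denied  { open } for  pid=21804 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1497535683.475:17558): avc:  denied  { read } for  pid=21804 comm="krb5_child" name="kdc-ca-bundle.pem" dev="dm-0" ino=202435482 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:realmd_var_lib_t:s0 tclass=file
type=AVC msg=audit(05/24/2017 12:36:39.901:596) : avc:  denied  { search } for  pid=8146 comm=krb5kdc name=ipa-client dev="dm-0" ino=50387022 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:realmd_var_lib_t:s0 tclass=dir
"""

# "msg=audit(STAMP):" in raw form, "msg=audit(STAMP) :" in interpreted form.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\)\s*:\s*avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
PROCTITLE_RE = re.compile(
    r"type=PROCTITLE msg=audit\((?P<stamp>[^)]*)\)\s*:\s*proctitle=(?P<title>.*)"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _event_id(stamp):
    """Serial after the last ':' ("1497535683.475:17558" -> "17558", also for the interpreted form)."""
    return stamp.rsplit(":", 1)[-1]


def _type_of(context):
    """user:role:type[:level] -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def decode_proctitle(value):
    """Raw audit.log hex-encodes proctitle (argv joined by NUL); ausearch -i shows plain text."""
    value = value.strip()
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        raw = bytes.fromhex(value)
        return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p)
    return value


def parse_avc_records(text):
    """Return one dict per AVC line, joined to the PROCTITLE of the same audit event."""
    lines = [ln.strip() for ln in text.splitlines()]
    titles = {}
    for ln in lines:  # first pass: PROCTITLE may precede or follow the AVC lines
        m = PROCTITLE_RE.match(ln)
        if m:
            titles[_event_id(m.group("stamp"))] = decode_proctitle(m.group("title"))
    records = []
    for ln in lines:
        m = AVC_RE.match(ln)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        event = _event_id(m.group("stamp"))
        records.append({
            "event": event,
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", ""),
            "target": fields.get("path") or fields.get("name", ""),
            "stype": _type_of(fields.get("scontext", "")),
            "ttype": _type_of(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", ""),
            "proctitle": titles.get(event, ""),
        })
    return records


def summarize_rules(records):
    """Collapse denials into audit2allow-style lines, one per (source type, target type, class)."""
    perms = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for r in recs:
        print(r["event"], r["comm"], r["perms"], r["stype"], "->", r["ttype"], r["tclass"], r["target"])
    print("\n".join(summarize_rules(recs)))
```

The rule summary is a triage view of what the confined domains requested (here sssd_t and krb5kdc_t against realmd_var_lib_t), not the fix itself: whether the right change is a policy rule, as the selinux-policy errata for this bug delivered, or a different file context for the bundle is the policy maintainer's call, and running the scenario in permissive mode, as asked in Comment 99, is the quick way to confirm which denial actually blocks the operation.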

Comment 116 Abhijeet Kasurde 2017-06-28 07:49:39 UTC
Verified using IPA build : ipa-server-4.5.0-20.el7.x86_64

Marking BZ as verified as no AVC seen after installation of IPA server.

Comment 118 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

