Bug 1447436 - HSM related denial with Red Hat Cert System
Summary: HSM related denial with Red Hat Cert System
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1445519
Reported: 2017-05-02 19:05 UTC by Jack Magne
Modified: 2017-08-01 15:26 UTC (History)

Fixed In Version: selinux-policy-3.13.1-152.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:26:23 UTC
Target Upstream Version:
Embargoed:


Attachments
Audit log for the CA install with HSM throwing AVC messages. (17.67 KB, text/plain), 2017-05-17 22:32 UTC, Asha Akkiangady


Links
Red Hat Product Errata RHBA-2017:1861 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Description Jack Magne 2017-05-02 19:05:22 UTC
Description of problem:

Red Hat Certificate System must be able to access various HSM hardware tokens in order to perform sensitive crypto operations.

We currently have a bug where we can't install an instance of our CA server using any HSM we support, LunaSA or nCipher.


Version-Release number of selected component (if applicable):

We tested this with selinux-policy-targeted-3.13.1-147.el7.noarch and libselinux-2.5-11.el7. We wanted to make sure this was still a problem with the latest we could find.

How reproducible:

Always

Steps to Reproduce:
1. Simply attempt to install a CA server using some hsm module.
2. Observe a failure to find the pkcs#11 token in question in the installation log of RHCS.
3. Make sure selinux is in enforcing mode.

Actual results:

The server fails to install, because it cannot find the pkcs#11 module associated with the HSM. The only module the installer can recognize is the NSS "internal" software module.

Expected results:

A complete install of RHCS CA subsystem.


Additional info:

Putting selinux in permissive mode causes the installation to complete successfully.

More info:

The server is a tomcat webapp. This problem appears to be specific to java UNDER tomcat. This is because we have some pure java command line tools that do not show this issue.

Piece of CA installer file having to do with the hsm:

[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000-OCS
pki_token_password=xxxxxxxxx

Sample denial:

time->Tue May  2 03:34:36 2017
type=SYSCALL msg=audit(1493688876.988:458325): arch=c000003e syscall=2 success=no exit=-13 a0=7f69cc73a660 a1=80000 a2=7f69cc6ea250 a3=6b6362696c2f3131 items=0 ppid=1 pid=19365 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1493688876.988:458325): avc:  denied  { search } for  pid=19365 comm="java" name="nfast" dev="dm-0" ino=566293 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir


time->Tue May  2 02:19:52 2017
type=SYSCALL msg=audit(1493684392.741:457407): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7fa46fa0f8a0 a2=6e a3=7fa46fa0f580 items=0 ppid=1 pid=16959 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1493684392.741:457407): avc:  denied  { connectto } for  pid=16959 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1493684392.741:457407): avc:  denied  { write } for  pid=16959 comm="java" name="nserver" dev="dm-0" ino=18216682 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=sock_file
----
time->Tue May  2 02:20:04 2017
type=SYSCALL msg=audit(1493684404.415:457410): arch=c000003e syscall=257 success=yes exit=75 a0=ffffffffffffff9c a1=7fa4680f0440 a2=90800 a3=0 items=0 ppid=1 pid=16959 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-9.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1493684404.415:457410): avc:  denied  { open } for  pid=16959 comm="java" path="/opt/nfast/kmdata/local" dev="dm-0" ino=26010226 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1493684404.415:457410): avc:  denied  { read } for  pid=16959 comm="java" name="local" dev="dm-0" ino=26010226 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir

Comment 5 Asha Akkiangady 2017-05-10 19:34:47 UTC
I have the following SELinux packages on the system:
selinux-policy-3.13.1-148.el7.noarch
selinux-policy-targeted-3.13.1-148.el7.noarch

Installing the CA server using an HSM shows the following denial:

time->Wed May 10 15:24:30 2017
type=PROCTITLE msg=audit(1494444270.438:2123): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494444270.438:2123): arch=c000003e syscall=2 success=no exit=-13 a0=7f5418686850 a1=80000 a2=7f5418674dd0 a3=6b6362696c2f3131 items=0 ppid=1 pid=14233 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494444270.438:2123): avc:  denied  { read } for  pid=14233 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file

Comment 6 Asha Akkiangady 2017-05-11 16:21:18 UTC
Hi Lukas,
When I put the system in permissive mode and install the CA, it throws the following AVC denials. Could you please make sure all of them are taken care of?
Thanks,
Asha

----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:131): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:131): arch=c000003e syscall=2 success=yes exit=74 a0=7f6c907265e0 a1=80000 a2=7f6c90714b60 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:131): avc:  denied  { open } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517785.103:131): avc:  denied  { read } for  pid=14057 comm="java" name="libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.103:132): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.103:132): arch=c000003e syscall=5 success=yes exit=0 a0=4a a1=7f6c99f889c0 a2=7f6c99f889c0 a3=6b6362696c2f3131 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.103:132): avc:  denied  { getattr } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.104:133): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.104:133): arch=c000003e syscall=9 success=yes exit=140103743201280 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.104:133): avc:  denied  { execute } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:49:45 2017
type=PROCTITLE msg=audit(1494517785.105:134): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517785.105:134): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7f6c99f88890 a2=6e a3=7f6c99f88570 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517785.105:134): avc:  denied  { connectto } for  pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:49:51 2017
type=PROCTITLE msg=audit(1494517791.745:135): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517791.745:135): arch=c000003e syscall=257 success=yes exit=75 a0=ffffffffffffff9c a1=7f6c901343b0 a2=90800 a3=0 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517791.745:135): avc:  denied  { read } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:136): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:136): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c361660 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write open } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { create } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { add_name } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.608:137): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.608:137): arch=c000003e syscall=5 success=yes exit=0 a0=7f a1=7f6c4fef6ef0 a2=7f6c4fef6ef0 a3=1 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.608:137): avc:  denied  { getattr } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.609:138): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.609:138): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c361660 a1=7f6c5c358b50 a2=fffffffffffffef0 a3=7f6c4fef6d60 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.609:138): avc:  denied  { rename } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.609:138): avc:  denied  { remove_name } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:139): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:139): arch=c000003e syscall=2 success=yes exit=127 a0=7f6c5c35cbe0 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:139): avc:  denied  { read } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:50:46 2017
type=PROCTITLE msg=audit(1494517846.650:140): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517846.650:140): arch=c000003e syscall=82 success=yes exit=0 a0=7f6c5c35df30 a1=7f6c5c35cbe0 a2=7f6c5c000078 a3=7a items=0 ppid=1 pid=14057 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517846.650:140): avc:  denied  { unlink } for  pid=14057 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:06 2017
type=PROCTITLE msg=audit(1494517866.457:144): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517866.457:144): arch=c000003e syscall=42 success=yes exit=0 a0=4a a1=7fbe6c118890 a2=6e a3=7fbe6c118570 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517866.457:144): avc:  denied  { connectto } for  pid=14476 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:146): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:146): arch=c000003e syscall=5 success=yes exit=0 a0=4c a1=7fbe6c118ab0 a2=7fbe6c118ab0 a3=0 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:146): avc:  denied  { getattr } for  pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
----
time->Thu May 11 11:51:13 2017
type=PROCTITLE msg=audit(1494517873.406:145): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1494517873.406:145): arch=c000003e syscall=2 success=yes exit=76 a0=7fbe64160c20 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=14476 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1494517873.406:145): avc:  denied  { open } for  pid=14476 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517873.406:145): avc:  denied  { read } for  pid=14476 comm="java" name="key_pkcs11_ucdf32e4c01b41d2f7a653126c9f2f75700a1ce00a-3903fbe33a4e077beaa209a403a2930e48cb6ce3" dev="dm-0" ino=69219270 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file

Comment 7 Lukas Vrabec 2017-05-12 12:23:51 UTC
Hi, 

These AVCs will be fixed in next selinux-policy build.

Comment 11 Asha Akkiangady 2017-05-17 22:32:15 UTC
Created attachment 1279819 [details]
Audit log for the CA install with HSM throwing AVC messages.

Comment 12 Asha Akkiangady 2017-05-17 22:33:55 UTC
I've installed selinux-policy-3.13.1-149.el7 on a RHEL 7.4 Server x86_64 system; CA installation with HSM results in the same AVCs as above. Audit log attached.

#  audit2allow -i /var/log/audit/audit.log


#============= tomcat_t ==============

#!!!! The file '/opt/nfast/sockets/nserver' is mislabeled on your system.  
#!!!! Fix with $ restorecon -R -v /opt/nfast/sockets/nserver
allow tomcat_t initrc_t:unix_stream_socket connectto;
allow tomcat_t pki_common_t:dir { add_name read remove_name write };
allow tomcat_t pki_common_t:file { create execute rename unlink write };


I applied the restorecon; the AVCs recur.

Re-opening the bug.

Comment 13 Lukas Vrabec 2017-05-18 11:38:55 UTC
Asha, 

I added the following rules to the tomcat_t policy:
allow tomcat_t pki_common_t:dir { add_name read remove_name write };
allow tomcat_t pki_common_t:file { create execute rename unlink write };

But could you attach the output of the ps command when you catch these AVCs?

1. Please run tests
2. run: # ps -efZ | grep initrc_t

Thanks. 
Lukas.
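
Added worked example (editor's addition, not code from this bug report, from selinux-policy or from audit2allow): a small Python triage script that parses the AVC records quoted in comment 6 and comment 18, merges them per source type, target type and object class into allow rules of the shape audit2allow printed in comment 12, and flags the two targets that are not simply "missing rule" cases: the connectto to a peer running in initrc_t (the reason comment 13 asks for ps -efZ) and the name_connect to an unlabelled TCP port. The sample log is constructed from this bug's records with the long key_pkcs11_<hash> file names shortened; the triage heuristics are the editor's, not the project's.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from comment 6 and comment 18 of this
# bug, with the long key_pkcs11_<hash> file names shortened for readability.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1494517785.105:134): avc:  denied  { connectto } for  pid=14057 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1494517785.104:133): avc:  denied  { execute } for  pid=14057 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33571641 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517791.745:135): avc:  denied  { read } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write open } for  pid=14057 comm="java" path="/opt/nfast/kmdata/local/key_pkcs11_EXAMPLE.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { create } for  pid=14057 comm="java" name="key_pkcs11_EXAMPLE.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.608:136): avc:  denied  { add_name } for  pid=14057 comm="java" name="key_pkcs11_EXAMPLE.new" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.608:136): avc:  denied  { write } for  pid=14057 comm="java" name="local" dev="dm-0" ino=69042662 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.609:138): avc:  denied  { rename } for  pid=14057 comm="java" name="key_pkcs11_EXAMPLE.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1494517846.609:138): avc:  denied  { remove_name } for  pid=14057 comm="java" name="key_pkcs11_EXAMPLE.new" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=dir
type=AVC msg=audit(1494517846.650:140): avc:  denied  { unlink } for  pid=14057 comm="java" name="key_pkcs11_EXAMPLE" dev="dm-0" ino=67518191 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:pki_common_t:s0 tclass=file
type=AVC msg=audit(1495179866.490:123246): avc:  denied  { name_connect } for  pid=20597 comm="java" dest=1792 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1495179866.490:123246): arch=c000003e syscall=42 success=no exit=-115 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
"""

# Only "type=AVC ... denied { perms } for key=value ..." records are of interest;
# SYSCALL and PROCTITLE records that share the same audit serial are skipped.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third component) of a user:role:type:level context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # path= appears for opened objects, name= for directory entries,
        # dest= for ports; fall back in that order.
        'target': fields.get('path') or fields.get('name') or fields.get('dest', '?'),
    }


def allow_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules,
    the same shape audit2allow prints: one rule per triple, permissions merged."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else '{ %s }' % ' '.join(ordered)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def triage_hints(log_text):
    """Flag denials that point at a labeling question rather than a missing rule
    (editor's heuristics, derived from what this bug's comments discuss)."""
    hints = []
    seen = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec:
            continue
        key = (rec['ttype'], rec['tclass'], rec['target'])
        if key in seen:
            continue
        seen.add(key)
        if rec['tclass'] == 'unix_stream_socket' and rec['ttype'] == 'initrc_t':
            # The peer daemon (here the nCipher hardserver, see comment 16) runs
            # in the generic initrc_t domain; confirm that before allowing it.
            hints.append('%s: peer process runs in initrc_t; check with '
                         '"ps -efZ | grep initrc_t"' % rec['target'])
        elif rec['ttype'] == 'unreserved_port_t':
            # The port carries no policy-defined port type; compare the expected
            # label with "semanage port -l" before allowing name_connect on it.
            hints.append('port %s: no SELinux port label (unreserved_port_t)'
                         % rec['target'])
    return hints


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
    for hint in triage_hints(SAMPLE_AUDIT_LOG):
        print('# hint:', hint)
```

The file rule the sample produces also contains open, because the constructed sample takes the { write open } record from comment 6, whereas the audit2allow run in comment 12 was against a later policy build that already allowed it.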

Comment 16 Asha Akkiangady 2017-05-18 15:07:34 UTC
Hi Lukas,
Here is the ps command output after the test run:
# ps -efZ | grep initrc_t
unconfined_u:system_r:initrc_t:s0 nfast  15419     1  0 May17 ?        00:00:11 ../sbin/hardserver -p hardserver.pid -Lhardserver.log
unconfined_u:system_r:initrc_t:s0 nfast  15422 15419  0 May17 ?        00:00:00 ../sbin/hardserver --spawn-svc
unconfined_u:system_r:initrc_t:s0 root   15460     1  0 May17 ?        00:00:00 su raserv -c          set -e         echo $$ >raserv.pid         exec ../sbin/raserv -Lraserv.log 
unconfined_u:system_r:initrc_t:s0 raserv 15463 15460  0 May17 ?        00:00:01 ../sbin/raserv -Lraserv.log
unconfined_u:system_r:initrc_t:s0 ncsnmpd 15514    1  0 May17 ?        00:00:01 ../sbin/snmpd -p /opt/nfast/log/ncsnmpd.pid -Lf /opt/nfast/log/ncsnmpd.log -A
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19704 13189  0 11:07 pts/1 00:00:00 grep --color=auto initrc_t

Thanks,
Asha

Comment 18 Asha Akkiangady 2017-05-19 08:01:28 UTC
I tested with selinux-policy-3.13.1-151.el7 on a RHEL 7.4 x86_64 system with Thales and LunaSA HSMs. It still did not work.

CA installation with the Thales HSM shows the following AVCs:
----
time->Fri May 19 03:01:44 2017
type=PROCTITLE msg=audit(1495177304.229:856): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177304.229:856): arch=c000003e syscall=9 success=yes exit=139660883202048 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=15224 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177304.229:856): avc:  denied  { execute } for  pid=15224 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33565238 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Fri May 19 03:01:44 2017
type=PROCTITLE msg=audit(1495177304.230:857): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177304.230:857): arch=c000003e syscall=42 success=yes exit=0 a0=4b a1=7f057d617890 a2=6e a3=7f057d617570 items=0 ppid=1 pid=15224 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177304.230:857): avc:  denied  { connectto } for  pid=15224 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Fri May 19 03:03:11 2017
type=PROCTITLE msg=audit(1495177391.415:861): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177391.415:861): arch=c000003e syscall=9 success=yes exit=140645169864704 a0=0 a1=49c8c0 a2=5 a3=802 items=0 ppid=1 pid=15642 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177391.415:861): avc:  denied  { execute } for  pid=15642 comm="java" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="dm-0" ino=33565238 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file
----
time->Fri May 19 03:03:11 2017
type=PROCTITLE msg=audit(1495177391.417:862): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1495177391.417:862): arch=c000003e syscall=42 success=yes exit=0 a0=4b a1=7feac3a38890 a2=6e a3=7feac3a38570 items=0 ppid=1 pid=15642 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-7.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495177391.417:862): avc:  denied  { connectto } for  pid=15642 comm="java" path="/opt/nfast/sockets/nserver" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket



CA installation with the Lunasa HSM shows the following AVCs:
----
time->Fri May 19 03:44:26 2017
type=SYSCALL msg=audit(1495179866.490:123246): arch=c000003e syscall=42 success=no exit=-115 a0=4a a1=7f3f41906b60 a2=10 a3=7f3f419059e0 items=0 ppid=1 pid=20597 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495179866.490:123246): avc:  denied  { name_connect } for  pid=20597 comm="java" dest=1792 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----
time->Fri May 19 03:45:38 2017
type=SYSCALL msg=audit(1495179938.443:123250): arch=c000003e syscall=42 success=no exit=-115 a0=4a a1=7fbf3e07db60 a2=10 a3=7fbf3e07c9e0 items=0 ppid=1 pid=21070 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495179938.443:123250): avc:  denied  { name_connect } for  pid=21070 comm="java" dest=1792 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Comment 23 Asha Akkiangady 2017-06-09 17:15:55 UTC
Tested RHCS installs with nCipher and Lunasa HSMs using selinux-policy-3.13.1-160.el7; no AVCs found.

# rpm -q selinux-policy selinux-policy-targeted pki-ca
selinux-policy-3.13.1-160.el7.noarch
selinux-policy-targeted-3.13.1-160.el7.noarch
pki-ca-10.4.1-8.el7.noarch

Marking the bug verified.

Comment 24 errata-xmlrpc 2017-08-01 15:26:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

