Bug 1458420 - AVC denials during RHCS subsystems install
Summary: AVC denials during RHCS subsystems install
Keywords:
Status: CLOSED DUPLICATE of bug 1436689
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-02 19:41 UTC by Asha Akkiangady
Modified: 2020-10-04 21:31 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-05 12:44:58 UTC
Target Upstream Version:
Embargoed:

Links
System ID: Github dogtagpki pki issues 2845 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2020-10-04 21:31:41 UTC

Description Asha Akkiangady 2017-06-02 19:41:20 UTC
Description of problem:
pkispawn of RHCS subsystems shows AVC denials for /usr/sbin/ldconfig.

Version-Release number of selected component (if applicable):
pki-server-10.4.1-7.el7.noarch
selinux-policy-3.13.1-157.el7.noarch

How reproducible:


Steps to Reproduce:
1. pkispawn a CA instance with internal soft token.
2. Installation is successful.


Actual results:
3. The following AVCs are thrown:

time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:90): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:90): arch=c000003e syscall=59 success=no exit=-13 a0=1517250 a1=15165a0 a2=1515960 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:90): avc:  denied  { execute } for  pid=11541 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:91): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:91): arch=c000003e syscall=4 success=no exit=-13 a0=1517250 a1=7ffe07dfb0e0 a2=7ffe07dfb0e0 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:91): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.546:92): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:92): arch=c000003e syscall=4 success=no exit=-13 a0=1517250 a1=7ffe07dfb0c0 a2=7ffe07dfb0c0 a3=7ffe07dfaea0 items=0 ppid=11540 pid=11541 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:92): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:93): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:93): arch=c000003e syscall=59 success=no exit=-13 a0=2116250 a1=21155a0 a2=2114960 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:93): avc:  denied  { execute } for  pid=11547 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:94): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:94): arch=c000003e syscall=4 success=no exit=-13 a0=2116250 a1=7ffc72521cb0 a2=7ffc72521cb0 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:94): avc:  denied  { getattr } for  pid=11547 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:41:48 2017
type=PROCTITLE msg=audit(1496414508.557:95): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.557:95): arch=c000003e syscall=4 success=no exit=-13 a0=2116250 a1=7ffc72521c90 a2=7ffc72521c90 a3=7ffc72521a70 items=0 ppid=11546 pid=11547 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.557:95): avc:  denied  { getattr } for  pid=11547 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:99): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:99): arch=c000003e syscall=59 success=no exit=-13 a0=f5d250 a1=f5c5a0 a2=f5b960 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:99): avc:  denied  { execute } for  pid=12207 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:100): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:100): arch=c000003e syscall=4 success=no exit=-13 a0=f5d250 a1=7ffce84fd030 a2=7ffce84fd030 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:100): avc:  denied  { getattr } for  pid=12207 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.209:101): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.209:101): arch=c000003e syscall=4 success=no exit=-13 a0=f5d250 a1=7ffce84fd010 a2=7ffce84fd010 a3=7ffce84fcdf0 items=0 ppid=12206 pid=12207 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.209:101): avc:  denied  { getattr } for  pid=12207 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:102): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:102): arch=c000003e syscall=59 success=no exit=-13 a0=1eb6250 a1=1eb55a0 a2=1eb4960 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:102): avc:  denied  { execute } for  pid=12213 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:103): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:103): arch=c000003e syscall=4 success=no exit=-13 a0=1eb6250 a1=7ffdefdd3da0 a2=7ffdefdd3da0 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:103): avc:  denied  { getattr } for  pid=12213 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Fri Jun  2 10:42:17 2017
type=PROCTITLE msg=audit(1496414537.219:104): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414537.219:104): arch=c000003e syscall=4 success=no exit=-13 a0=1eb6250 a1=7ffdefdd3d80 a2=7ffdefdd3d80 a3=7ffdefdd3b60 items=0 ppid=12212 pid=12213 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414537.219:104): avc:  denied  { getattr } for  pid=12213 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

Expected results:
AVC denials should not occur.

Additional info:

Comment 2 Ade Lee 2017-06-02 21:03:52 UTC
Doing an audit2allow on these gives:

#============= pki_tomcat_t ==============
allow pki_tomcat_t ldconfig_exec_t:file { execute getattr };


This should be added to the policy by the selinux-policy group.

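The audit records in the description carry more than the denial itself: the hex PROCTITLE decodes to the exact command the pki_tomcat_t process ran, and the AVC fields name the source type, target type, object class and permissions that audit2allow folds into the allow rule quoted in comment 2. The following Python script is an added example, not code from the bug report or from the pki or selinux-policy projects. It parses a constructed sample copied in shape from the records above (events 90 and 91), decodes the proctitle, pairs each denial with the command line that caused it, and regenerates the same allow rule, so a policy reviewer can see what was actually attempted before deciding whether that rule, or a narrower one, belongs in the policy.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the audit records in the bug report:
# event 90 (execve of ldconfig denied) with its PROCTITLE and SYSCALL context,
# event 91 (getattr on ldconfig denied) with its PROCTITLE.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1496414508.546:90): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=SYSCALL msg=audit(1496414508.546:90): arch=c000003e syscall=59 success=no exit=-13 ppid=11540 pid=11541 uid=17 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496414508.546:90): avc:  denied  { execute } for  pid=11541 comm="sh" name="ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=PROCTITLE msg=audit(1496414508.546:91): proctitle=7368002D63002F7362696E2F6C64636F6E666967202D7020323E2F6465762F6E756C6C
type=AVC msg=audit(1496414508.546:91): avc:  denied  { getattr } for  pid=11541 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=33577980 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NULs or shell
    metacharacters and double-quotes it otherwise; return argv joined by spaces."""
    if value.startswith('"'):
        return value.strip('"')
    argv = bytes.fromhex(value).split(b"\0")
    return " ".join(a.decode("utf-8", "replace") for a in argv if a)


def parse_fields(text):
    """key=value pairs of one record, with surrounding double quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """user:role:type:level -> type (the part a policy rule names)."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Return (avcs, cmdlines): one dict per AVC record, and serial -> decoded proctitle."""
    avcs, cmdlines = [], {}
    for line in text.splitlines():
        if not line.startswith("type="):
            continue
        rectype = line.split(None, 1)[0][len("type="):]
        m = MSG_RE.search(line)
        serial = int(m.group("serial")) if m else None
        if rectype == "PROCTITLE":
            cmdlines[serial] = decode_proctitle(parse_fields(line).get("proctitle", ""))
        elif rectype == "AVC":
            am = AVC_RE.search(line)
            if am is None:
                continue
            f = parse_fields(am.group("rest"))
            avcs.append({
                "serial": serial,
                "verdict": am.group("verdict"),
                "perms": set(am.group("perms").split()),
                "stype": context_type(f["scontext"]),
                "ttype": context_type(f["tcontext"]),
                "tclass": f["tclass"],
                "comm": f.get("comm", "?"),
                "target": f.get("path") or f.get("name") or "?",
            })
    return avcs, cmdlines


def summarize_denials(avcs):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for a in avcs:
        if a["verdict"] == "denied":
            rules[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render in audit2allow's output shape:
    allow pki_tomcat_t ldconfig_exec_t:file { execute getattr };"""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def explain(avcs, cmdlines):
    """One readable line per AVC, pairing the denial with the command that caused it."""
    return [f"event {a['serial']}: {a['stype']} ({a['comm']}) was {a['verdict']} "
            f"{' '.join(sorted(a['perms']))} on {a['tclass']} {a['target']} "
            f"[{a['ttype']}]; cmdline: {cmdlines.get(a['serial'], '?')}"
            for a in avcs]


if __name__ == "__main__":
    avcs, cmdlines = parse_audit(SAMPLE_AUDIT)
    for line in explain(avcs, cmdlines):
        print(line)
    print("\n".join(render_allow_rules(summarize_denials(avcs))))
```

Run as a script it prints the decoded command line, `sh -c /sbin/ldconfig -p 2>/dev/null`, next to each denial and then the single merged rule, which is the same `allow pki_tomcat_t ldconfig_exec_t:file { execute getattr };` that audit2allow produced in comment 2. Seeing the command line matters for review: a rule generated from denials grants exactly what was attempted, and the decoded proctitle is what tells the policy maintainer whether that is the behaviour the domain is meant to have.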
Comment 3 Lukas Vrabec 2017-06-05 12:44:58 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***
