Red Hat Bugzilla – Bug 1462292
AVC denial: scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
Last modified: 2018-04-10 08:33:50 EDT
Description of problem:
The following AVC denial was seen on a test machine:

time->Fri Jun 16 12:01:23 2017
type=PROCTITLE msg=audit(1497607283.881:189): proctitle=2F7573722F6C6962657865632F706567617375732F63696D70726F766167740031003800313100726F6F7400636D70694C4D495F5265616C6D64
type=SYSCALL msg=audit(1497607283.881:189): arch=c000003e syscall=2 success=no exit=-13 a0=7f4767103622 a1=0 a2=1b6 a3=24 items=0 ppid=18949 pid=18950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1497607283.881:189): avc: denied { search } for pid=18950 comm="cimprovagt" name="pki" dev="dm-0" ino=34205826 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir

It appeared after the following command:
python -m unittest realmd_lmi.TestRealmdFunctions.test_query
and when openssl was upgraded to openssl-1.0.2k-1.el7 from openssl-1.0.1e-60.el7.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-162.el7
tog-pegasus-2.14.1-4.el7
openlmi-realmd-0.5.0-4.el7
openssl-1.0.2k-1.el7

How reproducible:
always

Steps to Reproduce:
Join a machine to AD or IPA through openlmi
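Added example (not part of the original report, and not code from Red Hat or OpenLMI): a Python triage helper that parses the three audit records from the description, decodes the hex-encoded proctitle into its argument list, and derives the allow rule this denial corresponds to. The function names and the one-entry syscall table are assumptions made for illustration; the derived rule is only what the AVC record implies, not necessarily the change shipped in the advisory.

```python
import errno
import re

# The three records of audit event 1497607283.881:189, copied from the description.
EVENT = [
    "type=PROCTITLE msg=audit(1497607283.881:189): proctitle=2F7573722F6C6962657865632F"
    "706567617375732F63696D70726F766167740031003800313100726F6F7400636D70694C4D495F5265616C6D64",
    'type=SYSCALL msg=audit(1497607283.881:189): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=7f4767103622 a1=0 a2=1b6 a3=24 items=0 ppid=18949 pid=18950 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" '
    'exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)',
    'type=AVC msg=audit(1497607283.881:189): avc: denied { search } for pid=18950 '
    'comm="cimprovagt" name="pki" dev="dm-0" ino=34205826 '
    'scontext=system_u:system_r:pegasus_openlmi_services_t:s0 '
    'tcontext=system_u:object_r:cert_t:s0 tclass=dir',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
SYSCALLS = {("c000003e", "2"): "open"}  # only the x86_64 entry this event needs

def decode_proctitle(value):
    # A bare (unquoted) proctitle is hex; argv entries are separated by NUL bytes.
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0")]

def parse_record(line):
    fields = {}
    for key, val in KV.findall(line):
        if val.startswith('"'):
            fields[key] = val.strip('"')          # quoted values are plain text
        elif key == "proctitle":
            fields[key] = decode_proctitle(val)
        else:
            fields[key] = val
    m = AVC.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields

def triage(lines):
    recs = {r["type"]: r for r in map(parse_record, lines)}
    sc, avc = recs["SYSCALL"], recs["AVC"]
    src, tgt = (c.split(":")[2] for c in (avc["scontext"], avc["tcontext"]))
    perms = " ".join(avc["perms"])
    return {
        "argv": recs["PROCTITLE"]["proctitle"],
        "syscall": SYSCALLS.get((sc["arch"], sc["syscall"]), sc["syscall"]),
        "errno": errno.errorcode[-int(sc["exit"])],
        "object": f'{avc["tclass"]} "{avc["name"]}"',
        "rule": f'allow {src} {tgt}:{avc["tclass"]} {{ {perms} }};',
    }
```

The decoded argument list shows which provider module the `cimprovagt` agent was hosting when the `open` call failed, which the `comm` and `exe` fields alone do not reveal.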
Could you run the TC in permissive mode so that all SELinux denials are revealed?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
In permissive mode there are no AVC denials at all.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763