Description of problem:
The following SELinux denials occur during FreeIPA 4.6.0 installation.

----
time->Tue Sep 5 09:31:18 2017
type=AVC msg=audit(1504603878.452:858): avc: denied { map } for pid=12968 comm="ns-slapd" path="/dev/shm/FKLfFg" dev="tmpfs" ino=63946 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:21 2017
type=AVC msg=audit(1504603881.903:859): avc: denied { map } for pid=12968 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=395726 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:24 2017
type=AVC msg=audit(1504603884.703:862): avc: denied { link } for pid=13049 comm="ns-slapd" name="dse.ldif" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:24 2017
type=AVC msg=audit(1504603884.706:863): avc: denied { rename } for pid=13049 comm="ns-slapd" name="dse.ldif" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:28 2017
type=AVC msg=audit(1504603888.423:866): avc: denied { unlink } for pid=13049 comm="ns-slapd" name="dse.ldif.bak" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:28 2017
type=AVC msg=audit(1504603888.161:864): avc: denied { map } for pid=13049 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=395726 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:31 2017
type=AVC msg=audit(1504603891.024:869): avc: denied { map } for pid=13160 comm="ns-slapd" path="/dev/shm/iPHdin" dev="tmpfs" ino=67005 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:31:47 2017
type=AVC msg=audit(1504603907.620:876): avc: denied { write } for pid=13521 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep 5 09:32:34 2017
type=AVC msg=audit(1504603954.877:880): avc: denied { write } for pid=13935 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep 5 09:32:54 2017
type=AVC msg=audit(1504603974.038:885): avc: denied { write } for pid=14473 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep 5 09:33:26 2017
type=AVC msg=audit(1504604006.568:891): avc: denied { map } for pid=15182 comm="ns-slapd" path="/dev/shm/w2f6iy" dev="tmpfs" ino=85432 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:33:29 2017
type=AVC msg=audit(1504604009.951:892): avc: denied { map } for pid=15182 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:33:38 2017
type=AVC msg=audit(1504604018.902:896): avc: denied { map } for pid=15291 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:33:41 2017
type=AVC msg=audit(1504604021.939:901): avc: denied { map } for pid=15397 comm="ns-slapd" path="/dev/shm/BMRSFF" dev="tmpfs" ino=85710 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:33:45 2017
type=AVC msg=audit(1504604025.568:903): avc: denied { write } for pid=15458 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep 5 09:34:00 2017
type=AVC msg=audit(1504604040.817:918): avc: denied { map } for pid=15930 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:34:08 2017
type=AVC msg=audit(1504604048.505:928): avc: denied { map } for pid=16348 comm="ns-slapd" path="/dev/shm/QARgAt" dev="tmpfs" ino=90834 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:34:12 2017
type=AVC msg=audit(1504604052.035:929): avc: denied { map } for pid=16348 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:35:47 2017
type=AVC msg=audit(1504604147.062:940): avc: denied { map } for pid=16662 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:35:48 2017
type=AVC msg=audit(1504604148.078:945): avc: denied { map } for pid=16969 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="vda1" ino=1969420 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
----
time->Tue Sep 5 09:35:56 2017
type=AVC msg=audit(1504604156.162:948): avc: denied { map } for pid=17006 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-277.fc27.noarch
freeipa-server-4.6.0-1.fc27.x86_64
389-ds-base-1.3.7.3-1.fc27.x86_64
pki-base-10.4.8-5.fc27.noarch
GeoIP-1.6.11-3.fc27.x86_64
bind-9.11.1-6.P3.fc27.x86_64

How reproducible: always
I've already reported several of these to Lukas and I believe he's fixed several. Can you test with selinux-policy-3.13.1-279.fc27 (it's in Koji, not yet Bodhi) and see which, if any, remain? Thanks.
Here's the list I get with the latest openQA test with the F27 update that makes FreeIPA kinda-work again, including USER_AVCs:

Sep 05 14:59:48 localhost.localdomain audit[587]: AVC avc: denied { map } for pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:48 localhost.localdomain kernel: audit: type=1400 audit(1504648788.937:75): avc: denied { map } for pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:49 localhost.localdomain audit[603]: AVC avc: denied { map } for pid=603 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=8844075 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=1
Sep 05 15:03:35 ipa001.domain.local audit[4636]: AVC avc: denied { map } for pid=4636 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:03:59 ipa001.domain.local audit[13043]: AVC avc: denied { map } for pid=13043 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { read } for pid=512 comm="sh" name="passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { open } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { getattr } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { map } for pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc: denied { write } for pid=512 comm="sh" name="nss" dev="dm-0" ino=12922699 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 05 15:04:56 ipa001.domain.local audit[666]: AVC avc: denied { map } for pid=666 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1034 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=1034 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1084 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.22 spid=1 tpid=1084 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.27 spid=1 tpid=1128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1129 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.28 spid=1 tpid=1129 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1134 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.30 spid=1 tpid=1134 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:06:33 ipa001.domain.local audit[3761]: AVC avc: denied { map } for pid=3761 comm="ns-slapd" path="/dev/shm/2zc8lm" dev="tmpfs" ino=31196 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:06:39 ipa001.domain.local audit[3761]: AVC avc: denied { map } for pid=3761 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552045 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { write } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { link } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc: denied { rename } for pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:47 ipa001.domain.local audit[3812]: AVC avc: denied { unlink } for pid=3812 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:55 ipa001.domain.local audit[3900]: AVC avc: denied { map } for pid=3900 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:03 ipa001.domain.local audit[4012]: AVC avc: denied { map } for pid=4012 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { read } for pid=4206 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { open } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { getattr } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc: denied { map } for pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { read } for pid=4602 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { open } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { getattr } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc: denied { map } for pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { read } for pid=5119 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { open } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { getattr } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc: denied { map } for pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:09:49 ipa001.domain.local audit[5838]: AVC avc: denied { map } for pid=5838 comm="ns-slapd" path="/dev/shm/DoJNc7" dev="tmpfs" ino=52885 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:09:54 ipa001.domain.local audit[5838]: AVC avc: denied { map } for pid=5838 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:02 ipa001.domain.local audit[5930]: AVC avc: denied { map } for pid=5930 comm="ns-slapd" path="/dev/shm/m96aV6" dev="tmpfs" ino=53303 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:08 ipa001.domain.local audit[5930]: AVC avc: denied { map } for pid=5930 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { read } for pid=6059 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { open } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { getattr } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc: denied { map } for pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:39 ipa001.domain.local audit[6520]: AVC avc: denied { map } for pid=6520 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:10:47 ipa001.domain.local audit[6909]: AVC avc: denied { map } for pid=6909 comm="ns-slapd" path="/dev/shm/rR8fi8" dev="tmpfs" ino=59817 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:53 ipa001.domain.local audit[6909]: AVC avc: denied { map } for pid=6909 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:22 ipa001.domain.local audit[7055]: AVC avc: denied { map } for pid=7055 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:27 ipa001.domain.local audit[7177]: AVC avc: denied { map } for pid=7177 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:12:28 ipa001.domain.local audit[7453]: AVC avc: denied { map } for pid=7453 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=34619 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 05 15:12:30 ipa001.domain.local audit[7494]: AVC avc: denied { map } for pid=7494 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:18:00 ipa001.domain.local audit[7181]: AVC avc: denied { execmem } for pid=7181 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
Sep 05 15:25:06 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=61277 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
With -279 in the latest Rawhide compose, these denials still appear during a successful server deployment with enforcing=0:

[adamw@adam tmp]$ journalctl --file var/log/journal/9d9e6135d4644e03b7fba286745fef02/system.journal | grep -i denied
Sep 06 06:37:38 localhost.localdomain audit[605]: AVC avc: denied { map } for pid=605 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=8887546 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=0
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { read } for pid=526 comm="sh" name="passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { open } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { getattr } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { map } for pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc: denied { write } for pid=526 comm="sh" name="nss" dev="dm-0" ino=12848641 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.23 spid=1 tpid=1159 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1160 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.24 spid=1 tpid=1160 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1211 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.31 spid=1 tpid=1211 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1258 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.34 spid=1 tpid=1258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.35 spid=1 tpid=1268 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1274 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.38 spid=1 tpid=1274 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { write } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { link } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc: denied { rename } for pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:46 ipa001.domain.local audit[5748]: AVC avc: denied { unlink } for pid=5748 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:54:00 ipa001.domain.local audit[8457]: AVC avc: denied { map } for pid=8457 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:50 ipa001.domain.local audit[9116]: AVC avc: denied { map } for pid=9116 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:53 ipa001.domain.local audit[9417]: AVC avc: denied { map } for pid=9417 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=253450 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 06 06:55:56 ipa001.domain.local audit[9441]: AVC avc: denied { map } for pid=9441 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 07:05:28 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65276 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
This bug isn't really 'blocking' the CA_UNREACHABLE bug, that's something else entirely. Instead, nominating this one directly as a Beta blocker, for the same reason as all the others: these denials prevent FreeIPA server deployment, which is a core requirement of a release-blocking Server role, from working. (One of the earlier denials *does* cause the server deployment test to fail on openQA production, where the test is run with SELinux in enforcing mode; I got the full list of denials from the logs of the same test on openQA staging, where we're currently running the test with SELinux in permissive mode).
selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
-280 did not fix all the denials I mentioned, these remain:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

Note the unusual tcontext there (presumably because the deployment is being run via rolekit).
(In reply to Adam Williamson from comment #8)
> -280 did not fix all the denials I mentioned, these remain:
>
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
>
> note the unusual tcontext there (presumably because the deployment is being
> run via rolekit).

Because it is a bug in freeipa-server and not in selinux-policy: BZ1490762
There's one more denial I see during the FreeIPA tests on openQA staging (with enforcing=0), I think this one comes during decommissioning:

Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
(In reply to Adam Williamson from comment #10)
> There's one more denial I see during the FreeIPA tests on openQA staging
> (with enforcing=0), I think this one comes during decommissioning:
>
> Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc: denied { unlink }
> for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

It is a harmless AVC. "krb5cc-httpd" is the kerberos ccache file used in httpd.service, and this AVC occurs when httpd.service is stopped and systemd tries to clean all files in PrivateTmp. So it will not cause any critical problems, but it would probably be nice to allow it.
BTW it can be tracked in a different BZ because it usually does not happen as part of ipa-server-install but later, and moreover it is related to httpd+systemd rather than the freeipa use-case.
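The two triage questions raised in comments #8 and #11 (which denials are actually blocking with permissive=0, and which target labels look out of place for a given domain, like dirsrv_t writing to rolekit_tmp_t) can be answered mechanically from the audit lines. The following is an added example, not code from this bug report or from the selinux-policy project: it parses AVC records in both the journald and auditd layouts, groups them by source type, target type, class and permission, and flags the ones that were enforced and the ones whose target type falls outside an assumed per-domain allow-list. The sample lines are constructed from the denials quoted above, and the EXPECTED_TARGET_PREFIXES mapping is a hypothetical allow-list chosen for illustration, not anything the policy defines.

```python
"""Triage helper for SELinux AVC denials (added example, not part of the bug report)."""
import re

# Matches the AVC payload in both the journald layout ("audit[5710]: AVC avc: denied ...")
# and the auditd layout ("type=AVC msg=audit(...): avc: denied ...").
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input, shaped after the denials quoted in this bug.
SAMPLE_LOG = """\
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 06 06:55:56 ipa001.domain.local audit[9441]: AVC avc: denied { map } for pid=9441 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc: denied { unlink } for pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
Sep 12 13:10:03 ipa001.domain.local systemd[1]: Stopped The Apache HTTP Server.
"""

# Hypothetical allow-list (an assumption for this example): target-type prefixes each
# domain is expected to touch during an IPA deployment. Domains not listed are not judged.
EXPECTED_TARGET_PREFIXES = {
    "dirsrv_t": ("dirsrv_",),
    "httpd_t": ("httpd_", "cert_"),
}


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the access was really refused, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "enforced": False, "comms": set(), "objects": set()})
            entry["count"] += 1
            entry["enforced"] = entry["enforced"] or rec["enforced"]
            entry["comms"].add(rec.get("comm", "?"))
            entry["objects"].add(rec.get("name") or rec.get("path", "?"))
    return summary


def enforced_keys(summary):
    """Denials that were actually refused at least once (the ones that break a deployment)."""
    return sorted(k for k, v in summary.items() if v["enforced"])


def unexpected_target_keys(summary, expected=EXPECTED_TARGET_PREFIXES):
    """Denials where a known domain hit a target type outside its expected prefixes."""
    flagged = []
    for key in summary:
        stype, ttype = key[0], key[1]
        prefixes = expected.get(stype)
        if prefixes is not None and not ttype.startswith(prefixes):
            flagged.append(key)
    return sorted(flagged)


def report(text):
    """Print a one-line summary per distinct denial and return the grouped data."""
    summary = summarize(text.splitlines())
    for (stype, ttype, tclass, perm), v in sorted(summary.items()):
        mode = "ENFORCED" if v["enforced"] else "permissive"
        print(f"{mode:10} {stype} -> {ttype} {tclass}:{perm} x{v['count']} "
              f"comm={','.join(sorted(v['comms']))} obj={','.join(sorted(v['objects']))}")
    return summary


if __name__ == "__main__":
    s = report(SAMPLE_LOG)
    print("blocked in enforcing mode:", enforced_keys(s))
    print("unusual target labels:", unexpected_target_keys(s))
```

Run against `journalctl -o cat -t audit` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG to triage a real install; grouping by type rather than by full context is what makes the repeated dse.ldif writes collapse into one row, and the allow-list check is what surfaces the rolekit_tmp_t mislabel without reading every line.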