Bug 1488404 - SELinux denials during ipa-server-install
Summary: SELinux denials during ipa-server-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: F27BetaBlocker
 
Reported: 2017-09-05 10:09 UTC by Tomas Krizek
Modified: 2017-09-13 06:19 UTC
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-12 08:06:14 UTC
Type: Bug



Description Tomas Krizek 2017-09-05 10:09:16 UTC
Description of problem: The following SELinux denials occur during FreeIPA 4.6.0 installation.

----
time->Tue Sep  5 09:31:18 2017
type=AVC msg=audit(1504603878.452:858): avc:  denied  { map } for  pid=12968 comm="ns-slapd" path="/dev/shm/FKLfFg" dev="tmpfs" ino=63946 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:21 2017
type=AVC msg=audit(1504603881.903:859): avc:  denied  { map } for  pid=12968 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=395726 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:24 2017
type=AVC msg=audit(1504603884.703:862): avc:  denied  { link } for  pid=13049 comm="ns-slapd" name="dse.ldif" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:24 2017
type=AVC msg=audit(1504603884.706:863): avc:  denied  { rename } for  pid=13049 comm="ns-slapd" name="dse.ldif" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:28 2017
type=AVC msg=audit(1504603888.423:866): avc:  denied  { unlink } for  pid=13049 comm="ns-slapd" name="dse.ldif.bak" dev="vda1" ino=1573872 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:28 2017
type=AVC msg=audit(1504603888.161:864): avc:  denied  { map } for  pid=13049 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=395726 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:31 2017
type=AVC msg=audit(1504603891.024:869): avc:  denied  { map } for  pid=13160 comm="ns-slapd" path="/dev/shm/iPHdin" dev="tmpfs" ino=67005 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:31:47 2017
type=AVC msg=audit(1504603907.620:876): avc:  denied  { write } for  pid=13521 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep  5 09:32:34 2017
type=AVC msg=audit(1504603954.877:880): avc:  denied  { write } for  pid=13935 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep  5 09:32:54 2017
type=AVC msg=audit(1504603974.038:885): avc:  denied  { write } for  pid=14473 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep  5 09:33:26 2017
type=AVC msg=audit(1504604006.568:891): avc:  denied  { map } for  pid=15182 comm="ns-slapd" path="/dev/shm/w2f6iy" dev="tmpfs" ino=85432 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:33:29 2017
type=AVC msg=audit(1504604009.951:892): avc:  denied  { map } for  pid=15182 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:33:38 2017
type=AVC msg=audit(1504604018.902:896): avc:  denied  { map } for  pid=15291 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:33:41 2017
type=AVC msg=audit(1504604021.939:901): avc:  denied  { map } for  pid=15397 comm="ns-slapd" path="/dev/shm/BMRSFF" dev="tmpfs" ino=85710 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:33:45 2017
type=AVC msg=audit(1504604025.568:903): avc:  denied  { write } for  pid=15458 comm="pkidaemon" name="nss" dev="vda1" ino=262289 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Tue Sep  5 09:34:00 2017
type=AVC msg=audit(1504604040.817:918): avc:  denied  { map } for  pid=15930 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:34:08 2017
type=AVC msg=audit(1504604048.505:928): avc:  denied  { map } for  pid=16348 comm="ns-slapd" path="/dev/shm/QARgAt" dev="tmpfs" ino=90834 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:34:12 2017
type=AVC msg=audit(1504604052.035:929): avc:  denied  { map } for  pid=16348 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="vda1" ino=394193 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:35:47 2017
type=AVC msg=audit(1504604147.062:940): avc:  denied  { map } for  pid=16662 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:35:48 2017
type=AVC msg=audit(1504604148.078:945): avc:  denied  { map } for  pid=16969 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="vda1" ino=1969420 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
----
time->Tue Sep  5 09:35:56 2017
type=AVC msg=audit(1504604156.162:948): avc:  denied  { map } for  pid=17006 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="vda1" ino=1573186 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1



Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-277.fc27.noarch
freeipa-server-4.6.0-1.fc27.x86_64
389-ds-base-1.3.7.3-1.fc27.x86_64
pki-base-10.4.8-5.fc27.noarch
GeoIP-1.6.11-3.fc27.x86_64
bind-9.11.1-6.P3.fc27.x86_64

How reproducible:
always

Comment 1 Adam Williamson 2017-09-05 15:59:46 UTC
I've already reported several of these to Lukas and I believe he's fixed several. Can you test with selinux-policy-3.13.1-279.fc27 (it's in Koji, not yet Bodhi) and see which if any remain? Thanks.

Comment 2 Adam Williamson 2017-09-05 23:11:29 UTC
Here's the list I get with the latest openQA test with the F27 update that makes FreeIPA kinda-work again, including USER_AVCs:

Sep 05 14:59:48 localhost.localdomain audit[587]: AVC avc:  denied  { map } for  pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:48 localhost.localdomain kernel: audit: type=1400 audit(1504648788.937:75): avc:  denied  { map } for  pid=587 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=4925999 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=1
Sep 05 14:59:49 localhost.localdomain audit[603]: AVC avc:  denied  { map } for  pid=603 comm="auditd" path="/etc/audit/auditd.conf" dev="dm-0" ino=8844075 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=1
Sep 05 15:03:35 ipa001.domain.local audit[4636]: AVC avc:  denied  { map } for  pid=4636 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:03:59 ipa001.domain.local audit[13043]: AVC avc:  denied  { map } for  pid=13043 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc:  denied  { read } for  pid=512 comm="sh" name="passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc:  denied  { open } for  pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc:  denied  { getattr } for  pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc:  denied  { map } for  pid=512 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:04:55 ipa001.domain.local audit[512]: AVC avc:  denied  { write } for  pid=512 comm="sh" name="nss" dev="dm-0" ino=12922699 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 05 15:04:56 ipa001.domain.local audit[666]: AVC avc:  denied  { map } for  pid=666 comm="abrt-dump-journ" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8685729 scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.16 spid=1 tpid=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1034 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:46 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.17 spid=1 tpid=1034 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1084 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:49 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.22 spid=1 tpid=1084 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.27 spid=1 tpid=1128 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1129 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.28 spid=1 tpid=1129 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1134 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 05 15:05:52 ipa001.domain.local audit[628]: USER_AVC pid=628 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.30 spid=1 tpid=1134 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 05 15:06:33 ipa001.domain.local audit[3761]: AVC avc:  denied  { map } for  pid=3761 comm="ns-slapd" path="/dev/shm/2zc8lm" dev="tmpfs" ino=31196 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:06:39 ipa001.domain.local audit[3761]: AVC avc:  denied  { map } for  pid=3761 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552045 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc:  denied  { write } for  pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc:  denied  { link } for  pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:41 ipa001.domain.local audit[3812]: AVC avc:  denied  { rename } for  pid=3812 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:47 ipa001.domain.local audit[3812]: AVC avc:  denied  { unlink } for  pid=3812 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=13552048 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 05 15:06:55 ipa001.domain.local audit[3900]: AVC avc:  denied  { map } for  pid=3900 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:03 ipa001.domain.local audit[4012]: AVC avc:  denied  { map } for  pid=4012 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc:  denied  { read } for  pid=4206 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc:  denied  { open } for  pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc:  denied  { getattr } for  pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:07:09 ipa001.domain.local audit[4206]: AVC avc:  denied  { map } for  pid=4206 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc:  denied  { read } for  pid=4602 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc:  denied  { open } for  pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc:  denied  { getattr } for  pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:22 ipa001.domain.local audit[4602]: AVC avc:  denied  { map } for  pid=4602 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc:  denied  { read } for  pid=5119 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc:  denied  { open } for  pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc:  denied  { getattr } for  pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:08:56 ipa001.domain.local audit[5119]: AVC avc:  denied  { map } for  pid=5119 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:09:49 ipa001.domain.local audit[5838]: AVC avc:  denied  { map } for  pid=5838 comm="ns-slapd" path="/dev/shm/DoJNc7" dev="tmpfs" ino=52885 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:09:54 ipa001.domain.local audit[5838]: AVC avc:  denied  { map } for  pid=5838 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:02 ipa001.domain.local audit[5930]: AVC avc:  denied  { map } for  pid=5930 comm="ns-slapd" path="/dev/shm/m96aV6" dev="tmpfs" ino=53303 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:08 ipa001.domain.local audit[5930]: AVC avc:  denied  { map } for  pid=5930 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc:  denied  { read } for  pid=6059 comm="pkidaemon" name="passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc:  denied  { open } for  pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc:  denied  { getattr } for  pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:16 ipa001.domain.local audit[6059]: AVC avc:  denied  { map } for  pid=6059 comm="pkidaemon" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8652896 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 05 15:10:39 ipa001.domain.local audit[6520]: AVC avc:  denied  { map } for  pid=6520 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:10:47 ipa001.domain.local audit[6909]: AVC avc:  denied  { map } for  pid=6909 comm="ns-slapd" path="/dev/shm/rR8fi8" dev="tmpfs" ino=59817 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
Sep 05 15:10:53 ipa001.domain.local audit[6909]: AVC avc:  denied  { map } for  pid=6909 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:22 ipa001.domain.local audit[7055]: AVC avc:  denied  { map } for  pid=7055 comm="ns-slapd" path="/var/lib/dirsrv/slapd-DOMAIN-LOCAL/db/__db.001" dev="dm-0" ino=13552044 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file permissive=1
Sep 05 15:12:27 ipa001.domain.local audit[7177]: AVC avc:  denied  { map } for  pid=7177 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:12:28 ipa001.domain.local audit[7453]: AVC avc:  denied  { map } for  pid=7453 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=34619 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 05 15:12:30 ipa001.domain.local audit[7494]: AVC avc:  denied  { map } for  pid=7494 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=34287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 05 15:18:00 ipa001.domain.local audit[7181]: AVC avc:  denied  { execmem } for  pid=7181 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
Sep 05 15:25:06 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=61277 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

Comment 3 Adam Williamson 2017-09-06 18:48:05 UTC
With -279 in the latest Rawhide compose, these denials still appear during a successful server deployment with enforcing=0:

[adamw@adam tmp]$ journalctl --file var/log/journal/9d9e6135d4644e03b7fba286745fef02/system.journal  | grep -i denied
Sep 06 06:37:38 localhost.localdomain audit[605]: AVC avc:  denied  { map } for  pid=605 comm="ldconfig" path="/var/cache/ldconfig/aux-cache" dev="dm-0" ino=8887546 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:ldconfig_cache_t:s0 tclass=file permissive=0
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc:  denied  { read } for  pid=526 comm="sh" name="passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc:  denied  { open } for  pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc:  denied  { getattr } for  pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc:  denied  { map } for  pid=526 comm="sh" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=8888275 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
Sep 06 06:46:03 localhost.localdomain audit[526]: AVC avc:  denied  { write } for  pid=526 comm="sh" name="nss" dev="dm-0" ino=12848641 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.23 spid=1 tpid=1159 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1160 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:22 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.24 spid=1 tpid=1160 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1211 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:24 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.31 spid=1 tpid=1211 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1258 tpid=1 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.34 spid=1 tpid=1258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.35 spid=1 tpid=1268 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1274 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.38 spid=1 tpid=1274 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=dbus permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { write } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { link } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { rename } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:46 ipa001.domain.local audit[5748]: AVC avc:  denied  { unlink } for  pid=5748 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:54:00 ipa001.domain.local audit[8457]: AVC avc:  denied  { map } for  pid=8457 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:50 ipa001.domain.local audit[9116]: AVC avc:  denied  { map } for  pid=9116 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:53 ipa001.domain.local audit[9417]: AVC avc:  denied  { map } for  pid=9417 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=253450 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 06 06:55:56 ipa001.domain.local audit[9441]: AVC avc:  denied  { map } for  pid=9441 comm="httpd" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 07:05:28 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65276 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

Comment 4 Adam Williamson 2017-09-06 18:50:14 UTC
This bug isn't really 'blocking' the CA_UNREACHABLE bug, that's something else entirely. Instead, nominating this one directly as a Beta blocker, for the same reason as all the others: these denials prevent FreeIPA server deployment, which is a core requirement of a release-blocking Server role, from working. (One of the earlier denials *does* cause the server deployment test to fail on openQA production, where the test is run with SELinux in enforcing mode; I got the full list of denials from the logs of the same test on openQA staging, where we're currently running the test with SELinux in permissive mode).

Comment 5 Fedora Update System 2017-09-07 12:12:49 UTC
selinux-policy-3.13.1-280.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

Comment 6 Fedora Update System 2017-09-07 14:34:06 UTC
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-edf1be580e

Comment 7 Fedora Update System 2017-09-09 04:11:23 UTC
selinux-policy-3.13.1-280.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Adam Williamson 2017-09-12 02:03:23 UTC
-280 did not fix all the denials I mentioned, these remain:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

note the unusual tcontext there (presumably because the deployment is being run via rolekit).
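As an added triage example (not code from this bug, from the selinux-policy project or from FreeIPA), the following Python script parses journal AVC and USER_AVC lines like the ones quoted above, groups them by source type, target type and object class, merges the denied permissions, and records whether any occurrence was logged with permissive=0, i.e. actually blocked in enforcing mode. The sample input is a constructed subset of the lines quoted in this bug. Grouping by target label is exactly what makes an unexpected tcontext such as rolekit_tmp_t on dse.ldif stand out before anyone drafts a policy change, and the rendered allow rules are candidates for human review only, since (as comment 9 shows) the right fix can be in the installer rather than in the policy.

```python
"""Triage SELinux denials from journal output (added example, not project code).

Groups kernel AVC and D-Bus USER_AVC denials by (source type, target type,
object class), merges the denied permissions, and flags groups that were
seen with permissive=0, i.e. really blocked in enforcing mode.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the journal lines quoted in this bug,
# pasted as-is (comment 3 lines with permissive=1, one comment 8 line with 0).
SAMPLE_LOG = """\
Sep 06 06:48:40 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=error error_name=org.freedesktop.systemd1.NoSuchDynamicUser dest=:1.34 spid=1 tpid=1258 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=dbus permissive=1
Sep 06 06:48:45 ipa001.domain.local audit[636]: USER_AVC pid=636 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=1274 tpid=1 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { write } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { link } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:40 ipa001.domain.local audit[5748]: AVC avc:  denied  { rename } for  pid=5748 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:49:46 ipa001.domain.local audit[5748]: AVC avc:  denied  { unlink } for  pid=5748 comm="ns-slapd" name="dse.ldif.bak" dev="dm-0" ino=936382 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=1
Sep 06 06:54:00 ipa001.domain.local audit[8457]: AVC avc:  denied  { map } for  pid=8457 comm="nss_pcache" path="/etc/pki/ca-trust/source/README" dev="dm-0" ino=253126 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
Sep 06 06:55:53 ipa001.domain.local audit[9417]: AVC avc:  denied  { map } for  pid=9417 comm="named-pkcs11" path="/usr/share/GeoIP/GeoLiteCountry.dat" dev="dm-0" ino=253450 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 06 07:05:28 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65276 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write } for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for key=value ..." in both AVC and USER_AVC records
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one journal line; return a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # strip quotes, including a stray trailing ' left over from msg='...'
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "kind": "USER_AVC" if "USER_AVC" in line else "AVC",
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("dest"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class).

    Returns {key: {"perms": set, "enforced": bool, "targets": set}}.
    """
    groups = defaultdict(lambda: {"perms": set(), "enforced": False, "targets": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["enforced"] = g["enforced"] or d["enforced"]
        if d["target"]:
            g["targets"].add(d["target"])
    return dict(groups)


def candidate_rules(summary):
    """Render each group as an audit2allow-style allow rule for human review."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summary.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (stype, ttype, tclass), g in sorted(summary.items()):
        flag = "BLOCKED in enforcing" if g["enforced"] else "permissive only"
        print(f"{stype} -> {ttype}:{tclass} {sorted(g['perms'])} [{flag}] "
              f"targets={sorted(g['targets'])}")
    print("\ncandidate rules (review each one; a mislabeled file needs a relabel, not a rule):")
    for rule in candidate_rules(summary):
        print(rule)
```

Run it on `journalctl -o short` output piped in place of the sample to get the same grouped view for a fresh install; the group whose target type does not match the daemon's own file types (here dirsrv_t writing rolekit_tmp_t) is the one to question before touching policy.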

Comment 9 Lukas Slebodnik 2017-09-12 08:06:14 UTC
(In reply to Adam Williamson from comment #8)
> -280 did not fix all the denials I mentioned, these remain:
> 
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { write }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc:  denied  { link }
> for  pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> 
> note the unusual tcontext there (presumably because the deployment is being
> run via rolekit).

because it is a bug in freeipa-server and not in selinux-policy BZ1490762

Comment 10 Adam Williamson 2017-09-12 22:47:16 UTC
There's one more denial I see during the FreeIPA tests on openQA staging (with enforcing=0), I think this one comes during decommissioning:

Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink } for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

Comment 11 Lukas Slebodnik 2017-09-13 06:17:12 UTC
(In reply to Adam Williamson from comment #10)
> There's one more denial I see during the FreeIPA tests on openQA staging
> (with enforcing=0), I think this one comes during decommissioning:
> 
> Sep 12 13:10:02 ipa001.domain.local audit[1]: AVC avc:  denied  { unlink }
> for  pid=1 comm="systemd" name="krb5cc-httpd" dev="tmpfs" ino=65496
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1

It is a harmless AVC. "krb5cc-httpd" is a Kerberos ccache file used in httpd.service
and this AVC occurs when httpd.service is stopped and systemd tries to clean all files in PrivateTmp. So it will not cause any critical problems but it would probably be nice to allow it.

Comment 12 Lukas Slebodnik 2017-09-13 06:19:24 UTC
BTW it can be tracked in a different BZ because it usually does not happen as part of ipa-server-install but later and moreover it is related to httpd+systemd rather than the freeipa use-case

