Description of problem: During installation of freeIPA and every time I restart ipa-otpd.socket, I'm getting an AVC for /run/krb5kdc/DEFAULT.socket Version-Release number of selected component (if applicable): selinux-policy-3.14.1-7.fc28.noarch freeipa-server-4.6.90.dev201802081725+gitbbda914e8-0.fc28.x86_64 krb5-server-1.16-4.x86_64 How reproducible: always Steps to Reproduce: 1. run ipa-server-install (currently needs special build with rawhide fixes) 2. systemctl restart ipa-otpd.socket Actual results: avc: denied { write } for pid=1 comm="systemd" name="DEFAULT.socket" dev="tmpfs" ino=191528 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:krb5kdc_var_run_t:s0 tclass=sock_file permissive=1 Expected results: no AVC Additional info: ipa-otpd.socket creates the socket: # cat /usr/lib/systemd/system/ipa-otpd.socket [Unit] Description=ipa-otpd socket [Socket] ListenStream=/var/run/krb5kdc/DEFAULT.socket RemoveOnStop=true SocketMode=0600 Accept=true [Install] WantedBy=krb5kdc.service
I'm also getting a very similar AVC for freeIPA's DNSSEC support: avc: denied { write } for pid=1 comm="systemd" name="engine.sock" dev="tmpfs" ino=229583 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=1 # cat /usr/lib/systemd/system/ipa-ods-exporter.socket [Socket] ListenStream=/var/run/opendnssec/engine.sock [Install] WantedBy=sockets.target
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
The AVC is still reproducible with selinux-policy-3.14.1-8.fc28.noarch and freeipa-server-4.6.90.dev201802231329+git0aaee0a97-0.fc28.x86_64 on latest F28. time->Fri Feb 23 15:04:48 2018 type=AVC msg=audit(1519394688.802:1005): avc: denied { write } for pid=1 comm="systemd" name="DEFAULT.socket" dev="tmpfs" ino=187168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:krb5kdc_var_run_t:s0 tclass=sock_file permissive=1
selinux-policy-3.14.1-13.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
selinux-policy-3.14.1-13.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
selinux-policy-3.14.1-14.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-59cbf1effc
selinux-policy-3.14.1-14.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.