Description of problem:
I'm getting multiple SELinux AVCs for gssproxy during installation of latest freeIPA master (4.7-dev)

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-8.fc28.noarch
freeipa-server-4.6.90.dev201802231329+git0aaee0a97-0.fc28.x86_64
gssproxy-0.8.0-1.fc28.x86_64
httpd-2.4.29-5.fc28.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Build latest freeIPA from git master
2. ipa-server-install
3.

Actual results:
type=AVC msg=audit(1519395012.557:1182): avc: denied { sys_ptrace } for pid=62136 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1519395012.557:1183): avc: denied { read } for pid=62136 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519395012.557:1184): avc: denied { getattr } for pid=62136 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=148624 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1

Expected results:
No AVC

Additional info:
Created attachment 1399886
All AVCs related to gssproxy
Christian,
Is there any possibility that it was built with some debug flags if it is from dev branch?
Lukas.
It's very well possible. I'll do another test installation by the end of the week and will update the ticket.
I'm still getting AVC with

mod_auth_gssapi-1.6.0-1.fc28.x86_64
gssproxy-0.8.0-2.fc28.x86_64
selinux-policy-3.14.1-13.fc28.noarch

----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:385): avc: denied { search } for pid=6257 comm="gssproxy" name="6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:386): avc: denied { getattr } for pid=6257 comm="gssproxy" path="/proc/6380/exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:387): avc: denied { read } for pid=6257 comm="gssproxy" name="exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:388): avc: denied { read } for pid=6257 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.229:384): avc: denied { getattr } for pid=6257 comm="gssproxy" path="/proc/6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
----
time->Wed Mar 14 15:42:11 2018
type=AVC msg=audit(1521038531.230:389): avc: denied { getattr } for pid=6257 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=172160 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1
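Added example, not part of the original report or of any project's code: a small Python triage script that groups the AVC records quoted in this report by source type, target type and object class, and counts how many were actually enforced (permissive=0). The function names are this example's own; the sample records are copied from the comments above.

```python
import re
from collections import defaultdict

# AVC records copied from this report (a subset of those quoted in the comments).
SAMPLE = """\
type=AVC msg=audit(1519395012.557:1182): avc: denied { sys_ptrace } for pid=62136 comm="gssproxy" capability=19 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1519395012.557:1183): avc: denied { read } for pid=62136 comm="gssproxy" scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file permissive=1
type=AVC msg=audit(1519395012.557:1184): avc: denied { getattr } for pid=62136 comm="gssproxy" path="/usr/sbin/httpd" dev="dm-0" ino=148624 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1521038531.229:385): avc: denied { search } for pid=6257 comm="gssproxy" name="6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1521038531.229:386): avc: denied { getattr } for pid=6257 comm="gssproxy" path="/proc/6380/exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1521038531.229:387): avc: denied { read } for pid=6257 comm="gssproxy" name="exe" dev="proc" ino=83119 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1521038531.229:384): avc: denied { getattr } for pid=6257 comm="gssproxy" path="/proc/6380" dev="proc" ino=84247 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class) and count enforced ones."""
    groups = defaultdict(set)
    enforced = 0
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip "----" separators, "time->" lines and non-AVC records
        groups[(se_type(m["s"]), se_type(m["t"]), m["cls"])].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced += 1  # permissive=1 means the access was logged, not blocked
    return {key: sorted(perms) for key, perms in groups.items()}, enforced

def render(groups):
    """One line per (source, target, class) with the union of denied permissions."""
    return [f"{s} -> {t} : {cls} {{ {' '.join(perms)} }}"
            for (s, t, cls), perms in sorted(groups.items())]

if __name__ == "__main__":
    grouped, enforced_count = summarize(SAMPLE)
    print("\n".join(render(grouped)))
    print(f"enforced denials: {enforced_count}")
```

The grouped view is for reviewing what the domain attempted before deciding whether a policy change is appropriate; it is not a generated policy.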
selinux-policy-3.14.1-17.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345
selinux-policy-3.14.1-17.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b8cb71b345
selinux-policy-3.14.1-18.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-7821b2e7c4
selinux-policy-3.14.1-18.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.