SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the fedora-domainname.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/fedora-domainname.service [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           initscripts-9.80-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1 SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      5e3ab204-b8c6-4aa4-a783-31a391e13031

Raw Audit Messages
type=AVC msg=audit(1532766662.725:619): avc:  denied  { getattr } for  pid=31754 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service" dev="dm-0" ino=8738822 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1532766662.725:619): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f323c4f1730 a1=7fffac0f7d00 a2=7fffac0f7d00 a3=7f323c4f1768 items=1 ppid=31744 pid=31754 auid=4294967295 uid=385 gid=385 euid=385 suid=385 fsuid=385 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.725:619): cwd=/

type=PATH msg=audit(1532766662.725:619): item=0 name=/usr/lib/systemd/system/fedora-domainname.service inode=8738822 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,systemd_unit_file_t,file,getattr

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server selinux-policy
freeipa-server-4.7.0-1.fc28.x86_64
selinux-policy-3.14.1-36.fc28.noarch
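The raw audit event above consists of several records (AVC, SYSCALL, CWD, PATH) that share one msg=audit(timestamp:serial) id. The following is an added triage example, not part of this bug report or of FreeIPA: it groups such records by event id, pulls the source and target SELinux types out of the contexts, correlates the denial with the syscall that caused it (here stat, failing with EACCES, which is what a Python os.path.isfile() probe turns into a silent False), and prints the allow rule that the suggested ausearch | audit2allow pipeline would put into my-httpd.pp. Seeing that rule spelled out makes clear how broad the catchall suggestion is; the thread's resolution was to fix the application rather than to grant httpd_t the access. The sample log is constructed from the values quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the records of one audit event as `ausearch --raw` prints them,
# using the field values quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1532766662.725:619): avc:  denied  { getattr } for  pid=31754 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service" dev="dm-0" ino=8738822 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532766662.725:619): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f323c4f1730 a1=7fffac0f7d00 a2=7fffac0f7d00 a3=7f323c4f1768 items=1 ppid=31744 pid=31754 auid=4294967295 uid=385 gid=385 euid=385 suid=385 fsuid=385 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1532766662.725:619): cwd=/
type=PATH msg=audit(1532766662.725:619): item=0 name=/usr/lib/systemd/system/fedora-domainname.service inode=8738822 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_unit_file_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""

# Every audit record starts with its type and the event id (timestamp:serial).
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# The AVC body has a fixed prefix before its key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)"
)
# key=value tokens; values may be quoted ("httpd") or bare (system_u:system_r:httpd_t:s0).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Split 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit_events(raw):
    """Group raw audit records by event id; AVC records are kept as a list per event."""
    events = defaultdict(dict)
    for line in raw.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        event_id = f"{m['ts']}:{m['serial']}"
        if m["type"] == "AVC":
            avc = AVC_RE.match(m["body"])
            if not avc:
                continue
            fields = parse_kv(avc["rest"])
            fields["verdict"] = avc["verdict"]
            fields["perms"] = avc["perms"].split()
            events[event_id].setdefault("AVC", []).append(fields)
        else:
            events[event_id][m["type"]] = parse_kv(m["body"])
    return dict(events)


def selinux_type(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (the type is the third field)."""
    return context.split(":")[2]


def allow_rule(avc):
    """The allow rule audit2allow would generate for one AVC record."""
    perms = sorted(avc["perms"])
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow {} {}:{} {};".format(
        selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
        avc["tclass"], perm_text,
    )


def triage(events):
    """Summarise each denied AVC together with the syscall record of the same event."""
    findings = []
    for event_id, recs in events.items():
        sc = recs.get("SYSCALL", {})
        for avc in recs.get("AVC", []):
            if avc["verdict"] != "denied":
                continue
            findings.append({
                "event": event_id,
                "source_type": selinux_type(avc["scontext"]),
                "target_type": selinux_type(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "path": avc.get("path"),
                # permissive=0 means the denial was enforced, not just logged.
                "enforced": avc.get("permissive") == "0",
                "syscall": sc.get("syscall"),
                "syscall_failed": sc.get("success") == "no",
                "exit": sc.get("exit"),
                "exe": sc.get("exe"),
                "rule": allow_rule(avc),
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_audit_events(SAMPLE_AUDIT_LOG)):
        print(f"{f['exe']} ({f['source_type']}) -> {f['path']} ({f['target_type']}): "
              f"{f['tclass']} {' '.join(f['perms'])}, syscall={f['syscall']} exit={f['exit']}, "
              f"enforced={f['enforced']}")
        print("audit2allow would emit:", f["rule"])
```

Run against a real system with `ausearch -c 'httpd' --raw | python3 triage.py` after replacing the constructed sample with stdin; the per-event grouping matters because a single stat() produces one AVC record but the exe, uid and exit code live only in the SYSCALL record of the same event.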
I have no idea what the freeIPA server tries to do, but it did not happen in older versions. And IMHO, it is not ideal that it happens as httpd_t. httpd_t should not be allowed many things. If it is really needed then there should be a special SELinux boolean httpd_ipa_something.
Do you know in what context this is happening? Is it the installer, or every time httpd starts?
I saw it as part of the installation. I can check restarting httpd.
I've reproduced it and confirmed it appears when httpd is restarted. Still investigating why.
The name of the service that manages the NIS domainname keeps changing, so the following was added to the platform code ipaplatform/fedora/services.py:

    import os

    # os.path.isfile() stat()s the unit file, which needs getattr on it. From the
    # confined httpd_t domain that stat() is denied with EACCES (see the SYSCALL
    # record above) and isfile() silently returns False.
    HAS_FEDORA_DOMAINNAME_SERVICE = os.path.isfile(
        "/usr/lib/systemd/system/fedora-domainname.service"
    )
    if HAS_FEDORA_DOMAINNAME_SERVICE:
        # fedora_system_units is the platform's unit-name mapping, defined earlier in the file.
        fedora_system_units['domainname'] = 'fedora-domainname.service'

That explains the getattr. That it fails isn't important, but we should try to avoid the AVC.
(In reply to Rob Crittenden from comment #4)
> I've reproduced it and confirmed it appears when httpd is restarted. Still
> investigating why.

Thank you very much. I did not have time to try the 2nd case today.
*** Bug 1609476 has been marked as a duplicate of this bug. ***
I disabled the code in my install and the AVC went away. It also got rid of the ipa-dnskeysyncd AVC, which had different behavior but apparently the same root cause.
Upstream ticket: https://pagure.io/freeipa/issue/7661
Is there an ETA for fixing this in Fedora? It would be good to reduce unnecessary AVC noise.
Fixed upstream master:
https://pagure.io/freeipa/c/b8528da5a8e8cf4fdeabb77022cb511043544e9f
https://pagure.io/freeipa/c/1c03181e78b8f43e7bfd32e52c5b9d161c326fd6
freeipa-4.7.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d
freeipa-4.7.0-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53
freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d
freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53
What is the plan here? The change is in testing for 24 days ... can we move it closer to updates so that automated tests stop showing the AVC noise?
It should go to stable soon.
freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.