Bug 1804958 - denied { search } for pid=XXX comm="certmonger" name="opencryptoki" (breaks FreeIPA)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks: F32BetaBlocker
 
Reported: 2020-02-20 00:31 UTC by Adam Williamson
Modified: 2020-02-22 16:21 UTC (History)

Fixed In Version: selinux-policy-3.14.6-5.fc33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-22 16:21:40 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2020-02-20 00:31:59 UTC
openQA FreeIPA upgrade test in current Rawhide (tests upgrade from Fedora 31 to Rawhide) is hitting a repeated SELinux denial which seems to break the upgrade process:

Feb 19 09:17:41 ipa001.domain.local audit[971]: AVC avc:  denied  { search } for  pid=971 comm="certmonger" name="opencryptoki" dev="tmpfs" ino=26947 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0

I'm assuming this will hit F32 as well for now (can't tell yet as all F32 composes so far have had the Plymouth bug, which caused this test to fail earlier). So proposing as a Beta blocker as a violation of "It must be possible to successfully complete a direct upgrade from a fully updated installation of each of the last two stable Fedora Server releases with the system configured as a FreeIPA domain controller or postgresql server as specified in the relevant criteria." If this turns out *not* to be affecting F32 once we get a testable compose, I'll withdraw the nomination.
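The AVC record quoted above, worked through as an added example that is not part of the bug report or of the selinux-policy project: a small Python parser that reduces such denials to the policy types involved and emits the raw allow rule they imply (here certmonger_t searching a pkcs_slotd_lock_t directory), while separating enforced denials (permissive=0, the case that actually breaks the upgrade) from permissive-mode audits. The second sample line is constructed to exercise permission merging.

```python
import re
from collections import defaultdict

# Constructed sample AVC records: the first reproduces the denial quoted in this
# bug; the second is made up (permissive=1, two permissions) for merging.
SAMPLE_AVCS = [
    'Feb 19 09:17:41 ipa001.domain.local audit[971]: AVC avc:  denied  { search } for  pid=971 comm="certmonger" name="opencryptoki" dev="tmpfs" ino=26947 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0',
    'Feb 19 09:17:42 ipa001.domain.local audit[971]: AVC avc:  denied  { read open } for  pid=971 comm="certmonger" name="LCK..opencryptoki" dev="tmpfs" ino=26950 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        # a context is user:role:type[:level]; policy rules are written on types
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=0 means the kernel really refused the access (the case that
        # breaks the upgrade here); permissive=1 means it was only audited.
        "enforced": m.group("permissive") != "1",
    }


def suggest_allow_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules,
    the way audit2allow summarises them; also count enforced denials."""
    merged = defaultdict(set)
    enforced = 0
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        merged[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
        enforced += avc["enforced"]
    rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]
    return rules, enforced
```

The raw rule is the minimal grant a local module would need; a distribution policy fix such as the one in comment 2 is the place for it, so the grant ships with the policy rather than as a per-host workaround.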

Comment 1 Adam Williamson 2020-02-20 00:33:30 UTC
Note - this may also hit fresh FreeIPA deployments on F32/Rawhide, I can't tell yet because those tests are failing earlier due to some silly fedora-repos shenanigans I won't bore you with here. We should be able to tell with the next composes.

Comment 2 Lukas Vrabec 2020-02-20 14:20:51 UTC
commit f7a21a9f173e1c8071718b1dea40eed2271c284d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Feb 20 15:20:04 2020 +0100

    Allow certmonger_t domain to read pkcs_slotd lock files

Comment 3 Lukas Slebodnik 2020-02-21 09:10:17 UTC
I reported this bug 3 months ago but FreeIPA folks did not invest a lot of time in an explanation:
https://bugzilla.redhat.com/show_bug.cgi?id=1772445

