
Bug 1857675

Summary: AVC denial for comm="java" name="hsperfdata_pkiuser"
Product: Red Hat Enterprise Linux 8
Reporter: Sumedh Sidhaye <ssidhaye>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: medium
Version: 8.3
CC: ahughes, aph, ascheel, cheimes, edewata, ksiddiqu, lmiksik, lvrabec, mmalik, plautrba, rhcs-maint, sorlov, ssekidde, zpytela
Target Milestone: rc
Keywords: Regression, TestBlocker, Triaged
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:57:16 UTC
Type: Bug

Attachments:
- AVC failures after ipa-server-install in permissive mode (flags: none)
- AVC failures after ipactl restart in permissive mode (flags: none)

Description Sumedh Sidhaye 2020-07-16 10:33:03 UTC
Description of problem:

Multiple AVC denials seen for comm="java" name="hsperfdata_pkiuser"

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.3-41.el8_2.5.noarch
----
time->Wed Jul 15 20:15:33 2020
type=PROCTITLE msg=audit(1594824333.771:963): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824333.771:963): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824333.771:963): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824333.771:963): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc27404b960 a2=20000 a3=0 items=1 ppid=1 pid=52840 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824333.771:963): avc:  denied  { read } for  pid=52840 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:16:12 2020
type=PROCTITLE msg=audit(1594824372.055:966): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824372.055:966): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824372.055:966): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824372.055:966): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f7b9804b760 a2=20000 a3=0 items=1 ppid=1 pid=53047 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824372.055:966): avc:  denied  { read } for  pid=53047 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:16:16 2020
type=PROCTITLE msg=audit(1594824376.054:969): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824376.054:969): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824376.054:969): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824376.054:969): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f686804b960 a2=20000 a3=0 items=1 ppid=1 pid=53187 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824376.054:969): avc:  denied  { read } for  pid=53187 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:16:33 2020
type=PROCTITLE msg=audit(1594824393.218:970): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824393.218:970): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824393.218:970): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824393.218:970): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc30c04b760 a2=20000 a3=0 items=1 ppid=1 pid=53373 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824393.218:970): avc:  denied  { read } for  pid=53373 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:16:36 2020
type=PROCTITLE msg=audit(1594824396.763:973): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824396.763:973): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824396.763:973): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824396.763:973): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fad6c04b960 a2=20000 a3=0 items=1 ppid=1 pid=53509 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824396.763:973): avc:  denied  { read } for  pid=53509 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:17:19 2020
type=PROCTITLE msg=audit(1594824439.281:978): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824439.281:978): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824439.281:978): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824439.281:978): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f127404b760 a2=20000 a3=0 items=1 ppid=1 pid=53821 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824439.281:978): avc:  denied  { read } for  pid=53821 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:17:27 2020
type=PROCTITLE msg=audit(1594824447.270:981): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824447.270:981): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824447.270:981): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824447.270:981): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f2c1c04b960 a2=20000 a3=0 items=1 ppid=1 pid=53973 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824447.270:981): avc:  denied  { read } for  pid=53973 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:17:48 2020
type=PROCTITLE msg=audit(1594824468.271:983): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824468.271:983): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824468.271:983): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824468.271:983): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fcf9004b760 a2=20000 a3=0 items=1 ppid=1 pid=54132 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824468.271:983): avc:  denied  { read } for  pid=54132 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:17:52 2020
type=PROCTITLE msg=audit(1594824472.779:985): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824472.779:985): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824472.779:985): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824472.779:985): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fdba004b960 a2=20000 a3=0 items=1 ppid=1 pid=54261 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824472.779:985): avc:  denied  { read } for  pid=54261 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:22:32 2020
type=PROCTITLE msg=audit(1594824752.376:1001): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824752.376:1001): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824752.376:1001): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824752.376:1001): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fbdc004b760 a2=20000 a3=0 items=1 ppid=1 pid=54624 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824752.376:1001): avc:  denied  { read } for  pid=54624 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:22:43 2020
type=PROCTITLE msg=audit(1594824763.025:1006): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824763.025:1006): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824763.025:1006): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824763.025:1006): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fb7f404b960 a2=20000 a3=0 items=1 ppid=1 pid=54802 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824763.025:1006): avc:  denied  { read } for  pid=54802 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:25:14 2020
type=PROCTITLE msg=audit(1594824914.187:1067): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824914.187:1067): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824914.187:1067): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824914.187:1067): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f19a404b760 a2=20000 a3=0 items=1 ppid=1 pid=56396 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824914.187:1067): avc:  denied  { read } for  pid=56396 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:25:43 2020
type=PROCTITLE msg=audit(1594824943.043:1090): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594824943.043:1090): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594824943.043:1090): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594824943.043:1090): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fa5ec04b960 a2=20000 a3=0 items=1 ppid=1 pid=56946 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594824943.043:1090): avc:  denied  { read } for  pid=56946 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:28:12 2020
type=PROCTITLE msg=audit(1594825092.227:1113): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594825092.227:1113): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594825092.227:1113): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594825092.227:1113): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f8e1804b760 a2=20000 a3=0 items=1 ppid=1 pid=57753 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594825092.227:1113): avc:  denied  { read } for  pid=57753 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
time->Wed Jul 15 20:28:40 2020
type=PROCTITLE msg=audit(1594825120.932:1132): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D6361742F62696E2F746F6D6361742D6A756C692E6A61723A2F7573
type=PATH msg=audit(1594825120.932:1132): item=0 name="/tmp/hsperfdata_pkiuser" inode=34472437 dev=fd:00 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1594825120.932:1132): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1594825120.932:1132): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f573404b960 a2=20000 a3=0 items=1 ppid=1 pid=58298 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1594825120.932:1132): avc:  denied  { read } for  pid=58298 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):

ipa-client.x86_64              4.8.7-4.module+el8.3.0+7221+eedbd403
ipa-client-common.noarch       4.8.7-4.module+el8.3.0+7221+eedbd403
ipa-common.noarch              4.8.7-4.module+el8.3.0+7221+eedbd403
ipa-healthcheck.noarch         0.4-4.module+el8.2.0+5489+95477d9f
ipa-healthcheck-core.noarch    0.4-4.module+el8.2.0+5489+95477d9f
ipa-server.x86_64              4.8.7-4.module+el8.3.0+7221+eedbd403
ipa-server-common.noarch       4.8.7-4.module+el8.3.0+7221+eedbd403
ipa-server-dns.noarch          4.8.7-4.module+el8.3.0+7221+eedbd403
selinux-policy.noarch          3.14.3-49.el8
selinux-policy-targeted.noarch 3.14.3-49.el8

How reproducible:
Always

Steps to Reproduce:
This was observed in one of our beaker jobs


Actual results:


Expected results:


Additional info:

Comment 2 Milos Malik 2020-07-16 14:39:35 UTC
Based on SELinux denials listed in comment#0, we know that they appeared when SELinux was in enforcing mode.
To find out which SELinux rules are needed to fix the issue, we want to see SELinux denials from permissive mode too.

Can you re-run your beaker jobs and collect SELinux denials in permissive mode?

The permissive mode can be achieved by adding one of the following bkr workflow-tomorrow options to your bkr ... commands:

 a) --init-task "! setenforce 0"

 b) --init-task "! semanage permissive -a tomcat_t"

Option a) affects the whole machine: all processes on the machine will run in permissive mode.

Option b) affects only processes labeled tomcat_t (java+tomcat); they will run in permissive mode, while the rest of the processes will run in enforcing mode.

Comment 3 Christian Heimes 2020-07-16 14:40:49 UTC
The issue is likely a duplicate of #1782437. This issue is for RHEL 8.3 while the other issue is for RHEL 8.2.

I'm reassigning the issue to pki-core because I believe it's a Dogtag issue. Dogtag creates a "pkiuser" with home directory "/usr/share/pki". That home directory is not owned by pkiuser but by root. The SELinux context of the directory is usr_t:

# getent passwd pkiuser
pkiuser:x:17:17:Certificate System:/usr/share/pki:/sbin/nologin
# stat /usr/share/pki
  File: /usr/share/pki
  Size: 277             Blocks: 0          IO Block: 4096   directory
Device: fc04h/64516d    Inode: 285621      Links: 18
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:usr_t:s0

Since Dogtag's java process does not have permission to create hsperfdata information in the home directory of the pkiuser anyway, Dogtag should either disable perf data gathering completely or use a different directory to collect JVM performance statistics. The JVM option -XX:-UsePerfData disables perf gathering. I don't know if recent JVM versions still support a different directory for hsperfdata and hs_error, see https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8189674

Comment 4 Christian Heimes 2020-07-17 14:23:41 UTC
By the way, this may be a regression in JDK. Dogtag sets -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp but according to bug JDK-8189674 and posting https://stackoverflow.com/questions/76327/how-can-i-prevent-java-from-creating-hsperfdata-files the flag "java.io.tmpdir" no longer affects the location of hsperfdata.

Comment 8 Dinesh Prasanth 2020-07-23 14:42:44 UTC
(In reply to Christian Heimes from comment #3)
> The issue is likely a duplicate of #1782437. This issue is for RHEL 8.3
> while the other issue is for RHEL 8.2.
> 
> I'm reassigning the issue to pki-core because I believe it's a Dogtag issue.
> Dogtag creates a "pkiuser" with home directory "/usr/share/pki". That home
> directory is not owned by pkiuser but by root. The SELinux context of the
> directory is usr_t:
> 
> # getent passwd pkiuser
> pkiuser:x:17:17:Certificate System:/usr/share/pki:/sbin/nologin
> # stat /usr/share/pki
>   File: /usr/share/pki
>   Size: 277             Blocks: 0          IO Block: 4096   directory
> Device: fc04h/64516d    Inode: 285621      Links: 18
> Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> Context: system_u:object_r:usr_t:s0

This is correct. The contents of /usr/share/pki are created during pki-core
rpms installation. IIUC, the `pkiuser` owns only the dir/files that are
created during instance installation (That is, during pkispawn)

> 
> Since Dogtag's java process does not have permission to create hsperfdata
> information in the home directory of the pkiuser any way, Dogtag should
> either disable perf data gathering completely or use a different directory
> to collect JVM performance statistics. The JVM option -XX:-UsePerfData
> disables perf gathering. I don't know if recent JVM versions still support a
> different directory for hsperfdata and hs_error, see
> https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8189674

I'd very much like to keep the PerfData to allow us in debugging performance issues
(eg: recent memory leak with JSS). 


(In reply to Christian Heimes from comment #4)
> By the way this may be a regression in JDK. Dogtag sets
> -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp but according to bug
> JDK-8189674 and posting
> https://stackoverflow.com/questions/76327/how-can-i-prevent-java-from-
> creating-hsperfdata-files the flag "java.io.tmpdir" no longer affects the
> location of hsperfdata.

As per [1], the "java.io.tmpdir" no longer works. Instead, should we be using the
less destructive option `-XX:+PerfDataDisableSharedMem`? Thoughts? Alex? Endi?


[1] https://bugs.openjdk.java.net/browse/JDK-8189674?focusedCommentId=14124592&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14124592
[2] https://bugs.openjdk.java.net/browse/JDK-6447182?focusedCommentId=12444582&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-12444582

Comment 9 Endi Sukma Dewata 2020-07-23 16:27:45 UTC
Correction to comment #4, the java.io.tmpdir is actually set by Tomcat:
- Fedora: https://src.fedoraproject.org/rpms/tomcat/blob/master/f/tomcat-server#_11
- RHEL: http://pkgs.devel.redhat.com/cgit/rpms/pki-servlet-engine/tree/tomcat-server?h=stream-pki-10.7-rhel-8.3.0#n11

PKI does set java.io.tmpdir too, but it's only used when running PKI server or commands
in the foreground (e.g. using pki-server run command) to mimic Tomcat environment:
- https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L366
- https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/subsystem.py#L1120

IPA runs PKI server in the background as systemd service, so it uses the java.io.tmpdir
set by Tomcat, not PKI.

Just to clarify again, this is a regression in JDK, not PKI. There's no code change
in PKI that caused this problem.

Comment 11 Christian Heimes 2020-07-23 18:30:06 UTC
IPA's test suite ensures that no AVCs occur during installation and operation. Since there is now a series of AVCs related to hsperfdata, our tests are failing.

Comment 23 Zdenek Pytela 2020-07-29 13:44:50 UTC
*** Bug 1782437 has been marked as a duplicate of this bug. ***

Comment 35 Milos Malik 2020-08-05 15:38:02 UTC
Based on the logs in comment#34, the SELinux denials contain { write } instead of { read }, which means they differ slightly from those mentioned in this bug. But I agree, they need to be fixed. Candidate for a respin?

Comment 36 Kaleem 2020-08-06 07:24:49 UTC
(In reply to Milos Malik from comment #35)
> Based on the logs in comment#34, the SELinux denials contain { write }
> instead of { read }. Which means they differ slightly from those mentioned
> in this bug. But I agree, they need to be fixed. Candidate for a respin?

I do not know whom the question about a respin is for, but we definitely need a fix for it.

Comment 37 Sergey Orlov 2020-08-06 14:24:29 UTC
Hello Milos.

Actually, if we suppress this new { write } failure, we get two more.
We did not see any of those three new errors before the original { read } failure was fixed (it was ignored using "semodule -i module.pp").

Do you think those additional { add_name } and { create } denials can be fixed as part of this BZ, or should I create a new one?
Should the BZ be moved to MODIFIED state?


time->Thu Aug  6 07:13:09 2020
type=PROCTITLE msg=audit(1596712389.290:1386): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D44636F6D2E7265646861742E666970733D66616C7365002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D636174
type=PATH msg=audit(1596712389.290:1386): item=0 name="/tmp/hsperfdata_pkiuser" inode=109109922 dev=fc:03 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1596712389.290:1386): cwd="/tmp/hsperfdata_pkiuser"
type=SYSCALL msg=audit(1596712389.290:1386): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0b7804baa8 a2=20042 a3=180 items=1 ppid=1 pid=31820 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.265.b01-1.el8.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1596712389.290:1386): avc:  denied  { add_name } for  pid=31820 comm="java" name="31820" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0


time->Thu Aug  6 08:39:02 2020
type=PROCTITLE msg=audit(1596717542.342:1393): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D44636F6D2E7265646861742E666970733D66616C7365002D636C61737370617468002F7573722F73686172652F746F6D6361742F62696E2F626F6F7473747261702E6A61723A2F7573722F73686172652F746F6D636174
type=PATH msg=audit(1596717542.342:1393): item=0 name="/tmp/hsperfdata_pkiuser" inode=33591307 dev=fc:03 mode=040755 ouid=17 ogid=17 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1596717542.342:1393): cwd="/tmp/hsperfdata_pkiuser"
type=SYSCALL msg=audit(1596717542.342:1393): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fd0f004baa8 a2=20042 a3=180 items=1 ppid=1 pid=31911 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.265.b01-1.el8.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1596717542.342:1393): avc:  denied  { create } for  pid=31911 comm="java" name="31911" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
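
The denials quoted in this bug (the { read } on the hsperfdata_pkiuser directory in comment 0, the { write } from comment 35, and the { add_name } and { create } above) can be reduced to the per-type permission set that a policy change has to cover, which is what comment 2 asks to collect from permissive mode. The following Python script is an added example, not code from this bug, from selinux-policy or from Dogtag: it parses raw audit records in the format quoted on this page (the same format `ausearch -m AVC` prints), joins each AVC record with its PROCTITLE by audit serial, decodes the hex-encoded command line so the JVM switches discussed in comments 3 and 8 (-XX:-UsePerfData, -XX:+PerfDataDisableSharedMem) can be checked, and groups denied permissions by source type, target type and object class the way audit2allow summarizes them. The sample records are copied from this bug with the PROCTITLE hex shortened to the first two arguments; all function names are the example's own.

```python
"""Summarize SELinux AVC denials from raw audit records (added example, not from this bug)."""
import re
from collections import defaultdict

# Sample records copied from the denials quoted in this bug; PROCTITLE hex is cut
# after the second argument. `ausearch -m AVC` output uses the same key=value format.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1594824333.771:963): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D636C61737370617468
type=AVC msg=audit(1594824333.771:963): avc:  denied  { read } for  pid=52840 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34472437 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1596712389.290:1386): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D44636F6D2E7265646861742E666970733D66616C7365
type=AVC msg=audit(1596712389.290:1386): avc:  denied  { add_name } for  pid=31820 comm="java" name="31820" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1596717542.342:1393): avc:  denied  { create } for  pid=31911 comm="java" name="31911" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
PROCTITLE_RE = re.compile(
    r"type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(hex_title):
    """PROCTITLE carries argv hex-encoded with NUL separators; return it as a list.
    The kernel truncates the field (128 bytes by default), so the tail may be missing."""
    raw = bytes.fromhex(hex_title)
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def parse_avc_records(text):
    """Return one dict per AVC denial, joined to its PROCTITLE by audit serial number."""
    lines = text.splitlines()
    # Pass 1: PROCTITLE may precede or follow the AVC record of the same event.
    titles = {}
    for line in lines:
        m = PROCTITLE_RE.match(line)
        if m:
            titles[m.group("serial")] = decode_proctitle(m.group("hex"))
    # Pass 2: the denials themselves.
    denials = []
    for line in lines:
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "serial": m.group("serial"),
            "perms": set(m.group("perms").split()),
            "scontext": fields.get("scontext", ""),
            "tcontext": fields.get("tcontext", ""),
            "tclass": fields.get("tclass", ""),
            "comm": fields.get("comm", ""),
            # permissive=0 means the access was really blocked, not only logged
            "enforcing": fields.get("permissive") == "0",
            "argv": titles.get(m.group("serial"), []),
        })
    return denials


def summarize(denials):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    needed = defaultdict(set)
    for d in denials:
        stype = d["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = d["tcontext"].split(":")[2]
        needed[(stype, ttype, d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in needed.items()}


def perf_data_flags(argv):
    """Which hsperfdata-related JVM switches (comments 3 and 8) appear on the command line.
    A flag absent from a truncated PROCTITLE is not proof that it was not passed."""
    return {
        "use_perf_data_disabled": "-XX:-UsePerfData" in argv,
        "shared_mem_disabled": "-XX:+PerfDataDisableSharedMem" in argv,
    }


if __name__ == "__main__":
    records = parse_avc_records(SAMPLE_AUDIT_LOG)
    # Candidate rules in audit2allow style, for review only; not a fix to load blindly.
    for (stype, ttype, tclass), perms in sorted(summarize(records).items()):
        print(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    for r in records:
        if r["argv"]:
            print(r["serial"], r["argv"], perf_data_flags(r["argv"]))
```

On the records from this bug the summary collapses to two lines, tomcat_t on user_tmp_t dirs needing { add_name read } and on user_tmp_t files needing { create }, which shows why suppressing only the first { read } denial, as comment 37 describes, surfaces the next denial in the chain instead of resolving it; collecting the whole set in permissive mode, as comment 2 suggests, avoids that one-at-a-time discovery. The decoded command line confirms that neither perf-data switch was present in the quoted runs, with the caveat in the code that PROCTITLE is truncated.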

Comment 38 Sergey Orlov 2020-08-06 14:28:04 UTC
Small clarification to previous comment: only the original { read } failures were suppressed before the fix, and no other failures were seen.

Comment 41 Sergey Orlov 2020-08-07 10:50:17 UTC
Created attachment 1710783 [details]
AVC failures after ipa-server-install in permissive mode

Comment 42 Sergey Orlov 2020-08-07 10:51:03 UTC
Created attachment 1710784 [details]
AVC failures after ipactl restart in permissive mode

Comment 62 errata-xmlrpc 2020-11-04 01:57:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528