Description of problem:
Unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'

Version-Release number of selected component (if applicable):
ipa-server-4.8.7-7.module+el8.3.0+7376+c83e4fcd.x86_64
ipa-selinux-4.8.7-7.module+el8.3.0+7376+c83e4fcd.noarch
selinux-policy-3.14.3-49.el8.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[728]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.301' (uid=995 pid=32378 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jul 24 17:42:48 replica.testrelm.test dbus-daemon[32391]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul 24 17:42:49 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul 24 17:42:49 replica.testrelm.test platform-python[32372]: detected unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key'
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 54, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]:     resp = client.fetch_key(path, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]:     r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]:     raise HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]: requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://master.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93b2-4f5e-a3a3-ac6136915f95/2.16.840.1.101.3.4.1.2?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.fWFV5auRitWflK0fMB47Hj35pQirhDtsjgcEAQdteY_Qw0WylLpjtCIpIbpwXFVKo9A4Sp6SE5ziJGyT3_yxW8HTE6gBea1EZPJlY33gveufhCEp80gDpi0oDwS4uR0iYWUVPfdEKMfowcmseg7W9Q9nm9OP7g2LzcAKHUPPcBAlciPzdhVYnB-wJXMxBHE5jFjAurQYun0cDuyqURwn_6uoByyl4RmOLRGH4X7BMPDVZwYCF21Ae5NMy9DlvILlbkyBwKQuwInzvVAi6Yb5K9FUYvlywX0FAMWrFvYlq5x_kFYjNp0U9t6-gyQmmbjaa7BdnbZ4GNVd-dd8vUPzwA.FI_xg-UAYNTThGSwQQPkqw.B74SHXA0axK88CU0k9YYEVPBCR6Bbz3O0lfVveaP9WEqQ7UTBthTB1jcLmXtEXsuGqdDNRTqhxmw1BvmTQIs-lUmZO4riJlZyPZ3Biqm5YsvCa3RH69PrNy103lLygCKD7FUNesUmSfSxZhF31qE1b4xKTmfOt9Hi0GAz7jrLyWAzZhyfC0MkrAm_xpAa2ceXjUTKPLRM23VBmi9Qb8A7DGhwPzPJxL740vikfchPpK4r-GZFlKA24yDQOUnh7dqGVuAD2z4ycLLeAKWxB7YTD1PyQHuFe2odOiCJ9r8rtLblXu17kOZ1RIwhnbk5ma2ZZy2FPs5wATcqYjXe3F3Gue5kSu46u3MlpPmITbaYLCKPPo31r7RoG8ZnNdkXDYLrECgSBrnUA1YcxpQmfLg-ZxM02RcmUxi3d235j0amoGRmNQeu37qSvRuYxiOm36mZnwLbWlasd83jnYISzIoq_c0FLpWtZAhcuPYs9HuP1Njs8uPeEAuAoNciEGnR3P7-fTDt5z0m0uUg7Tl7PuyjncxgOkXO1GglsoCnsUOmtvKUju8AtRSwV_O4-5GEH7IAnkGHAXO5wN4pC763FQpNc40tBK1XvI8p3bIhlAqexjb6y_arlVtEKe_GdVu2RE8H4Jfhy3lAvodaZk85GZEf4OllyjyPftbOIakAG_ZvTeQ_o1OXtmC4ILNtCaF9-TZUuxBV7czLY9xRtIRNetglDcsSZhsx-KjHiOHbAtLYU97wQoTb9uCb9Y339YVASHgsjFmSuiYSIFGJA7uJSDumjwCk3HmHXp4e0bnRt8__LA.ay3AP4cXl-v8CBLRHGAJnPsJekrBFLku33DdPgko6Zw
Jul 24 17:42:49 replica.testrelm.test server[31444]: During handling of the above exception, another exception occurred:
Jul 24 17:42:49 replica.testrelm.test server[31444]: Traceback (most recent call last):
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 81, in <module>
Jul 24 17:42:49 replica.testrelm.test server[31444]:     main()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 71, in main
Jul 24 17:42:49 replica.testrelm.test server[31444]:     resp = client.fetch_key(keyname, store=False)
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
Jul 24 17:42:49 replica.testrelm.test server[31444]:     r.raise_for_status()
Jul 24 17:42:49 replica.testrelm.test server[31444]:   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
Jul 24 17:42:49 replica.testrelm.test server[31444]:     raise HTTPError(http_error_msg, response=self)
Jul 24 17:42:49 replica.testrelm.test server[31444]: requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://master.testrelm.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20b0394d40-93b2-4f5e-a3a3-ac6136915f95?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.feMDgxWiJcLX0oj8Riu9XlugM83_Uh-JIL_Wor8LWDQijFbQNOnAPctidyXHJtUq34uVJS_JS-0E7khZcvKLlp7zflY5XsR3JkkYP8-bOf2w6D9GLjUSTKhXBBZV5KBeyXAhARNoaURGc4UIn2qCwepzuxCIO86XNwoEncC09C6hxPXDO7Dn48p9BPVr_Jr43Mm2_IN72b4QqRw4pY_C484o8crT3KaoYD-THBT9KvLWx8BHZ938o8JukejH-2JkXXtiywsGypQXk6pbZeh1WPc8dPUP7GgiiJWa5f2lP9gxS8XiqlmAq7gkSWWNov4mX0I0dCyumIbqyR_EcptWMA.8FDmzkm7CbQz6Ka9ENQ3dQ.0Fr9ir33n-eUsfdsgBRnYTrdyQeIkg44D8_QCTCYXP1KOhEbDDI4zU5klYmtZtGCdu0VcH9lvlUbxVsoZ21dbNr8y_hqaKrLrwL4LGllZhsRYHZn6BfaE9ZjLe5MZu0aQrCUf6yZDtng_LPLQQRbvIk0bILfuRSauAELP4-ehQRb6NqhFV1rGA5vi0o76oUsL65hRwAkG6zPQqyeaKtNanVkDtCDA1R4iG1qrDO3Lwj-yvtUKY-L7h9mEwLAXhfbRWSfqQxJYDaty2X6TkMvQuRA9n_BJVW9pXLuRhItG3jpjQrHa3V8lDZA-vGNKGtXcz_iSamjeXEoMyzsPLCLEyG9dP07_qOoaH28X2cKuXpd6UQutSvse0qKKzSCeophsXjgxOi2YBUqRGjBqqLfV6PJTlkNGqAGwqWcJVXjnKMQRrPAnRuaEfPD3DLKqa1wFM1xbkF7tvM208oj6JoaKA13Y3f0H791yC9gg5g3BzMVFjY9K8_uRI2XB9m6y6LxJXC_Kc86Ds4_ClWOf0iJvYvnVPtmCJBpb7FkCe65U7HsaHQXmd_2sghgo0DiNinBMrn8t-gm_AR9kqYj-gURMFFwx6KFILOxdBATIU9ySh4k7jiSRnjshJ0qtL7vCwyhN9uGdzqmg9XHNCRvFphhKoLDSKKMD5CCDq_u2RBLNLHzzZt8crG52mnOC14aBqK9zMuHijSldUhp-EV1VQ6kMowAfVMkQdFsZBWh_veQh7F3eafxy3tdwXuQyTDB759K.bo97qxXB4ECBnD_D69KKF3wb_org0_5Qgiq0JpiqDjc
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Activating service name='org.freedesktop.problems' requested by ':1.305' (uid=0 pid=32418 comm="/usr/libexec/platform-python /usr/bin/abrt-action-" label="system_u:system_r:abrt_t:s0-s0:c0.c1023") (using servicehelper)
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[32420]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jul 24 17:42:50 replica.testrelm.test dbus-daemon[728]: [system] Successfully activated service 'org.freedesktop.problems'
Jul 24 17:42:50 replica.testrelm.test abrt-server[32394]: /bin/sh: reporter-systemd-journal: command not found
Jul 24 17:42:50 replica.testrelm.test setroubleshoot[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5. For complete SELinux messages run: sealert -l e3514db6-a4fb-4acc-ac69-03e17e028844
Jul 24 17:42:50 replica.testrelm.test platform-python[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5.

Expected results:

Additional info:
Jul 24 17:43:04 replica.testrelm.test setroubleshoot[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5. For complete SELinux messages run: sealert -l e3514db6-a4fb-4acc-ac69-03e17e028844
Jul 24 17:43:04 replica.testrelm.test platform-python[32378]: SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ipa-pki-retriev' --raw | audit2allow -M my-ipapkiretriev
# semodule -X 300 -i my-ipapkiretriev.pp
(In reply to Sudhir Menon from comment #3)
> Jul 24 17:43:04 replica.testrelm.test setroubleshoot[32378]: SELinux is
> preventing /usr/libexec/platform-python3.6 from search access on the
> directory krb5.
> For complete SELinux messages run: sealert -l
> e3514db6-a4fb-4acc-ac69-03e17e028844
> Jul 24 17:43:04 replica.testrelm.test platform-python[32378]: SELinux is
> preventing /usr/libexec/platform-python3.6 from search access on the
> directory krb5.
> *****  Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that platform-python3.6 should be allowed search access on
> the krb5 directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'ipa-pki-retriev' --raw | audit2allow -M my-ipapkiretriev
> # semodule -X 300 -i my-ipapkiretriev.pp

Sudhir,

Can you try this manually with steps? If reproducible with manual steps, please share the steps.
Reproduce Steps:

Master:
[root@master alias]# ipa ca-add test_subca_master --subject 'cn=test_subca_master' --desc='subca'
[root@master alias]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca d156a636-121b-4ed5-a2e0-14dc3d1ebcd0 u,u,u

Replica:
[root@replica alias]# ipa ca-find
  Name: test_subca_master
  Description: subca
  Authority ID: d156a636-121b-4ed5-a2e0-14dc3d1ebcd0
  Subject DN: CN=test_subca_master
  Issuer DN: CN=Certificate Authority,O=RHEL83.TEST

[root@replica alias]# ipa ca-add test_subca_replica --subject 'cn=test_subca_replica' --desc='subca'
[root@replica alias]# ipa ca-find
  Name: test_subca_replica
  Description: subca
  Authority ID: 5f3fd4d8-5d22-4f97-92c4-a49e31edef5c
  Subject DN: CN=test_subca_replica
  Issuer DN: CN=Certificate Authority,O=RHEL83.TEST

[root@replica alias]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca 5f3fd4d8-5d22-4f97-92c4-a49e31edef5c u,u,u

[root@replica alias]# certutil -d . -L -n 'caSigningCert cert-pki-ca d156a636-121b-4ed5-a2e0-14dc3d1ebcd0'
certutil: Could not find cert: caSigningCert cert-pki-ca d156a636-121b-4ed5-a2e0-14dc3d1ebcd0
: PR_FILE_NOT_FOUND_ERROR: File not found

[root@replica alias]# ausearch -m AVC
time->Thu Aug 13 16:36:52 2020
type=PROCTITLE msg=audit(1597316812.733:836): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D49002F7573722F6C6962657865632F6970612F6970612D706B692D72657472696576652D6B65790063615369676E696E674365727420636572742D706B692D63612064313536613633362D313231622D346564352D613265302D3134646333643165
type=SYSCALL msg=audit(1597316812.733:836): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fc20814360 a2=0 a3=0 items=0 ppid=31417 pid=31469 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ipa-pki-retriev" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1597316812.733:836): avc:  denied  { search } for  pid=31469 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=33907336 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

[root@replica alias]# cat /var/log/messages
Aug 13 16:37:00 vm-idm-026 server[31417]: Traceback (most recent call last):
Aug 13 16:37:00 vm-idm-026 server[31417]:   File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 54, in main
Aug 13 16:37:00 vm-idm-026 server[31417]:     resp = client.fetch_key(path, store=False)
Aug 13 16:37:00 vm-idm-026 server[31417]:   File "/usr/lib/python3.6/site-packages/ipaserver/secrets/client.py", line 120, in fetch_key
Aug 13 16:37:00 vm-idm-026 server[31417]:     r.raise_for_status()
Aug 13 16:37:00 vm-idm-026 server[31417]:   File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
Aug 13 16:37:00 vm-idm-026 server[31417]:     raise HTTPError(http_error_msg, response=self)
Aug 13 16:37:00 vm-idm-026 server[31417]: requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://master.rhel83.test/ipa/keys/ca_wrapped/caSigningCert%20cert-pki-ca%20d156a636-121b-4ed5-a2e0-14dc3d1ebcd0/2.16.840.1.101.3.4.1.2?type=kem&value=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOm51bGx9.EeBh-exmW-pDOWiwkVBt8xE9RS9g-Ffb0QO_XhpzmebAalrN0R53z0TOG0QnQ3tNtayXRHMG_et1eDqFV0PYpuvw1BBqhBnWxaTZxcAeHDBzFVwW6K6AwJ8w-A2pvuFFM4iehwEoqebqkHeI41bqfrRkEPVSOYC_aOljgCezfmMCbl7or2qctKDVUnURhUQOAXDU4atVBHOg8pkkMqtR6_7DZ5S960Y9HlTiUln_IMpzZ0yqMrPd8CKYij0xrAlr8mmg4Kdbn4syu6F00UHO5ENUVlqeVsSvf4xUWcSP7abpZ1P76ZDAM9IF-igo6nHiOP3mJFs5auPH7SUswU16eg.Fg-gC97LXlYEglZKxIgPJQ.T9iVxzHGeL8DNnoGWUuIaWkWepbmY0oP5LUzB7y7zDy-JGeJDz-FaBJVTx1Z9gKwxQyOyzZP9u8NP3-smLGTfAe-qK9O54DHdj1wMnSrv4_kgqeZu7_82-myVJYmyaJL7WrE_o688mD8TTcN15o5KCEJSs3Eo3-a-dfRAtkD8zYydgrcGetkcNf1V31eUgWq8o8aOSK4en4BiSxa0B3W5dxgVpv4PAkuc5nbqcGEX1JuxqykByvMlRKyOkQhGDaO2v29v9R9qpKOd_2YhTwjo7fDy7ZWhSDNgVbOgGO8yMvz6LqrMazhFS5NHzNQr4wX_TP4uTzJIh2dOzPkNOOKnehDXBI-q6ZGArHy07e1J7rfG2GodyZNxoEVCOW6Z3Q-7WOll9tAJuS4Q9H67P3mv1bsgMgkFGBGX568lt7dDNJPtwkycAyZW-J4p7l2aMGtpxgnyys8vB9avEmkGZTJ8MU5RoDPEeSPw-T82-Cg04u3aoZYXNXNzo3-eHJttq9l_Af5jUxYHZSdTKGvSRaUnywfomtHmLLEvkaW7xDyq8EK2SseQtrts2wvM3hN2RL9dAVYn2pjWHIZzVIBhHJHBRTGSfxom6_is0B9ULHNgnC9IK31kQTTadcQHhfsbpGONH7SK4fEouOCe0R8_4qdI5g1_s8wScoHL7AVH71L6R2ifpSUxTvoe12KKYTnqhX1faxF2u-dWopqVTwicBxWRkfigSieMocq1GAZI0YdjoxkXArCIGRBB6KQC_ysDfW83wVxmpxlGtnXohr9q3rVqA.SDnFby8462I1AwxuAGjYvAVJav1l4xRKfbVWJwkVuL8
Sudhir,

Could you reproduce the issue with SELinux set to Permissive on both VMs and post the results e.g. "ausearch -m AVC"? There might be more than one AVC there but in Enforcing mode the first AVC will hide the others.

Thank you,
François
Minimal reproducer:

* on master:
$ kinit admin
$ ipa ca-add test_subca_master --subject cn=test_subca_master --desc subca
$ ipa ca-show test_subca_master

* on replica:
$ kinit admin
$ ipa ca-show test_subca_master
$ /usr/bin/certutil -d /etc/pki/pki-tomcat/alias -L -n "caSigningCert cert-pki-ca <ID>"
$ echo $?

The following module on the master side fixes the issue:

#################
module local 1.0;

require {
    type pki_tomcat_cert_t;
    type ipa_custodia_t;
    type node_t;
    class tcp_socket { bind create node_bind };
    class process execmem;
    class file { create unlink };
    class dir remove_name;
}

#============= ipa_custodia_t ==============
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
#################

There are remaining AVCs on the master:

type=AVC msg=audit(1599232734.116:171): avc: denied { read } for pid=2020 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232734.117:172): avc: denied { map } for pid=2020 comm="java" path="/tmp/hsperfdata_pkiuser/2020" dev="dm-0" ino=9534196 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232734.801:173): avc: denied { read } for pid=2020 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232734.801:174): avc: denied { read } for pid=2020 comm="java" name="ipv6_route" dev="proc" ino=4026532231 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232734.801:175): avc: denied { read } for pid=2020 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232735.032:176): avc: denied { read } for pid=2020 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232735.032:177): avc: denied { read } for pid=2020 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232735.032:178): avc: denied { read } for pid=2020 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232736.514:179): avc: denied { read } for pid=2045 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232736.515:180): avc: denied { map } for pid=2045 comm="java" path="/tmp/hsperfdata_pkiuser/2045" dev="dm-0" ino=9534196 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_custodia_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232737.665:181): avc: denied { read } for pid=2045 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232737.665:182): avc: denied { read } for pid=2045 comm="java" name="ipv6_route" dev="proc" ino=4026532231 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232737.665:183): avc: denied { read } for pid=2045 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232737.880:184): avc: denied { read } for pid=2045 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232737.880:185): avc: denied { read } for pid=2045 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232737.880:186): avc: denied { read } for pid=2045 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0

And on the replica:

type=AVC msg=audit(1599232733.330:92): avc: denied { search } for pid=1837 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232733.344:93): avc: denied { search } for pid=1837 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232733.411:94): avc: denied { search } for pid=1837 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232733.422:95): avc: denied { search } for pid=1837 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

I'll work on adapting FreeIPA's SELinux policy so that this works OOTB.
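To make the relation between the AVC lists and the local module above concrete, here is an added example (not the report's or FreeIPA's code, and not audit2allow itself) that aggregates AVC records into the allow rules they imply and reports which of them the module already grants; the AVC records are copied from this report except the two marked as constructed.

```python
"""Aggregate SELinux AVC denials into the allow rules they imply and report
which of them a local policy module already grants.  Added example for this
bug report: not FreeIPA code and not audit2allow.  AVC records are copied
from the report except the two marked constructed ('covered' and 'self' paths)."""
import re
from collections import defaultdict

# allow rules of the local module posted for the master side of this report
LOCAL_MODULE = """
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
"""

# master (ipa_custodia_t) and replica (tomcat_t) denials from the report;
# the last two records are constructed for this example
SAMPLE_AVCS = """
type=AVC msg=audit(1599232734.116:171): avc: denied { read } for pid=2020 comm="java" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232734.801:173): avc: denied { read } for pid=2020 comm="java" name="if_inet6" dev="proc" ino=4026532230 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232734.801:174): avc: denied { read } for pid=2020 comm="java" name="ipv6_route" dev="proc" ino=4026532231 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599232735.032:176): avc: denied { read } for pid=2020 comm="java" name="random" dev="devtmpfs" ino=9223 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1599232733.330:92): avc: denied { search } for pid=1837 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1599232700.000:1): avc: denied { create } for pid=1 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1599232700.000:2): avc: denied { bind } for pid=1 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bscontext='
                    r'(?P<sctx>\S+).*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\w+)')
RULE_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for m in AVC_RE.finditer(text):
        # a context is user:role:type[:range]; TE rules only use the type
        key = (m['sctx'].split(':')[2], m['tctx'].split(':')[2], m['tclass'])
        needed[key].update(m['perms'].split())
    return dict(needed)


def parse_allow_rules(text):
    """Map (source, target, class) -> permissions granted by allow rules."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in RULE_RE.findall(text):
        granted[(src, tgt, cls)].update(perms.strip('{} ').split())
    return dict(granted)


def uncovered(needed, granted):
    """Denied permissions that no rule grants; 'self' rules match src == tgt."""
    remaining = {}
    for (src, tgt, cls), perms in needed.items():
        missing = perms - granted.get((src, 'self' if src == tgt else tgt, cls), set())
        if missing:
            remaining[(src, tgt, cls)] = missing
    return remaining


def render_rules(needed):
    """audit2allow-style allow lines, one per (source, target, class)."""
    lines = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        lines.append(f'allow {src} {"self" if src == tgt else tgt}:{cls} {perm_str};')
    return lines
```

`render_rules(uncovered(parse_avcs(SAMPLE_AVCS), parse_allow_rules(LOCAL_MODULE)))` lists the rules the module still lacks; the constructed `create` and `bind` records are reported as covered, which is the check a reviewer wants before loading a generated module.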
Fixed upstream master: https://pagure.io/freeipa/c/68328299c881df497dab32b145157d6e0e42d6c6
Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/438285470610dee4aa6a56523df22307840ede87
Upstream ticket: https://pagure.io/freeipa/issue/8488
Data points:
- upstream test results, SELinux in Enforcing mode, without the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/ea5f1404-f1dd-11ea-b70d-fa163e53827b/report.html
- upstream test results, SELinux in Enforcing mode, with the fix: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/a4c68fec-f1e9-11ea-ab26-fa163eef7a64/report.html

Complete diff: https://github.com/freeipa/freeipa/commit/68328299c881df497dab32b145157d6e0e42d6c6

No code change, only SELinux policy change.
Fixed upstream master:
https://pagure.io/freeipa/c/dfeea1644a35307d95a62fd47a71e9c97f20e066
https://pagure.io/freeipa/c/7823da0630379d642f4a19b3ae0c063963041a82
https://pagure.io/freeipa/c/ea9db4a9032b768486b0a93e4222a087053f87bb
https://pagure.io/freeipa/c/820beca4ac2aaa00a713e0bf5e50ecf79fe89dfc
https://pagure.io/freeipa/c/09816f4dbcb00e6c58754c2d74a6d8072e2871c3
https://pagure.io/freeipa/c/4b3c4b84d4ca80019d27a7643fcb1a03bb208072
https://pagure.io/freeipa/c/f774642b6384c5e2da644c1c812d8dd48946dacc
https://pagure.io/freeipa/c/2f2bce43108db5f1fa651a63eea38b33242495cf
Fixed upstream ipa-4-8:
https://pagure.io/freeipa/c/52929cbadf0252fcac1019b74663a2808061ea1b
https://pagure.io/freeipa/c/5a5962426d8174212f0b7efef1a9e53aaecb5901
https://pagure.io/freeipa/c/c126610ea6605a1ff36cecf2e2f5b2cb97130831
https://pagure.io/freeipa/c/310dbd6eec337f0747d73fa87363083a742fc5dc
https://pagure.io/freeipa/c/0518c63768b50973f3d3129547f5b4b95335f4a8
https://pagure.io/freeipa/c/25cf7af0d41bbd34621f37c95802675b42baeae9
https://pagure.io/freeipa/c/7ad04841245668e3126cb1718ef7ec1b744526e8
https://pagure.io/freeipa/c/6a31605c1d249416ed7627755bca23a1cc45a581
Fixed upstream master:
https://pagure.io/freeipa/c/7651d335b3fe7c644ae9b8de2590b315303375cf
https://pagure.io/freeipa/c/36c6a2e7493f8135b0adaaf1c056486a9d576c84
This bug has two root causes:
* IPA SELinux policy not allowing subca key replication to happen properly. This is fixed with the above commits.
* A race condition in nss that randomly causes rapid-fire subca creation/deletion to fail. This is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1881999#c2
Fixed upstream ipa-4-8: https://pagure.io/freeipa/c/58c3343a67a3922dcc84d3d4b1deca515c48a6f8
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670