RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1900979 - AVC denial for certmonger during IPA install
Summary: AVC denial for certmonger during IPA install
Keywords:
Status: CLOSED DUPLICATE of bug 1894132
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
high
unspecified
Target Milestone: rc
: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-11-24 06:52 UTC by Kaleem
Modified: 2021-02-26 11:53 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-02 14:25:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Kaleem 2020-11-24 06:52:42 UTC 
Description of problem:

Following AVC denial seen during IPA install with latest IPA build for RHEL8.4

time->Mon Nov 23 19:28:03 2020
type=PROCTITLE msg=audit(1606177683.382:1708): proctitle="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
type=PATH msg=audit(1606177683.382:1708): item=0 name="/run/lock/opencryptoki/LCK..APIlock" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606177683.382:1708): cwd="/"
type=SYSCALL msg=audit(1606177683.382:1708): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f55b6bfda48 a2=0 a3=0 items=1 ppid=33391 pid=33411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-rene" exe="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1606177683.382:1708): avc:  denied  { search } for  pid=33411 comm="dogtag-ipa-rene" name="opencryptoki" dev="tmpfs" ino=72945 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0
----
time->Mon Nov 23 19:28:14 2020
type=PROCTITLE msg=audit(1606177694.181:1709): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D705F5F5F6A726D6272002D2D65652D75726C00687474703A2F2F63692D766D2D31302D302D39382D3130312E746573747265616C6D2E746573743A383038302F6361
type=PATH msg=audit(1606177694.181:1709): item=0 name="/run/lock/opencryptoki/LCK..APIlock" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1606177694.181:1709): cwd="/"
type=SYSCALL msg=audit(1606177694.181:1709): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fa6e1219a48 a2=0 a3=0 items=1 ppid=33391 pid=33512 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1606177694.181:1709): avc:  denied  { search } for  pid=33512 comm="dogtag-submit" name="opencryptoki" dev="tmpfs" ino=72945 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
certmonger-0.79.7-15.el8.x86_64
ipa-selinux-4.8.7-12.module+el8.3.0+8223+6212645f.noarch
selinux-policy-3.14.3-56.el8.noarch
ipa-server-4.9.0-0.1.rc1.module+el8.4.0+8830+62cd648b.x86_64
opencryptoki-3.15.1-1.el8.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install IPA 

Actual results:
AVC denial seen 

Expected results:
No AVC denial should be there.
Comment 2 Rob Crittenden 2020-11-25 17:03:28 UTC 
The denials point to adding this policy to make the AVC go away (even in permissive).

allow certmonger_t pkcs_slotd_lock_t:dir search;

Note that IPA for a while now, without an AVC reported, has logged:

Nov 25 11:15:06 ipa.example.test dogtag-ipa-renew-agent-submit[10436]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

Even with a temporary policy in place this error is reported.

My test policy:

module cryptoki 1.0;

require {
        type certmonger_t;
        type pkcs_slotd_lock_t;
        class dir search;
}

#============= certmonger_t ==============
allow certmonger_t pkcs_slotd_lock_t:dir search;

So yes we can make the AVC go away but it has no practical effect AFAICT.

certmonger policy is managed by the selinux team.
Comment 3 Milos Malik 2020-12-02 13:48:46 UTC 
Above-mentioned SELinux denials are already reported in BZ#1894132.
Comment 4 Zdenek Pytela 2020-12-02 14:25:48 UTC 

*** This bug has been marked as a duplicate of bug 1894132 ***
Note You need to log in before you can comment on or make changes to this bug.