Bug 490233 - rhcs80alpha - selinux denies several accesses after a pkicreate
Status: CLOSED NOTABUG
Product: Dogtag Certificate System
Classification: Community
Component: SELinux
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2009-03-13 18:53 EDT by Marc Sauton
Modified: 2015-01-04 18:37 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-04-02 14:42:14 EDT

Description Marc Sauton 2009-03-13 18:53:43 EDT
When creating a second instance with pkicreate, SELinux in enforcing mode prevents it from starting by default; details below.

Linux ms2-cs8-1-64.sjc.redhat.com 2.6.18-128.el5xen #1 SMP Wed Dec 17 12:01:40 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux Server release 5.3 (Tikanga)

getenforce 
Enforcing

pki-selinux-8.0.0-3.alpha
redhat-pki-ca-ui-8.0.0-6.alpha
pki-common-8.0.0-9.alpha
pki-tps-8.0.0-14.alpha
pki-util-8.0.0-9.alpha
pki-kra-8.0.0-11.alpha
pki-setup-8.0.0-9.alpha
redhat-pki-kra-ui-8.0.0-5.alpha
pki-java-tools-8.0.0-10.alpha
redhat-pki-ra-ui-8.0.0-8.alpha
pki-ca-8.0.0-11.alpha
redhat-pki-ocsp-ui-8.0.0-5.alpha
redhat-pki-common-ui-8.0.0-10.alpha
pki-ocsp-8.0.0-11.alpha
pki-ra-8.0.0-13.alpha
pki-native-tools-8.0.0-9.alpha
pki-tks-8.0.0-11.alpha
redhat-pki-tps-ui-8.0.0-11.alpha
redhat-pki-tks-ui-8.0.0-4.alpha


Trying to add a second CA instance using pkicreate, like this:

pkicreate -pki_instance_root=/var/lib     \
          -pki_instance_name=pki-subca1      \
          -subsystem_type=ca              \
          -agent_secure_port=10543         \
          -ee_secure_port=10443            \
          -admin_secure_port=10545         \
          -unsecure_port=1080             \
          -tomcat_server_port=10801        \
          -user=pkiuser                   \
          -group=pkiuser                  \
          -verbose


and the ports are only used for this instance:

semanage port -l | egrep "10543 |  10443 | 10545 | 1080 | 10801"
pki_ca_port_t                  tcp      10545, 10543, 10801, 1080, 9180, 9701, 9443, 9444, 9445


catalina.out:
Mar 13, 2009 2:18:32 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start: 
LifecycleException:  service.getName(): "CatalinaEE";  Protocol handler start failed: java.net.BindException: Could not bind to address: (-5966) Access Denied.:10443
        at org.apache.catalina.connector.Connector.start(Connector.java:1097)
        at org.apache.catalina.core.StandardService.start(StandardService.java:457)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Mar 13, 2009 2:18:32 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 12619 ms


system:
13762.main - [13/Mar/2009:14:18:32 PDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
13762.main - [13/Mar/2009:14:18:32 PDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value


/var/log/messages

Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 6034218a-ee75-43f8-a8bd-b440a0191e73
Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9d7f86c8-a64a-4554-80c7-eac5b26eaa2d
Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 07377148-c472-4151-bd26-cd44d50ea15a
Mar 13 14:18:17 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9d7f86c8-a64a-4554-80c7-eac5b26eaa2d
Mar 13 14:18:19 ms2-cs8-1-64 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_bind" to <Unknown> (pki_kra_port_t). For complete SELinux messages. run sealert -l 31af94d6-c39a-42bf-b49c-022029102d10

sealert -l 31af94d6-c39a-42bf-b49c-022029102d10|less

Summary:

SELinux is preventing java (pki_ca_t) "name_bind" to <Unknown> (pki_kra_port_t).

Detailed Description:

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:pki_ca_t
Target Context                system_u:object_r:pki_kra_port_t
Target Objects                None [ tcp_socket ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          10443
Host                          ms2-cs8-1-64.sjc.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-1.0.b12.el5.2
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ms2-cs8-1-64.sjc.redhat.com
Platform                      Linux ms2-cs8-1-64.sjc.redhat.com
                              2.6.18-128.el5xen #1 SMP Wed Dec 17 12:01:40 EST
                              2008 x86_64 x86_64
Alert Count                   2
First Seen                    Fri Mar 13 14:18:19 2009
Last Seen                     Fri Mar 13 14:18:32 2009
Local ID                      31af94d6-c39a-42bf-b49c-022029102d10
Line Numbers                  

Raw Audit Messages            

host=ms2-cs8-1-64.sjc.redhat.com type=AVC msg=audit(1236979112.453:178): avc:  denied  { name_bind } for  pid=13763 comm="java" src=10443 scontext=root:system_r:pki_ca_t:s0 tcontext=system_u:object_r:pki_kra_port_t:s0 tclass=tcp_socket

host=ms2-cs8-1-64.sjc.redhat.com type=SYSCALL msg=audit(1236979112.453:178): arch=c000003e syscall=49 success=no exit=-13 a0=5f a1=40fb1d20 a2=10 a3=1 items=0 ppid=1 pid=13763 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=root:system_r:pki_ca_t:s0 key=(null)
Comment 1 Marc Sauton 2009-03-13 20:25:51 EDT
Added another instance, and it worked, so not sure what went wrong in the previous example.

getenforce
Enforcing

netstat -anp| egrep "30543 |  30443 | 30545 | 3080 | 30801"
semanage port -l | egrep "30543 |  30443 | 30545 | 3080 | 30801"

pkicreate -pki_instance_root=/var/lib     \
          -pki_instance_name=pki-subca2      \
          -subsystem_type=ca              \
          -agent_secure_port=30543         \
          -ee_secure_port=30443            \
          -admin_secure_port=30545         \
          -unsecure_port=3080             \
          -tomcat_server_port=30801        \
          -user=pkiuser                   \
          -group=pkiuser                  \
          -verbose

PKI service(s) are available at https://ms2-cs8-1-64.sjc.redhat.com:30543
/sbin/service pki-subca2 start | stop | restart
https://ms2-cs8-1-64.sjc.redhat.com:30443/ca/admin/console/config/login?pin=8WBc6B8madoqCCzRm6y7

semanage port -l | egrep "30543 |  30443 | 30545 | 3080 | 30801"
pki_ca_port_t                  tcp      30545, 30443, 30543, 30801, 3080, 20545, 20443, 20543, 20801, 2080, 9180, 9701, 9443, 9444, 9445
Comment 2 Ade Lee 2009-03-16 10:55:52 EDT
So, what appears to have happened in the first case is that you used the port 10443 (which failed because it was already defined as pki_kra_port_t). Did you get an error message in pkicreate?

Notice that your semanage port -l does not show 10443. That's weird, because I would have expected 10443 to show up as type pki_kra_port_t.
Comment 3 Marc Sauton 2009-03-16 15:37:58 EDT
Correct, that was a mistake on my part. I do not remember if there were errors with the previous pkicreate; it got me as semanage port -l did not show 10443.
Maybe there is room for improvement with pkicreate:
I ran pkicreate and asked it to use already bound, existing TCP ports; pkicreate just went through as if nothing was wrong. The only error was:
/usr/sbin/semanage: Port tcp/10443 already defined
Error in setting selinux context pki_ca_port_t for 10443
Comment 4 Ade Lee 2009-03-16 17:21:54 EDT
Well -- that is an error!

You are supposed to check that errors do not happen during the pkicreate.

I can't really make the pkicreate fail more spectacularly, because this server will start up on a system where selinux is running in permissive mode.
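Comment 4 expects the caller to catch the semanage error before the instance ever tries to bind; the following pre-flight check, added here as an example and not code from the bug report or from pki-setup, parses "semanage port -l" style output (a constructed sample is embedded) and flags any requested port already labelled with a type other than the wanted one. The helper names classify_port and check_ports are hypothetical.

```shell
# Pre-flight check for pkicreate port labels (example added here, not code from
# the bug report or from pki-setup). Parses "semanage port -l" style output and
# classifies each requested TCP port as "free", "ok" (already the wanted type)
# or "conflict:<type>", the case behind "Port tcp/10443 already defined" above.

# classify_port WANTED_TYPE PORT  (reads semanage output on stdin)
classify_port() {
    awk -v wanted="$1" -v port="$2" '
        $2 == "tcp" {
            type = $1
            # fields 3..NF are "N," or "N-M," entries; strip the trailing comma
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                lo = p; hi = p
                if (p ~ /-/) { split(p, r, "-"); lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    if (type == wanted) { print "ok" } else { print "conflict:" type }
                    found = 1; exit
                }
            }
        }
        END { if (!found) print "free" }'
}

# Constructed sample in the layout of "semanage port -l" on the reporter's host
# (10443 labelled pki_kra_port_t as in the AVC; the range line is made up).
SAMPLE='SELinux Port Type              Proto    Port Number
pki_ca_port_t                  tcp      10545, 10543, 10801, 1080, 9180, 9701, 9443, 9444, 9445
pki_kra_port_t                 tcp      10443
pki_ra_port_t                  tcp      12888-12889
http_port_t                    udp      80'

# check_ports WANTED_TYPE PORT...  -> exit 0 if nothing conflicts, 1 otherwise
check_ports() {
    wanted=$1; shift; rc=0
    for p in "$@"; do
        res=$(printf '%s\n' "$SAMPLE" | classify_port "$wanted" "$p")
        echo "tcp/$p -> $res"
        case $res in conflict:*) rc=1 ;; esac
    done
    return $rc
}

# The port set from the first pkicreate in the report: 10443 should be flagged.
if check_ports pki_ca_port_t 10543 10443 10545 1080 10801; then
    echo "all ports free or already pki_ca_port_t"
else
    echo "conflicting label(s): fix with semanage before running pkicreate"
fi
```

On a real host, replace the embedded SAMPLE with the live output of "semanage port -l". Note also that the egrep patterns quoted in this report require a space after each port number while semanage separates ports with ", ", so only the last alternative (10801, with no trailing space) could ever match, which is why the line holding 10443 never appeared.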
Comment 5 Ade Lee 2009-04-02 14:42:14 EDT
Closing after discussion with Marc.
