Bug 495212 - SElinux issues
SElinux issues
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: SELinux (Show other bugs)
unspecified
All Linux
urgent Severity medium
: ---
: ---
Assigned To: Ade Lee
Chandrasekar Kannan
:
Depends On:
Blocks: 443788
  Show dependency treegraph
 
Reported: 2009-04-10 08:54 EDT by Chandrasekar Kannan
Modified: 2015-01-04 18:37 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:34:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chandrasekar Kannan 2009-04-10 08:54:23 EDT
From kashyap

-- for pki-ca installation, the following selinux alerts are noticed

Apr  2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 59af922a-948b-47f3-aacb-6221948498b6
Apr  2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781
Apr  2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 647716b7-5dff-4cc6-9d02-2227ef87c70a
Apr  2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781

---------------------------


-- for pki-tks installation, the following selinux alerts are noticed

pr  2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 3b7a221f-4e17-4f0d-a471-5cb1ed046af4
Apr  2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4d596b15-c4fc-4c7b-bb53-9d7e2473a038
Apr  2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4eb92085-1623-461e-b06c-a8e4edadca2b
Apr  2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4d596b15-c4fc-4c7b-bb53-9d7e2473a038


-------------------------------


-- for pki-ocsp installation, the following selinux alerts are noticed


Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 4dfa770d-00dd-4738-a7f3-e4af5b61c0d2
Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 4dfa770d-00dd-4738-a7f3-e4af5b61c0d2
Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 277e9040-89c3-48a6-ae76-1f3b06ddf19a
Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9a2c5e54-3da7-47c7-a7cd-159a8c49300f
Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 3476b067-6997-4b47-b48b-ce660c9fe71e
Apr  2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9a2c5e54-3da7-47c7-a7cd-159a8c49300f

-----------------------------


-- for pki-kra installation, the following selinux alerts are noticed


Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 0660ca9c-cc5b-42f3-86be-adda01ffdcd6
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 3b99cf36-8362-4c45-8177-2895db811514
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 0660ca9c-cc5b-42f3-86be-adda01ffdcd6
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 3b99cf36-8362-4c45-8177-2895db811514
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l c6a815b5-54d0-499f-9438-7dded89c1a1a
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 87fa62a1-3aee-475d-a29d-01503598d128
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l abf40fa6-956f-4332-924a-74cf2c59db84
Apr  2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 87fa62a1-3aee-475d-a29d-01503598d128



=============================================================
from martin poole ..

Just installed a brand new machine with GUI to give clean environment to 
confirm install cert problems I see the following SELinux errors logged 
during the install.


Apr  9 15:40:22 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
800e0753-83fb-426d-9dec-36ce49280b48
Apr  9 15:40:22 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l ecc78bcd-2049-4b16-b47f-9e0376bc4650
Apr  9 15:40:26 host-51 yum: Installed: pki-ocsp-8.0.0-12.beta.noarch
Apr  9 15:40:33 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr  9 15:40:33 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e
Apr  9 15:40:37 host-51 yum: Installed: pki-ca-8.0.0-12.beta.noarch
Apr  9 15:40:44 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux 
messages. run sealert -l f75e8fa3-d6b2-4c49-98e9-fbbe561fd129
Apr  9 15:40:44 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
6df43d5b-617f-4589-9218-81f3e4cd0e77
Apr  9 15:40:44 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l d3f4e401-29f9-4c15-ba81-f23c47a3d452
Apr  9 15:40:49 host-51 yum: Installed: pki-tks-8.0.0-12.beta.noarch
Apr  9 15:40:55 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux 
messages. run sealert -l 186ea94f-1548-4fc3-a57d-179bddd727e9
Apr  9 15:40:55 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr  9 15:40:56 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr  9 15:40:56 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
962b7320-9d23-4c9f-96e7-24691b072998
Apr  9 15:40:56 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l 0e8048f7-a110-4e48-a672-6058c4b018fc



During restart of CA at end of wizard.

Apr  9 16:01:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr  9 16:01:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e
Apr  9 16:02:17 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr  9 16:02:17 host-51 setroubleshoot: SELinux is preventing java 
(pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e

During restart of KRA at end of wizard.

Apr  9 16:20:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux 
messages. run sealert -l 186ea94f-1548-4fc3-a57d-179bddd727e9
Apr  9 16:20:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr  9 16:20:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
962b7320-9d23-4c9f-96e7-24691b072998
Apr  9 16:20:40 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l 0e8048f7-a110-4e48-a672-6058c4b018fc
Apr  9 16:20:47 host-51 setroubleshoot: SELinux is preventing java 
(pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745

During restart of OCSP at end of wizard.

Apr  9 16:36:14 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "signull" to <Unknown> (pki_kra_t). For complete SELinux 
messages. run sealert -l 5cebdd96-d216-46dd-966f-9d794a9dd1b1
Apr  9 16:36:14 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 3933f73e-969c-4aea-a622-d0f66f6f33a9
Apr  9 16:36:14 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
800e0753-83fb-426d-9dec-36ce49280b48
Apr  9 16:36:14 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l ecc78bcd-2049-4b16-b47f-9e0376bc4650
Apr  9 16:36:21 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "signull" to <Unknown> (pki_kra_t). For complete SELinux 
messages. run sealert -l 5cebdd96-d216-46dd-966f-9d794a9dd1b1
Apr  9 16:36:21 host-51 setroubleshoot: SELinux is preventing java 
(pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux 
messages. run sealert -l 3933f73e-969c-4aea-a622-d0f66f6f33a9

During TKS restart after wizard.

Apr  9 16:45:16 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux 
messages. run sealert -l f75e8fa3-d6b2-4c49-98e9-fbbe561fd129
Apr  9 16:45:17 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar 
(rpm_var_lib_t). For complete SELinux messages. run sealert -l 
6df43d5b-617f-4589-9218-81f3e4cd0e77
Apr  9 16:45:17 host-51 setroubleshoot: SELinux is preventing java 
(pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux 
messages. run sealert -l d3f4e401-29f9-4c15-ba81-f23c47a3d452



=======================================================================
Comment 1 Ade Lee 2009-04-15 12:09:14 EDT
Changes to be added :

Index: ../../base/selinux/src/pki.te
===================================================================
--- ../../base/selinux/src/pki.te       (revision 389)
+++ ../../base/selinux/src/pki.te       (working copy)
@@ -13,12 +13,12 @@
 files_type(pki_ca_tomcat_exec_t)
 
 pki_ca_template(pki_ca)
-allow pki_ca_t pki_kra_t:process signull;
-allow pki_ca_t pki_ocsp_t:process signull;
-allow pki_ca_t pki_tks_t:process signull;
 corenet_tcp_connect_pki_kra_port(pki_ca_t)
 corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
 
 attribute pki_kra_config;
 attribute pki_kra_executable;
 attribute pki_kra_var_lib;
@@ -32,7 +32,6 @@
 files_type(pki_kra_tomcat_exec_t)
 
 pki_ca_template(pki_kra)
-allow pki_kra_t pki_ca_t:process signull;
 corenet_tcp_connect_pki_ca_port(pki_kra_t)
 
 attribute pki_ocsp_config;
@@ -48,7 +47,6 @@
 files_type(pki_ocsp_tomcat_exec_t)
 
 pki_ca_template(pki_ocsp)
-allow pki_ocsp_t pki_ca_t:process signull;
 corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
 
 attribute pki_ra_config;
@@ -78,8 +76,6 @@
 files_type(pki_tks_tomcat_exec_t)
 
 pki_ca_template(pki_tks)
-allow pki_tks_t pki_ca_t:process signull;
-allow pki_tks_t pki_kra_t:process signull;
 corenet_tcp_connect_pki_ca_port(pki_tks_t)
 
 # needed for token enrollment, list /var/cache/tomcat5/temp
@@ -99,4 +95,23 @@
 
 pki_tps_template(pki_tps)
 
+#interprocess communication on process shutdown
+allow pki_ca_t pki_kra_t:process signull;
+allow pki_ca_t pki_ocsp_t:process signull;
+allow pki_ca_t pki_tks_t:process signull;
 
+allow pki_kra_t pki_ca_t:process signull;
+allow pki_kra_t pki_ocsp_t:process signull;
+allow pki_kra_t pki_tks_t:process signull;
+
+allow pki_ocsp_t pki_ca_t:process signull;
+allow pki_ocsp_t pki_kra_t:process signull;
+allow pki_ocsp_t pki_tks_t:process signull;
+
+allow pki_tks_t pki_ca_t:process signull;
+allow pki_tks_t pki_kra_t:process signull;
+allow pki_tks_t pki_ocsp_t:process signull;
+

Index: ../../base/selinux/src/pki.if
===================================================================
--- ../../base/selinux/src/pki.if       (revision 389)
+++ ../../base/selinux/src/pki.if       (working copy)
@@ -37,6 +37,7 @@
                attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
                type pki_ca_tomcat_exec_t;
                type $1_port_t;
+                type rpm_var_lib_t;
        ')
        ########################################
        #
@@ -93,6 +94,9 @@
        can_exec($1_t, $1_tomcat_exec_t)
         allow $1_t $1_tomcat_exec_t:file {getattr read};
 
+        #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar 
+        rpm_read_db($1_t)
+
        # Init script handling
        domain_use_interactive_fds($1_t)
Comment 2 Chandrasekar Kannan 2009-04-17 01:36:48 EDT
With selinux in permissive mode, I have configured these subsystems.

CA,TKS,TPS,DRM. I found these selinux messages in /var/log/messages.
Some are duplicates of what we have already seen. But some new. 

Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 5d8f8685-10b0-40ee-9c3c-a0bc2398d306
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 2d873fb8-89d0-4050-80b1-49322451addd
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l b06188d3-8dbe-48b8-8714-962d7f49bd89
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l 82a7bba7-5143-4cf3-8165-f5c952cb4300
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792 (usr_t). For complete SELinux messages. run sealert -l d9ea7bbb-6964-4c12-850d-64b9f100aa89
Apr 16 10:25:16 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 10:29:39 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 10:29:51 delta setroubleshoot: SELinux is preventing modutil (pki_ra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l c58787a2-01a6-481f-a6e9-328839c75f16
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing the java (pki_ocsp_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 7310745b-2d5e-4ece-b1d0-9077cf690503
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing java (pki_ocsp_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l b63f88e8-0ada-488f-8797-0d9003026837
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 46d8bd8f-8816-485a-8a2b-efde416143a8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l a50e8c72-2e12-4a56-828f-a02c058cf043
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l f97f32df-1032-4b77-84c5-ba6d8c616cf8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde (usr_t). For complete SELinux messages. run sealert -l 03086cee-1a2a-4a54-90c5-ef4bcac252ff
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l eb598e4b-d29a-47fa-b502-1df1f7a5cb63
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l 553e766c-a396-46db-b39b-8112a6eba65b
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l f55d79f3-d11d-460b-bd11-a05de0d69cc6
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e (usr_t). For complete SELinux messages. run sealert -l 213d2459-b59b-472f-ab2a-c401e8dc0052
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l d6b9bab4-ef0d-4009-b436-cfca99cbc99e
Apr 16 13:39:03 delta setroubleshoot: SELinux is preventing sslget (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 1e58edaf-887e-4a25-9ac4-c475c382d770
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l a468388d-965b-42f7-af0d-dfec0cd0d86f
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l af7781d8-fa45-497f-8ea1-8a3cc0f52f6a
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1 (usr_t). For complete SELinux messages. run sealert -l d3009a43-b821-4eff-8c5c-d988e29ca558
Apr 16 15:17:38 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:17:43 delta setroubleshoot: SELinux is preventing httpd.worker (pki_tps_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l 98e76d8e-2ba7-418f-bda8-fa933db453a0
Comment 3 Ade Lee 2009-04-17 10:16:05 EDT
I'm fixing all HSM related issues in 495157.

The issues indicated in this original bug posting have been addressed by the rules added above and checked into repo version 390 .

So, closing this one as modified.
Comment 4 Jenny Galipeau 2009-05-29 11:29:42 EDT
I am still seeing the following:

May 28 10:47:13 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 28 10:47:14 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:50 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:51 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 07:12:59 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c
May 29 07:14:21 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c
Comment 5 Ade Lee 2009-05-29 16:48:09 EDT
Additional Changes:

Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 504)
+++ base/selinux/src/pki.if     (working copy)
@@ -177,6 +177,9 @@
        allow $1_t self:unix_dgram_socket { write create connect };
        allow $1_t syslogd_t:unix_dgram_socket sendto;
 
+       #allow sending mail
+       corenet_tcp_connect_smtp_port($1_t)
+
 ')
 
 ########################################
@@ -487,7 +490,8 @@
 
         allow pki_tps_t lib_t:file execute_no_trans;
 
-        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
+        #fowner needed for chmod
+        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner};
         allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem};
         allow pki_tps_t self:sem all_sem_perms;
         allow pki_tps_t self:tcp_socket create_stream_socket_perms;
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te     (revision 504)
+++ base/selinux/src/pki.te     (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.7)
+policy_module(pki,1.0.8)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec     (revision 500)
+++ dogtag/selinux/pki-selinux.spec     (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      5
+%define base_release      6
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Fri May 29 2009 Ade Lee <alee@redhat.com> 1.1.0-6
+- Bugzilla Bug 495212 - selinux messages from startup/ install
 * Mon May 25 2009 Ade Lee <alee@redhat.com> 1.1.0-5
 - Bugzilla Bug 499242 -  selinux policy updates needed to ensure that CS works with lunasa hsm
 * Fri May 1 2009 Ade Lee <alee@redhat.com> 1.1.0-4
Comment 6 Ade Lee 2009-05-29 16:49:46 EDT
[builder@oliver pki]$ cd base; svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending        selinux/src/pki.if
Sending        selinux/src/pki.te
Transmitting file data ..
Committed revision 505.
[builder@oliver base]$ cd ../dogtag;  svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending        selinux/pki-selinux.spec
Transmitting file data .
Committed revision 506.
Comment 7 Jenny Galipeau 2009-06-04 09:34:02 EDT
No longer seeing any SElinux messages after installation,configuration and restart of CA and all sub systems.
Verified

Note You need to log in before you can comment on or make changes to this bug.