From kashyap -- for pki-ca installation, the following selinux alerts are noticed

Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 59af922a-948b-47f3-aacb-6221948498b6
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 647716b7-5dff-4cc6-9d02-2227ef87c70a
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781

---------------------------
-- for pki-tks installation, the following selinux alerts are noticed

Apr 2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 3b7a221f-4e17-4f0d-a471-5cb1ed046af4
Apr 2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4d596b15-c4fc-4c7b-bb53-9d7e2473a038
Apr 2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4eb92085-1623-461e-b06c-a8e4edadca2b
Apr 2 00:12:44 elu3 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 4d596b15-c4fc-4c7b-bb53-9d7e2473a038

-------------------------------
-- for pki-ocsp installation, the following selinux alerts are noticed

Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 4dfa770d-00dd-4738-a7f3-e4af5b61c0d2
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 4dfa770d-00dd-4738-a7f3-e4af5b61c0d2
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 277e9040-89c3-48a6-ae76-1f3b06ddf19a
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9a2c5e54-3da7-47c7-a7cd-159a8c49300f
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 3476b067-6997-4b47-b48b-ce660c9fe71e
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9a2c5e54-3da7-47c7-a7cd-159a8c49300f

-----------------------------
-- for pki-kra installation, the following selinux alerts are noticed

Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 0660ca9c-cc5b-42f3-86be-adda01ffdcd6
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 3b99cf36-8362-4c45-8177-2895db811514
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 0660ca9c-cc5b-42f3-86be-adda01ffdcd6
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 3b99cf36-8362-4c45-8177-2895db811514
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l c6a815b5-54d0-499f-9438-7dded89c1a1a
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 87fa62a1-3aee-475d-a29d-01503598d128
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/server/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l abf40fa6-956f-4332-924a-74cf2c59db84
Apr 2 00:22:53 elu3 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 87fa62a1-3aee-475d-a29d-01503598d128

=============================================================

from martin poole .. Just installed a brand new machine with GUI to give a clean environment to confirm install cert problems. I see the following SELinux errors logged during the install.

Apr 9 15:40:22 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 800e0753-83fb-426d-9dec-36ce49280b48
Apr 9 15:40:22 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l ecc78bcd-2049-4b16-b47f-9e0376bc4650
Apr 9 15:40:26 host-51 yum: Installed: pki-ocsp-8.0.0-12.beta.noarch
Apr 9 15:40:33 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr 9 15:40:33 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e
Apr 9 15:40:37 host-51 yum: Installed: pki-ca-8.0.0-12.beta.noarch
Apr 9 15:40:44 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l f75e8fa3-d6b2-4c49-98e9-fbbe561fd129
Apr 9 15:40:44 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 6df43d5b-617f-4589-9218-81f3e4cd0e77
Apr 9 15:40:44 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l d3f4e401-29f9-4c15-ba81-f23c47a3d452
Apr 9 15:40:49 host-51 yum: Installed: pki-tks-8.0.0-12.beta.noarch
Apr 9 15:40:55 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 186ea94f-1548-4fc3-a57d-179bddd727e9
Apr 9 15:40:55 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr 9 15:40:56 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr 9 15:40:56 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 962b7320-9d23-4c9f-96e7-24691b072998
Apr 9 15:40:56 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 0e8048f7-a110-4e48-a672-6058c4b018fc

During restart of CA at end of wizard.

Apr 9 16:01:40 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr 9 16:01:40 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e
Apr 9 16:02:17 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 88124fb8-e84c-4d1a-8eab-24d2dcca8815
Apr 9 16:02:17 host-51 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 9f697724-2d83-4862-8f17-28b0b0530d0e

During restart of KRA at end of wizard.

Apr 9 16:20:40 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l 186ea94f-1548-4fc3-a57d-179bddd727e9
Apr 9 16:20:40 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745
Apr 9 16:20:40 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 962b7320-9d23-4c9f-96e7-24691b072998
Apr 9 16:20:40 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 0e8048f7-a110-4e48-a672-6058c4b018fc
Apr 9 16:20:47 host-51 setroubleshoot: SELinux is preventing java (pki_kra_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 5ff3cace-3519-48a2-ae08-e665732eb745

During restart of OCSP at end of wizard.

Apr 9 16:36:14 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_kra_t). For complete SELinux messages. run sealert -l 5cebdd96-d216-46dd-966f-9d794a9dd1b1
Apr 9 16:36:14 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 3933f73e-969c-4aea-a622-d0f66f6f33a9
Apr 9 16:36:14 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 800e0753-83fb-426d-9dec-36ce49280b48
Apr 9 16:36:14 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l ecc78bcd-2049-4b16-b47f-9e0376bc4650
Apr 9 16:36:21 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_kra_t). For complete SELinux messages. run sealert -l 5cebdd96-d216-46dd-966f-9d794a9dd1b1
Apr 9 16:36:21 host-51 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 3933f73e-969c-4aea-a622-d0f66f6f33a9

During TKS restart after wizard.

Apr 9 16:45:16 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "signull" to <Unknown> (pki_ocsp_t). For complete SELinux messages. run sealert -l f75e8fa3-d6b2-4c49-98e9-fbbe561fd129
Apr 9 16:45:17 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 6df43d5b-617f-4589-9218-81f3e4cd0e77
Apr 9 16:45:17 host-51 setroubleshoot: SELinux is preventing java (pki_tks_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l d3f4e401-29f9-4c15-ba81-f23c47a3d452

=======================================================================
Changes to be added : Index: ../../base/selinux/src/pki.te =================================================================== --- ../../base/selinux/src/pki.te (revision 389) +++ ../../base/selinux/src/pki.te (working copy) @@ -13,12 +13,12 @@ files_type(pki_ca_tomcat_exec_t) pki_ca_template(pki_ca) -allow pki_ca_t pki_kra_t:process signull; -allow pki_ca_t pki_ocsp_t:process signull; -allow pki_ca_t pki_tks_t:process signull; corenet_tcp_connect_pki_kra_port(pki_ca_t) corenet_tcp_connect_pki_ocsp_port(pki_ca_t) attribute pki_kra_config; attribute pki_kra_executable; attribute pki_kra_var_lib; @@ -32,7 +32,6 @@ files_type(pki_kra_tomcat_exec_t) pki_ca_template(pki_kra) -allow pki_kra_t pki_ca_t:process signull; corenet_tcp_connect_pki_ca_port(pki_kra_t) attribute pki_ocsp_config; @@ -48,7 +47,6 @@ files_type(pki_ocsp_tomcat_exec_t) pki_ca_template(pki_ocsp) -allow pki_ocsp_t pki_ca_t:process signull; corenet_tcp_connect_pki_ca_port(pki_ocsp_t) attribute pki_ra_config; @@ -78,8 +76,6 @@ files_type(pki_tks_tomcat_exec_t) pki_ca_template(pki_tks) -allow pki_tks_t pki_ca_t:process signull; -allow pki_tks_t pki_kra_t:process signull; corenet_tcp_connect_pki_ca_port(pki_tks_t) # needed for token enrollment, list /var/cache/tomcat5/temp 
@@ -99,4 +95,23 @@ pki_tps_template(pki_tps) +#interprocess communication on process shutdown +allow pki_ca_t pki_kra_t:process signull; +allow pki_ca_t pki_ocsp_t:process signull; +allow pki_ca_t pki_tks_t:process signull; +allow pki_kra_t pki_ca_t:process signull; +allow pki_kra_t pki_ocsp_t:process signull; +allow pki_kra_t pki_tks_t:process signull; + +allow pki_ocsp_t pki_ca_t:process signull; +allow pki_ocsp_t pki_kra_t:process signull; +allow pki_ocsp_t pki_tks_t:process signull; + +allow pki_tks_t pki_ca_t:process signull; +allow pki_tks_t pki_kra_t:process signull; +allow pki_tks_t pki_ocsp_t:process signull; + Index: ../../base/selinux/src/pki.if =================================================================== --- ../../base/selinux/src/pki.if (revision 389) +++ ../../base/selinux/src/pki.if (working copy) @@ -37,6 +37,7 @@ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; type pki_ca_tomcat_exec_t; type $1_port_t; + type rpm_var_lib_t; ') ######################################## # @@ -93,6 +94,9 @@ can_exec($1_t, $1_tomcat_exec_t) allow $1_t $1_tomcat_exec_t:file {getattr read}; + #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar + rpm_read_db($1_t) + # Init script handling domain_use_interactive_fds($1_t)
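Review bot: the twelve `allow pki_X_t pki_Y_t:process signull;` rules appended at the end of pki.te (the `@@ -99,4 +95,23 @@` hunk) are a hand-written full mesh over the four tomcat domains, which is exactly the kind of list that drifts: the per-domain blocks removed earlier in this patch had already missed the pairs the logs show (pki_kra_t to pki_ocsp_t/pki_tks_t, pki_ocsp_t to pki_kra_t/pki_tks_t), and a fifth subsystem would need eight more lines. Consider declaring one attribute for the tomcat-based pki domains and writing the rule once over that attribute. signull only permits an existence probe of the peer process, so the widening is low risk, but the new comment should name the shutdown step that performs the probe so the rule can be reviewed later. Style: the pki_ca_t and pki_kra_t groups run together while the other groups are separated by a blank line.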
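Review bot: in the pki.if `@@ -37,6 +37,7 @@` hunk, `type rpm_var_lib_t;` is added to the template's gen_require block, but nothing in this diff references the type directly; the access is granted through `rpm_read_db($1_t)` in the later hunk. Unless a later change uses rpm_var_lib_t by name, drop the require line so the template does not advertise a dependency it does not use.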
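Review bot: `rpm_read_db($1_t)` in the pki.if `@@ -93,6 +94,9 @@` hunk gives every domain built from the template read access to everything labelled rpm_var_lib_t, which is the RPM database, in order to reach one jar. The denials show /var/lib/tomcat5/common/lib/jdtcore.jar and /var/lib/tomcat5/server/lib/jdtcore.jar carrying rpm_var_lib_t, an unusual label for a Tomcat library directory, so this looks like a file-labelling problem rather than a missing rule. The narrower fix is to check what the file contexts say the path should be (`matchpathcon`, `restorecon -n -v`) and fix the label or the packaging that produced it; if the rule has to stay, the comment should record that the label is the root cause so the rule can be removed once it is corrected.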
With SELinux in permissive mode, I have configured these subsystems: CA, TKS, TPS, DRM. I found these SELinux messages in /var/log/messages. Some are duplicates of what we have already seen, but some are new.

Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 5d8f8685-10b0-40ee-9c3c-a0bc2398d306
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 2d873fb8-89d0-4050-80b1-49322451addd
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l b06188d3-8dbe-48b8-8714-962d7f49bd89
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792.new (usr_t). For complete SELinux messages. run sealert -l 82a7bba7-5143-4cf3-8165-f5c952cb4300
Apr 16 10:23:33 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-914962497fc3b3db947043adb3ea00f1399ed792 (usr_t). For complete SELinux messages. run sealert -l d9ea7bbb-6964-4c12-850d-64b9f100aa89
Apr 16 10:25:16 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 10:27:53 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 10:29:31 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 10:29:39 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 10:29:51 delta setroubleshoot: SELinux is preventing modutil (pki_ra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l c58787a2-01a6-481f-a6e9-328839c75f16
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing the java (pki_ocsp_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 7310745b-2d5e-4ece-b1d0-9077cf690503
Apr 16 10:30:34 delta setroubleshoot: SELinux is preventing java (pki_ocsp_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l b63f88e8-0ada-488f-8797-0d9003026837
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 46d8bd8f-8816-485a-8a2b-efde416143a8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l a50e8c72-2e12-4a56-828f-a02c058cf043
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde.new (usr_t). For complete SELinux messages. run sealert -l f97f32df-1032-4b77-84c5-ba6d8c616cf8
Apr 16 12:34:58 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-ee412300c960526ca5d5cad02fa911a57fefddde (usr_t). For complete SELinux messages. run sealert -l 03086cee-1a2a-4a54-90c5-ef4bcac252ff
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing the java (pki_kra_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 021ea8f3-fde8-4c99-aa71-ff6ad1f46c81
Apr 16 12:36:14 delta setroubleshoot: SELinux is preventing java (pki_kra_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l f9a34096-84c2-47a0-9859-326f6554bf09
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l eb598e4b-d29a-47fa-b502-1df1f7a5cb63
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l 553e766c-a396-46db-b39b-8112a6eba65b
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e.new (usr_t). For complete SELinux messages. run sealert -l f55d79f3-d11d-460b-bd11-a05de0d69cc6
Apr 16 13:09:35 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-fb68ee50fbf33e72516a41ae79cfd97ab666d55e (usr_t). For complete SELinux messages. run sealert -l 213d2459-b59b-472f-ab2a-c401e8dc0052
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing the java (pki_tks_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 5b47513a-f83e-4009-b9be-f6b2b0415079
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 212ec482-3405-4f5f-bcac-03af1585172f
Apr 16 13:12:13 delta setroubleshoot: SELinux is preventing java (pki_tks_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l d6b9bab4-ef0d-4009-b436-cfca99cbc99e
Apr 16 13:39:03 delta setroubleshoot: SELinux is preventing sslget (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to ./local (usr_t). For complete SELinux messages. run sealert -l 1e58edaf-887e-4a25-9ac4-c475c382d770
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "write" to /opt/nfast/kmdata/local/key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l a468388d-965b-42f7-af0d-dfec0cd0d86f
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "remove_name" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1.new (usr_t). For complete SELinux messages. run sealert -l af7781d8-fa45-497f-8ea1-8a3cc0f52f6a
Apr 16 15:15:44 delta setroubleshoot: SELinux is preventing certutil (pki_tps_t) "unlink" to ./key_pkcs11_uc69b9d052b9027c934f6301689d6c94583b790601-336650d71df50a770f9f3789419ba82126bc99c1 (usr_t). For complete SELinux messages. run sealert -l d3009a43-b821-4eff-8c5c-d988e29ca558
Apr 16 15:17:38 delta setroubleshoot: SELinux is preventing modutil (pki_tps_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l ca64ef3b-56ac-4968-9eb2-e28d125849aa
Apr 16 15:17:43 delta setroubleshoot: SELinux is preventing httpd.worker (pki_tps_t) "connectto" to /dev/nfast/nserver (unconfined_t). For complete SELinux messages. run sealert -l 98e76d8e-2ba7-418f-bda8-fa933db453a0
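The denials quoted in the first comment and in this one all use the same one-line setroubleshoot shape, so the useful first step before touching policy is to collapse them into distinct (source domain, permission, target type) tuples together with the sealert ids that hold the full AVC record. Below is an added example written for this page (not part of Dogtag or pki-selinux) that parses both line shapes seen here, including the "from executing" form, over a constructed sample built from lines in this bug; the object class is deliberately left out because these one-liners do not carry it.

```python
# Hypothetical helper written for this page; it is not part of Dogtag/pki-selinux.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape 1: ... preventing <comm> (<sdomain>) "<perm>" to <target> (<ttype>).
PERM_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?:the )?(?P<comm>\S+) \((?P<scontext>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<target>.+?) \((?P<tcontext>\w+)\)\. For complete SELinux '
    r'messages\. run sealert -l (?P<id>[0-9a-f-]{36})')
# Shape 2: ... preventing the <comm> (<sdomain>) from executing <path>.  (no target type)
EXEC_RE = re.compile(
    r'setroubleshoot: SELinux is preventing the (?P<comm>\S+) \((?P<scontext>\w+)\) '
    r'from executing (?P<target>\S+)\. For complete SELinux '
    r'messages\. run sealert -l (?P<id>[0-9a-f-]{36})')


@dataclass(frozen=True)
class Denial:
    comm: str
    scontext: str
    perm: str
    target: str
    tcontext: Optional[str]  # None when the one-liner does not show the target type
    sealert_id: str


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a setroubleshoot line, None for any other syslog line."""
    m = PERM_RE.search(line)
    if m:
        return Denial(m['comm'], m['scontext'], m['perm'], m['target'],
                      m['tcontext'], m['id'])
    m = EXEC_RE.search(line)
    if m:
        # "from executing" is sealert's wording for a denied execute permission.
        return Denial(m['comm'], m['scontext'], 'execute', m['target'], None, m['id'])
    return None


def parse_log(text: str) -> List[Denial]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def summarize(denials: List[Denial]) -> Dict[Tuple[str, str, Optional[str]], dict]:
    # Key is (source domain, permission, target type). The object class is not in
    # these one-liners, so it is left out; `sealert -l <id>` shows the full AVC
    # record, and the ids are kept per group for that lookup.
    groups = defaultdict(lambda: {'count': 0, 'targets': set(), 'sealert_ids': set()})
    for d in denials:
        g = groups[(d.scontext, d.perm, d.tcontext)]
        g['count'] += 1
        g['targets'].add(d.target)
        g['sealert_ids'].add(d.sealert_id)
    return dict(groups)


# Constructed sample: six lines copied from this bug plus one unrelated syslog line.
SAMPLE_LOG = """\
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "getattr" to /var/lib/tomcat5/common/lib/jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 59af922a-948b-47f3-aacb-6221948498b6
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781
Apr 2 00:07:47 elu3 setroubleshoot: SELinux is preventing java (pki_ca_t) "read" to jdtcore.jar (rpm_var_lib_t). For complete SELinux messages. run sealert -l 5ec0e238-eb3e-4be5-b72f-3070876fc781
Apr 2 00:19:26 elu3 setroubleshoot: SELinux is preventing java (pki_ocsp_t) "signull" to <Unknown> (pki_tks_t). For complete SELinux messages. run sealert -l 4dfa770d-00dd-4738-a7f3-e4af5b61c0d2
Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing the java (pki_ca_t) from executing /opt/nfast/toolkits/pkcs11/libcknfast.so. For complete SELinux messages. run sealert -l 61f87c6f-7583-4078-8737-168a844422dd
Apr 16 10:21:41 delta setroubleshoot: SELinux is preventing java (pki_ca_t) "write" to nserver (device_t). For complete SELinux messages. run sealert -l 5d8f8685-10b0-40ee-9c3c-a0bc2398d306
Apr 16 10:21:42 delta crond[4242]: (root) CMD (run-parts /etc/cron.hourly)
"""


def main() -> None:
    for (sdom, perm, ttype), g in sorted(summarize(parse_log(SAMPLE_LOG)).items(),
                                         key=lambda kv: -kv[1]['count']):
        print(f"{g['count']:3d}  {sdom} -> {perm} on {ttype or '?'}: "
              f"{', '.join(sorted(g['targets']))}  [ids: {len(g['sealert_ids'])}]")


if __name__ == '__main__':
    main()
```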
I'm fixing all HSM-related issues in 495157. The issues indicated in this original bug posting have been addressed by the rules added above and checked into repo version 390. So, closing this one as modified.
I am still seeing the following:

May 28 10:47:13 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 28 10:47:14 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:50 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 05:04:51 qe-blade-11 setroubleshoot: SELinux is preventing chmod (pki_tps_t) "fowner" to <Unknown> (pki_tps_t). For complete SELinux messages. run sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2
May 29 07:12:59 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c
May 29 07:14:21 qe-blade-11 setroubleshoot: SELinux is preventing java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t). For complete SELinux messages. run sealert -l bac4cf2a-70d4-47dd-b05e-f1a1924bf60c
Additional Changes: Index: base/selinux/src/pki.if =================================================================== --- base/selinux/src/pki.if (revision 504) +++ base/selinux/src/pki.if (working copy) @@ -177,6 +177,9 @@ allow $1_t self:unix_dgram_socket { write create connect }; allow $1_t syslogd_t:unix_dgram_socket sendto; + #allow sending mail + corenet_tcp_connect_smtp_port($1_t) + ') ######################################## @@ -487,7 +490,8 @@ allow pki_tps_t lib_t:file execute_no_trans; - allow pki_tps_t self:capability { setuid sys_nice setgid dac_override }; + #fowner needed for chmod + allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner}; allow pki_tps_t self:process { setsched signal getsched signull execstack execmem}; allow pki_tps_t self:sem all_sem_perms; allow pki_tps_t self:tcp_socket create_stream_socket_perms; Index: base/selinux/src/pki.te =================================================================== --- base/selinux/src/pki.te (revision 504) +++ base/selinux/src/pki.te (working copy) @@ -1,4 +1,4 @@ -policy_module(pki,1.0.7) +policy_module(pki,1.0.8) attribute pki_ca_config; attribute pki_ca_executable; Index: dogtag/selinux/pki-selinux.spec =================================================================== --- dogtag/selinux/pki-selinux.spec (revision 500) +++ dogtag/selinux/pki-selinux.spec (working copy) @@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 5 +%define base_release 6 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions 
@@ -249,6 +249,8 @@ ############################################################################### %changelog +* Fri May 29 2009 Ade Lee <alee> 1.1.0-6 +- Bugzilla Bug 495212 - selinux messages from startup/ install * Mon May 25 2009 Ade Lee <alee> 1.1.0-5 - Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm * Fri May 1 2009 Ade Lee <alee> 1.1.0-4
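Review bot: `corenet_tcp_connect_smtp_port($1_t)` in the pki.if `@@ -177,6 +177,9 @@` hunk sits in the shared template, so every domain instantiated from it gains outbound SMTP, while the denials that motivated it (`java (pki_ca_t) "name_connect" to <Unknown> (smtp_port_t)`) come only from pki_ca_t. If only the CA sends notification mail, put the call in the CA block of pki.te, or gate it behind a boolean so deployments without mail notifications can leave it off, rather than granting it to all subsystems.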
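Review bot: in the pki.if `@@ -487,7 +490,8 @@` hunk, `fowner` added to the pki_tps_t capability set lets the domain change mode and ownership of files it does not own, and next to the `dac_override` already in that set it removes the last DAC check on any file the type rules reach. The comment says chmod but not which files; record the path once `sealert -l 3957d30c-1c40-4a9a-9415-473b3d2ccad2` gives it (the one-liner shows `<Unknown>`), and consider fixing ownership of that file at install time instead of widening the capability. Style: `dac_override fowner}` is missing the space before the closing brace that the removed line had.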
[builder@oliver pki]$ cd base; svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending selinux/src/pki.if
Sending selinux/src/pki.te
Transmitting file data ..
Committed revision 505.
[builder@oliver base]$ cd ../dogtag; svn ci -m "Bugzilla Bug 495212 - selinux messages from startup/ install" selinux
Sending selinux/pki-selinux.spec
Transmitting file data .
Committed revision 506.
No longer seeing any SELinux messages after installation, configuration and restart of the CA and all subsystems. Verified.