More SELinux AVCs when the CA is configured with ECC (x64):

[root@austin conf]# cat /var/log/audit/* | audit2allow

#============= pki_ca_t ==============
allow pki_ca_t usr_t:dir { write add_name };
allow pki_ca_t usr_t:file { write create };
[root@austin conf]#

-----------------------------------------------------------------------------

[root@austin user1]# sealert -l 3d7234dd-aef9-4d24-be5f-d18c79a3bace

Summary:

SELinux is preventing java (pki_ca_t) "write" to ./sbcppri.db (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./sbcppri.db,

restorecon -v './sbcppri.db'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                ./sbcppri.db [ dir ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          <Unknown>
Host                          austin.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     austin.pnq.redhat.com
Platform                      Linux austin.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 23 18:52:01 2009
Last Seen                     Tue Jun 23 18:52:01 2009
Local ID                      3d7234dd-aef9-4d24-be5f-d18c79a3bace
Line Numbers

Raw Audit Messages

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { write } for pid=22410 comm="java" name="sbcppri.db" dev=dm-0 ino=1114536 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { add_name } for pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { create } for pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.732:1041): arch=c000003e syscall=2 success=yes exit=106 a0=a994d80 a1=241 a2=180 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)

[root@austin user1]#

--------------------

[root@austin user1]# sealert -l 180b6a08-e114-4a3a-bf67-afb57c1debb0

Summary:

SELinux is preventing java (pki_ca_t) "write" to
/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000,

restorecon -v '/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                /usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000 [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          <Unknown>
Host                          austin.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     austin.pnq.redhat.com
Platform                      Linux austin.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jun 23 18:52:01 2009
Last Seen                     Tue Jun 23 18:52:01 2009
Local ID                      180b6a08-e114-4a3a-bf67-afb57c1debb0
Line Numbers

Raw Audit Messages

host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.736:1042): avc: denied { write } for pid=22410 comm="java" path="/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=1114543 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.736:1042): arch=c000003e syscall=1 success=yes exit=309 a0=6a a1=a981870 a2=135 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)

[root@austin user1]#

--------------------------
More AVCs with the new initpin from Certicom

=========================================

[root@rover conf]# cat /var/log/audit/* | audit2allow

#============= pki_ca_t ==============
allow pki_ca_t usr_t:dir write;

================================================================

[root@rover conf]# sealert -l 8fdea288-2017-4555-af64-176030ead895

Summary:

SELinux is preventing java (pki_ca_t) "write" to
/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000 (usr_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by java. It is not expected that this access is
required by java and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for
/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000,

restorecon -v '/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:usr_t
Target Objects                /usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000 [ file ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          <Unknown>
Host                          rover.pnq.redhat.com
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-0.30.b09.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     rover.pnq.redhat.com
Platform                      Linux rover.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Jul 7 21:51:11 2009
Last Seen                     Tue Jul 7 21:51:11 2009
Local ID                      8fdea288-2017-4555-af64-176030ead895
Line Numbers

Raw Audit Messages

host=rover.pnq.redhat.com type=AVC msg=audit(1246983671.353:265): avc: denied { write } for pid=28888 comm="java" path="/usr/share/pki/eccuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=100958 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=rover.pnq.redhat.com type=SYSCALL msg=audit(1246983671.353:265): arch=c000003e syscall=1 success=yes exit=309 a0=5f a1=c077960 a2=135 a3=0 items=0 ppid=1 pid=28888 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=2 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
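An added example, not part of this bug report or of the pki-ca package: the aggregation that audit2allow performs on the raw AVC messages quoted in the two comments above, written out in Python. It groups denials per (source type, target type, object class), renders them as allow rules, and also lists the objects involved so that the labelling check sealert recommends (restorecon) can be done before any local policy module is written. The sample log lines are copied from the sealert output in this report; the regular expressions and function names are this example's own and are not audit2allow's code.

```python
import re
from collections import defaultdict

# Raw audit records copied from the sealert output in this bug report
# (sample input for this script; the SYSCALL record is there to show it is skipped).
SAMPLE_AUDIT_LOG = """\
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { write } for pid=22410 comm="java" name="sbcppri.db" dev=dm-0 ino=1114536 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { add_name } for pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=dir
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.732:1041): avc: denied { create } for pid=22410 comm="java" name="x01000000" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
host=austin.pnq.redhat.com type=SYSCALL msg=audit(1245763321.732:1041): arch=c000003e syscall=2 success=yes exit=106 a0=a994d80 a1=241 a2=180 a3=0 items=0 ppid=1 pid=22410 auid=500 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=user_u:system_r:pki_ca_t:s0 key=(null)
host=austin.pnq.redhat.com type=AVC msg=audit(1245763321.736:1042): avc: denied { write } for pid=22410 comm="java" path="/usr/share/pki/pkiuser/.certicom/sbcp/sbcppri.db/x01000000" dev=dm-0 ino=1114543 scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the policy rule only needs the type.
    return {
        'perms': set(m.group('perms').split()),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # Newer records carry a full path; older ones only the object's name.
        'object': fields.get('path') or fields.get('name'),
        'comm': fields.get('comm'),
    }


def summarize(log_text):
    """Aggregate denials per (source type, target type, class), as audit2allow does.

    Returns (rules, objects): rules maps the key to the union of denied
    permissions, objects maps the key to the paths/names that were touched.
    """
    rules = defaultdict(set)
    objects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        rules[key] |= rec['perms']
        if rec['object']:
            objects[key].add(rec['object'])
    return dict(rules), dict(objects)


def render_allow_rules(rules):
    """Render aggregated denials as policy allow rules (permissions sorted)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else '{ ' + ' '.join(perm_list) + ' }'
        lines.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return lines


if __name__ == '__main__':
    rules, objects = summarize(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(rules):
        print(rule)
    # The objects behind each rule are what to check with restorecon before
    # deciding whether a policy change (rather than a relabel) is needed.
    for key, objs in sorted(objects.items()):
        print('# %s %s:%s touched: %s' % (key[0], key[1], key[2], ', '.join(sorted(objs))))
```

Run against a live system with `summarize(open('/var/log/audit/audit.log').read())`. The two rules it prints for the sample input match the audit2allow output in the first comment (permission order aside); the object list shows that every denial is under /usr/share/pki/..., which is the cue sealert gives for trying `restorecon -v` on those paths first rather than loading a module that lets pki_ca_t write to arbitrary usr_t files.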
Setting to CLOSED as duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=746701, as the solution is the same. *** This bug has been marked as a duplicate of bug 746701 ***