on a freshly installed RHEL 5.3 i386 machine, Installing pki-ra hangs.. I see these ... [root@trinity audit]# cat audit.log | audit2allow #============= pki_ra_t ============== allow pki_ra_t port_t:tcp_socket name_connect; [root@trinity audit]# cat audit.log | grep pki type=USER_CHAUTHTOK msg=audit(1246911861.776:31): user pid=4173 uid=0 auid=0 subj=root:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group acct="pkiuser" exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/0 res=success)' type=USER_CHAUTHTOK msg=audit(1246911861.882:32): user pid=4178 uid=0 auid=0 subj=root:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="pkiuser" exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/0 res=success)' type=AVC msg=audit(1246911880.524:35): avc: denied { name_connect } for pid=4316 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1246911880.524:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc63b30 a2=11efbc4 a3=bfc65330 items=0 ppid=4310 pid=4316 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null) type=AVC msg=audit(1246911880.577:36): avc: denied { name_connect } for pid=4318 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1246911880.577:36): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf888110 a2=9e2bc4 a3=bf889910 items=0 ppid=4317 pid=4318 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null) type=AVC msg=audit(1246911880.631:37): avc: denied { name_connect } for pid=4322 comm="modutil" dest=1792 scontext=root:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1246911880.631:37): 
arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd8d090 a2=1128bc4 a3=bfd8e890 items=0 ppid=4321 pid=4322 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="modutil" exe="/usr/bin/modutil" subj=root:system_r:pki_ra_t:s0 key=(null) ------------- Jul 6 13:24:40 trinity setroubleshoot: SELinux is preventing the modutil (pki_ra_t) from connecting to port 1792. For complete SELinux messages. run sealert -l efeb1cc3-ee21-4069-ac73-945ee52af264 Jul 6 13:24:40 trinity modutil: SSL cipher list set to RC4-MD5 Jul 6 13:24:40 trinity setroubleshoot: SELinux is preventing the modutil (pki_ra_t) from connecting to port 1792. For complete SELinux messages. run sealert -l efeb1cc3-ee21-4069-ac73-945ee52af264 [root@trinity log]# --------------- Installing : xml-commons-apis [57/88] Installing : perl-XML-LibXML [58/88] could not find ParserDetails.ini in /usr/lib/perl5/vendor_perl/5.8.8/XML/SAX Installing : pki-setup [59/88] Adding default PKI group "pkiuser" (gid=17) to /etc/group. Adding default PKI user "pkiuser" (uid=17) to /etc/passwd. useradd: warning: the home directory already exists. Not copying any file from skel directory into it. Installing : pki-ra [60/88] PKI instance creation Utility ... PKI instance creation completed ... Starting pki-ra: -------------------
[root@trinity audit]# cat audit.log | audit2allow -R require { type pki_ra_t; } #============= pki_ra_t ============== corenet_tcp_connect_generic_port(pki_ra_t)
this is a lunasa port. We allow this rule for the other subsystems already.
Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec (revision 662)
+++ dogtag/selinux/pki-selinux.spec (working copy)
@@ -33,7 +33,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.1.0
-%define base_release 9
+%define base_release 10
%define base_group System Environment/Shells
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -249,6 +249,8 @@
###############################################################################
%changelog
+* Wed Jul 6 2009 Ade Lee <alee> 1.1.0-10
+- Bugzilla Bug 509917 - RA fails to start with SElinux enforcing (lunasa)
* Wed Jun 17 2009 Ade Lee <alee> 1.1.0-9
- Bugzilla Bug 506387 and 506133 - ECC and messages for tps
* Mon Jun 15 2009 Ade Lee <alee> 1.1.0-8
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if (revision 662)
+++ base/selinux/src/pki.if (working copy)
@@ -688,6 +688,7 @@
corenet_tcp_sendrecv_all_nodes(pki_ra_t)
corenet_tcp_sendrecv_all_ports(pki_ra_t)
corenet_non_ipsec_sendrecv(pki_ra_t)
+ corenet_tcp_connect_generic_port(pki_ra_t)
# talk to other subsystems
corenet_tcp_connect_pki_ca_port(pki_ra_t)
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te (revision 662)
+++ base/selinux/src/pki.te (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.11)
+policy_module(pki,1.0.12)
attribute pki_ca_config;
attribute pki_ca_executable;
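Review bot: The added `corenet_tcp_connect_generic_port(pki_ra_t)` in the pki.if hunk lets pki_ra_t name_connect to every TCP port labelled port_t, which is wider than the denial being fixed — the AVC entries above record only dest=1792 (the lunasa port). Giving that port its own port type and allowing only that type would keep the RA at least privilege; the description notes the other subsystems already carry the generic rule, so if the broad allow is kept for consistency, record the reason beside it, e.g. `# lunasa client (modutil) connects to port 1792, which is labelled port_t; bug 509917`. The pki_ra_t interface body that encloses the hunk starts and ends outside it, so whether a narrower rule already exists there cannot be seen from this hunk. The spec and pki.te hunks are version and changelog bumps only.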
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug 509917: RA fails to start with SElinux enforcing" base/selinux dogtag/selinux Sending base/selinux/src/pki.if Sending base/selinux/src/pki.te Sending dogtag/selinux/pki-selinux.spec Transmitting file data ... Committed revision 679.
Verified with RC3.
- did a cat /dev/null > /var/log/audit/audit.log
- restarted RA
- then cat /var/log/audit/audit.log |audit2allow -R
No audit alerts found