"RA" and "TPS" apache-based instances fail to start on Fedora 15 if SELinux is configured in the "Enforcing" mode (they start up successfully if SELinux is reset to the "Permissive" mode). Using an "RA" instance on "goofy-vm17.dsdev.sjc.redhat.com" running "32-bit Fedora 15" with SELinux set to "Enforcing" as an example:

[root@goofy-vm17 ~]# /sbin/service pki-rad start
Starting pki-ra: [FAILED]

[root@goofy-vm17 /var/log/audit] tail -f audit.log
...
type=AVC msg=audit(1310409988.240:3816): avc: denied { read } for pid=16367 comm="httpd.worker" path="/usr/sbin/httpd.worker" dev=dm-1 ino=1338685 scontext=unconfined_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1310409988.240:3816): arch=40000003 syscall=125 success=no exit=-13 a0=19e000 a1=2000 a2=1 a3=19e000 items=0 ppid=16366 pid=16367 auid=10015 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=472 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=unconfined_u:system_r:pki_ra_t:s0 key=(null)

[root@goofy-vm17 ~]# cat /var/log/audit/audit.log |audit2allow -R

require {
	type xauth_t;
	type sshd_t;
	type pki_tps_t;
	type pki_ra_t;
}

#============= pki_ra_t ==============
apache_exec(pki_ra_t)

#============= pki_tps_t ==============
apache_exec(pki_tps_t)

#============= sshd_t ==============
fs_search_nfs(sshd_t)

#============= xauth_t ==============
fs_manage_nfs_dirs(xauth_t)
fs_manage_nfs_files(xauth_t)

Note that only the two apache_exec() interfaces (for pki_ra_t and pki_tps_t) correspond to the denial shown above; the sshd_t and xauth_t NFS rules appear to come from other, unrelated denials in the same audit log and should not be folded into the pki policy.
Created attachment 512733: patch to fix
tip:
[vakwetu@dhcp231-121 base]$ svn ci -m "Bugzilla #720503 - RA and TPS require additional SELinux permissions to run in "Enforcing" mode" selinux
Sending        selinux/src/pki.if
Sending        selinux/src/pki.te
Transmitting file data ..
Committed revision 2056.