Description of problem: FreeIPA server installed in Fedora 17 and upgraded to Fedora 18 reported upgrade issues. The problem was in certmonger who as not allowed to start tracking pki-ca certs due to following AVCs: type=AVC msg=audit(1364732496.007:5713): avc: denied { search } for pid=19923 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u: object_r:pki_tomcat_var_lib_t:s0 tclass=dir Version-Release number of selected component (if applicable): selinux-policy-3.11.1-86.fc18.noarch How reproducible: Steps to Reproduce: 1. Install FreeIPA server with Fedora 17 2. Upgrade to Fedora 18 (including FreeIPA) 3. Actual results: FreeIPA upgrade process reports failures in certmonger tracking pki-ca certificates (required in 3.1 certificate renew feature) Expected results: No cert tracking upgrade issues. Additional info:
Here are the actual AVCs from my audit log, one for each attempt of getcert: certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n ocspSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n subsystemCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1 certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n Server-Cert cert-pki-ca -c dogtag-ipa-renew-agent -P XXXXXXXX' returned non-zero exit status 1 type=SYSCALL msg=audit(1364732495.999:5706): arch=c000003e syscall=2 success=no exit=-13 a0=103f820 a1=242 a2=180 a3=1f items=0 ppid=19902 pid=19918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1364732496.004:5707): avc: denied { search } for pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1364732496.004:5707): arch=c000003e syscall=4 success=no exit=-13 a0=103fb20 a1=7fffee7a0550 a2=7fffee7a0550 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1364732496.004:5708): avc: denied { search } for pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1364732496.004:5708): arch=c000003e syscall=2 success=no exit=-13 a0=103fb20 a1=0 a2=180 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1364732496.004:5709): avc: denied { search } for pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1364732496.004:5709): arch=c000003e syscall=4 success=no exit=-13 a0=103fea0 a1=7fffee7a0580 a2=7fffee7a0580 a3=1f items=0 ppid=19902 pid=19920 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(1364732496.004:5710): avc: denied { search } for pid=19920 comm="certmonger" name="pki-ca" dev="md1" ino=14287216 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
And the following custom policy 'fixes' the issue. module fixcertmongerpkica 1.0; require { type certmonger_t; type pki_tomcat_var_lib_t; class dir search; } #============= certmonger_t ============== allow certmonger_t pki_tomcat_var_lib_t:dir search;
Martin, could you re-test it in permissive mode to see if we get more AVCs. Thank you.
This is what I see when I upgrade Fedora 17 with IPA installed to Fedora 18: # getenforce Permissive # grep AVC /var/log/audit/audit.log # yum distro-sync --releasever=18 ... Complete! # grep AVC /var/log/audit/audit.log type=AVC msg=audit(1364990307.573:116): avc: denied { read } for pid=438 comm="dbus-daemon" name="passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1364990307.573:116): avc: denied { open } for pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1364990307.573:117): avc: denied { getattr } for pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1364990320.938:122): avc: denied { read } for pid=438 comm="dbus-daemon" name="passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1364990320.938:122): avc: denied { open } for pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=AVC msg=audit(1364990320.940:123): avc: denied { getattr } for pid=438 comm="dbus-daemon" path="/etc/passwd" dev="dm-0" ino=410092 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:shadow_t:s0 tclass=file type=USER_AVC msg=audit(1364990422.481:135): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1364990520.748:161): avc: denied { unlink } for pid=1093 comm="java" name="1085" dev="dm-0" ino=15753 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file From that list, only this one looks relevant to IPA: type=AVC msg=audit(1364990520.748:161): avc: denied { unlink } for pid=1093 comm="java" name="1085" dev="dm-0" ino=15753 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file When I then update to freeipa-server-3.1.3, I see the reported AVC: # yum update freeipa-server --enablerepo=updates-testing ... # grep AVC /var/log/audit/audit.log ... type=AVC msg=audit(1364994343.817:33): avc: denied { search } for pid=779 comm="certmonger" name="pki-ca" dev="dm-0" ino=17861 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_var_lib_t:s0 tclass=dir
That makes sense to me. When I do a distro-sync, it's always in permissive mode, as there is no real way to recover from SELinux issues during the upgrade. Then after a 'touch /.autorelabel' and cleaning up other *.conf files, etc, I reboot. It wasn't until the further upgrade of freeipa-server that I got the certmonger SELinux denials issues. Your example basically replicated my situation with certmonger.
Hello, was there any update to this Bugzilla? Do you need more information? Thanks, Martin
Fixed in selinux-policy-3.11.1-90.fc18
selinux-policy-3.11.1-90.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-90.fc18
Package selinux-policy-3.11.1-90.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-90.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-5742/selinux-policy-3.11.1-90.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-90.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.