SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java (deleted) from write access on the directory /var/lib/ipa/pki-ca/publish.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that java (deleted) should be allowed write access on the publish directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pki_tomcat_t:s0
Target Context                system_u:object_r:cert_t:s0
Target Objects                /var/lib/ipa/pki-ca/publish [ dir ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java (deleted)
Port                          <Unknown>
Host                          ipa
Source RPM Packages           java-1.7.0-openjdk-1.7.0.25-2.3.10.4.fc19.i686
Target RPM Packages           freeipa-server-3.2.1-1.fc19.i686
Policy RPM                    selinux-policy-3.12.1-59.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ipa
Platform                      Linux ipa 3.9.9-301.fc19.i686.PAE #1 SMP Thu Jul 4 15:25:09 UTC 2013 i686 i686
Alert Count                   13
First Seen                    2013-07-11 09:00:00 CEST
Last Seen                     2013-07-13 09:00:00 CEST
Local ID                      49b481f4-8305-4560-aa8e-cfebdff96b26

Raw Audit Messages
type=AVC msg=audit(1373698800.639:785): avc: denied { write } for pid=6609 comm="java" name="publish" dev="dm-1" ino=524567 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir

type=SYSCALL msg=audit(1373698800.639:785): arch=i386 syscall=open success=no exit=EACCES a0=b4637b48 a1=8241 a2=1b6 a3=0 items=0 ppid=1 pid=6609 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=java exe=/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java subj=system_u:system_r:pki_tomcat_t:s0 key=(null)

Hash: java,pki_tomcat_t,cert_t,dir,write
Since this started there have been no updates to the published CRLs in that directory.

I tried to use audit2allow to make a local policy for this, but when trying to load it I get this message:

[root@ipa Policy]# semodule -i net.guldbrand.ipa_dogtag.pp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

The policy module I'm trying to load atm. is:

module net.guldbrand.ipa_dogtag 1.0;

require {
	type cert_t;
	type pki_tomcat_t;
	class dir write;
}

#============= pki_tomcat_t ==============
allow pki_tomcat_t cert_t:dir write;

I have tried to relabel on boot, but that didn't fix anything.
After some digging, I found this comment in the freeipa.spec file:

# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
# entire SELinux policy is stored in the system policy
Obsoletes: freeipa-server-selinux < 3.3.0

With that in mind, I tried to disable the ipa_dogtag and ipa_httpd modules from that package and the error has disappeared, so it seems like a conflict between the normal policy and the freeipa-provided one.
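A way to check a file_contexts-format file for the duplicate path specifications that setfiles rejected in the comments above, added here as an example and not part of the bug report or of FreeIPA; the sample entries and the labels other than cert_t are constructed:

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): report path
# specifications that occur more than once in a file_contexts-style file,
# the condition behind setfiles' "Multiple same specifications" error.

# Print "<count> <spec>" for every specification listed more than once.
# Each line is: regex [filetype] context; the optional filetype (e.g. -d)
# is kept in the key because setfiles treats "regex -d" and "regex" as
# different specifications. Comment and blank lines are skipped.
find_duplicate_fcontexts() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { key = (NF >= 3) ? $1 " " $2 : $1; count[key]++ }
        END { for (k in count) if (count[k] > 1) print count[k], k }
    ' "$1" | sort
}

# Constructed sample: the publish directory is specified twice with the
# same regex, as happens when a leftover module duplicates a system-policy
# entry. The var_lib_t label is constructed for illustration only.
demo_duplicates() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# sample file_contexts fragment (constructed)
/var/lib/ipa(/.*)?                      system_u:object_r:var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?       system_u:object_r:cert_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?       system_u:object_r:cert_t:s0
/var/lib/ipa/pki-ca/publish  -d         system_u:object_r:cert_t:s0
EOF
    find_duplicate_fcontexts "$tmp"
    rm -f "$tmp"
}

demo_duplicates
```

Run find_duplicate_fcontexts against /etc/selinux/targeted/contexts/files/file_contexts on the affected host to see which specification is duplicated before loading a local module.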
*** This bug has been marked as a duplicate of bug 979379 ***