Description of problem:
Attempting to install the IdM server system with SELinux enabled prevents the CA installation routine from completing properly.

Version-Release number of selected component (if applicable):
java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64

How reproducible:
Run the following command when using an external CA for IdM (with SELinux enabled):
ipa-server-install --external-ca

Steps to Reproduce:
1. run ipa-server-install --external-ca
2. view output on command line
3. view the audit log for SELinux

Actual results:
[3/4]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.EXAMPLE.COM -ldap_host lnxrealmtest01.lnxrealmtest.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!
Expected results:
install completes without issues

Additional info:
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from read access on the file /anon_hugepage (deleted).

***** Plugin restorecon (99.5 confidence) suggests *************************
If you want to fix the label.
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that java should be allowed read access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from getattr access on the filesystem /.

***** Plugin catchall (100. confidence) suggests ***************************
If you believe that java should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

----
time->Thu Jul 25 09:59:30 2013
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760770.554:21707): avc: denied { read } for pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 09:59:35 2013
type=SYSCALL msg=audit(1374760775.381:21708): arch=c000003e syscall=137 success=no exit=-13 a0=7fcdf526d910 a1=7fcdf5986bc0 a2=fffffffffff5c9e0 a3=7fcdf5986ad0 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760775.381:21708): avc: denied { getattr } for pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.409:21850): arch=c000003e syscall=9 success=no exit=-12 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.409:21850): avc: denied { read } for pid=28781 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=64772 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.636:21851): arch=c000003e syscall=137 success=yes exit=0 a0=7fd0eb9c2910 a1=7fd0ece3abc0 a2=fffffffffff5c9e0 a3=7fd0ece3aad0 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.636:21851): avc: denied { getattr } for pid=28781 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
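The AVC records in the report can be reduced mechanically to the (source type, target type, class, permission) tuples a policy fix has to cover. The following is an added example, not part of the bug report: it decodes auditd's hex-encoded path field (auditd hex-encodes strings containing spaces, which is why "/anon_hugepage (deleted)" appears as a hex run) and tallies the denials, using constructed records modelled on the ones above.

```python
import re

# Constructed sample records, modelled on the AVC lines in the report above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1374760770.554:21707): avc: denied { read } for pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
type=AVC msg=audit(1374760775.381:21708): avc: denied { getattr } for pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1374765103.409:21850): avc: denied { read } for pid=28781 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=64772 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
"""

# String-valued audit fields that auditd emits hex-encoded when they contain
# spaces, quotes or non-printable bytes. Numeric fields (ino, pid) are never decoded.
HEX_FIELDS = {"path", "name", "comm", "exe"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_audit_value(key, raw):
    """Strip quotes from quoted values; hex-decode unquoted string fields."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(line):
    """Return a dict of the AVC fields plus a 'perms' list, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: decode_audit_value(k, v) for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize_denials(log_text):
    """Count denials keyed by (source type, target type, object class, permission)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            key = (stype, ttype, rec["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(n, *key)
```

Run against the real /var/log/audit/audit.log the same summary shows whether the denials are limited to pki_ca_t on hugetlbfs_t and fs_t, which is what decides between a targeted policy interface and a broader fix.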
Hello Kenny,
I tried to investigate the issue with the following packages:
ipa-server-3.0.0-26.el6_4.4.x86_64
selinux-policy-3.7.19-207.el6.noarch
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
However, there were no AVCs logged and the installation was successful. Maybe using the java-1.6.0-openjdk package is what makes the difference. Anyway, the AVC related to /anon_hugepage looks strange; this file is not accessed by IPA.
Also:
# rpm -q selinux-policy-targeted
These are pki-ca AVCs, moving to pki component so that they can decide how they want to fix it.
This looks similar to selinux-policy bug 790381, which was fixed in F16. Was the fix for this bug brought back to RHEL 6.x?
I looked into the selinux-policy source to see how this is handled for other confined processes. It looks like we need to add the following to the PKI policy module:
fs_rw_hugetlbfs_files(pki_ca_t)
This will work for RHEL 6, but we should open a bug up against selinux-policy for current Fedora distributions to get this fixed there. The fix there will likely need to be different since subsystems other than the CA are available.
We actually already have a bug opened to fix this in RHEL 6.5. I'm closing this as a duplicate. *** This bug has been marked as a duplicate of bug 895702 ***