
Bug 988495

Summary: SELinux preventing installation for IdM using external CA
Product: Red Hat Enterprise Linux 6
Reporter: Kenny Armstrong <karmstrong>
Component: pki-core
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED DUPLICATE
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 6.4
CC: dwalsh, mgrepl, mkosek, mmalik, nkinder, rcritten
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-09 16:10:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Kenny Armstrong 2013-07-25 17:24:22 UTC
Description of problem:

Attempting to install the IdM server system with SELinux enabled prevents the CA installation routine from completing properly.

Version-Release number of selected component (if applicable):

java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64

How reproducible:

Run the following command when using an external CA for IdM (with SELinux enabled):

ipa-server-install --external-ca

Steps to Reproduce:
1. run ipa-server-install --external-ca
2. view output on command line
3. view the audit log for SELinux

Actual results:

[3/4]: configuring certificate server instance
>ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.EXAMPLE.COM -ldap_host lnxrealmtest01.lnxrealmtest.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!

Expected results:

install completes without issues

Additional info:


SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from read access on the file /anon_hugepage (deleted).

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that java should be allowed read access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that java should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


----
time->Thu Jul 25 09:59:30 2013
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760770.554:21707): avc:  denied  { read } for  pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 09:59:35 2013
type=SYSCALL msg=audit(1374760775.381:21708): arch=c000003e syscall=137 success=no exit=-13 a0=7fcdf526d910 a1=7fcdf5986bc0 a2=fffffffffff5c9e0 a3=7fcdf5986ad0 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760775.381:21708): avc:  denied  { getattr } for  pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.409:21850): arch=c000003e syscall=9 success=no exit=-12 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.409:21850): avc:  denied  { read } for  pid=28781 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=64772 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.636:21851): arch=c000003e syscall=137 success=yes exit=0 a0=7fd0eb9c2910 a1=7fd0ece3abc0 a2=fffffffffff5c9e0 a3=7fd0ece3aad0 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.636:21851): avc:  denied  { getattr } for  pid=28781 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
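To triage records like the ones above without a sealert run, here is an added example (not part of the bug report, and not code from the pki or selinux-policy projects) that parses the SYSCALL and AVC lines, decodes the hex-encoded path field the way ausearch -i does, joins each denial with its syscall by audit serial, and flags an unlinked target such as /anon_hugepage (deleted), where the restorecon that sealert proposed cannot apply. It assumes x86_64 syscall numbering (arch=c000003e) and uses the report's own records as constructed sample input.

```python
import re

# Constructed sample input: the first two SYSCALL/AVC pairs (serials 21707 and 21708) quoted in the report above.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760770.554:21707): avc:  denied  { read } for  pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
type=SYSCALL msg=audit(1374760775.381:21708): arch=c000003e syscall=137 success=no exit=-13 a0=7fcdf526d910 a1=7fcdf5986bc0 a2=fffffffffff5c9e0 a3=7fcdf5986ad0 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760775.381:21708): avc:  denied  { getattr } for  pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# audit(8) hex-encodes these fields when the value contains a space or quote, which is why the report
# shows path=2F616E6F6E5F68... where sealert printed "/anon_hugepage (deleted)".
HEX_ENCODED_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}
X86_64_SYSCALLS = {9: 'mmap', 137: 'statfs'}  # the two numbers seen in this report (arch=c000003e is x86_64)

def decode_field(key, quoted, bare):
    """Quoted values are literal; an unquoted even-length hex value in an encoded field is decoded."""
    if quoted or key not in HEX_ENCODED_FIELDS or len(bare) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', bare):
        return quoted or bare
    return bytes.fromhex(bare).decode('utf-8', errors='replace')

def parse_record(line):
    """One audit record -> dict of type, serial and decoded key=value fields (plus perms for a denial)."""
    h = HEADER_RE.match(line.strip())
    if not h:
        return None  # 'time->' and '----' separator lines from ausearch output land here
    rec, body = {'type': h.group(1), 'serial': int(h.group(2))}, h.group(3)
    a = AVC_RE.search(body)
    if a:
        rec['perms'] = a.group(1).split()
    rec.update({k: decode_field(k, q, b) for k, q, b in KV_RE.findall(body)})
    return rec

def triage(log_text):
    """Join each denial with its SYSCALL record by serial; 'deleted' means relabeling (sealert's restorecon advice above) cannot work."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    syscalls = {r['serial']: r for r in records if r['type'] == 'SYSCALL'}
    out = []
    for r in records:
        if 'perms' not in r:  # only AVC denials carry perms
            continue
        nr = int(syscalls.get(r['serial'], {}).get('syscall', -1))
        target = r.get('path') or r.get('name') or ''
        out.append({'serial': r['serial'], 'perms': r['perms'], 'tclass': r['tclass'], 'target': target,
                    'source_type': r['scontext'].split(':')[2], 'target_type': r['tcontext'].split(':')[2],
                    'deleted': target.endswith(' (deleted)'), 'syscall': X86_64_SYSCALLS.get(nr, nr)})
    return out
```

Calling triage(SAMPLE_AUDIT) gives one row per denial; the first reports source pki_ca_t, target hugetlbfs_t, class file, permission read, syscall mmap and deleted=True, which is exactly the access that Comment 7 below grants with fs_rw_hugetlbfs_files(pki_ca_t).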

Comment 2 Martin Kosek 2013-07-26 07:19:56 UTC
Hello Kenny,

I tried to investigate the issue with the following packages:
ipa-server-3.0.0-26.el6_4.4.x86_64
selinux-policy-3.7.19-207.el6.noarch
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64

However, there were no AVCs logged and the installation was successful. Maybe using the java-1.6.0-openjdk package is what makes the difference. Anyway, the AVC related to /anon_hugepage looks strange; this file is not accessed by IPA.

Comment 3 Miroslav Grepl 2013-07-26 11:36:03 UTC
Also
# rpm -q selinux-policy-targeted

Comment 5 Martin Kosek 2013-08-09 08:11:13 UTC
These are pki-ca AVCs, moving to pki component so that they can decide how they want to fix it.

Comment 6 Nathan Kinder 2013-08-09 14:52:43 UTC
This looks similar to selinux-policy bug 790381, which was fixed in F16. Was the fix for this bug brought back to RHEL 6.x?

Comment 7 Nathan Kinder 2013-08-09 15:13:24 UTC
I looked into the selinux-policy source to see how this is handled for other confined processes. It looks like we need to add the following to the PKI policy module:

  fs_rw_hugetlbfs_files(pki_ca_t)

This will work for RHEL 6, but we should open a bug up against selinux-policy for current Fedora distributions to get this fixed there.  The fix there will likely need to be different since subsystems other than the CA are available.

Comment 8 Nathan Kinder 2013-08-09 16:10:59 UTC
We actually already have a bug opened to fix this in RHEL 6.5. I'm closing this as a duplicate.

*** This bug has been marked as a duplicate of bug 895702 ***