Bug 988495 - SELinux preventing installation for IdM using external CA
Status: CLOSED DUPLICATE of bug 895702
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.4
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Matthew Harmsen
QA Contact: Asha Akkiangady
Keywords: Reopened
Reported: 2013-07-25 13:24 EDT by Kenny Armstrong
Modified: 2013-08-09 12:10 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-09 12:10:59 EDT
Type: Bug

Attachments: None
Description Kenny Armstrong 2013-07-25 13:24:22 EDT
Description of problem:

Attempting to install the IdM server system with SELinux enabled prevents the CA installation routine from completing properly.

Version-Release number of selected component (if applicable):

java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64

How reproducible:

Run the following command when using an external CA for IdM (with SELinux enabled):

ipa-server-install --external-ca

Steps to Reproduce:
1. run ipa-server-install --external-ca
2. view output on command line
3. view the audit log for SELinux

Actual results:

[3/4]: configuring certificate server instance
>ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.EXAMPLE.COM -ldap_host lnxrealmtest01.lnxrealmtest.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!

Expected results:

install completes without issues

Additional info:


SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from read access on the file /anon_hugepage (deleted).

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that java should be allowed read access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that java should be allowed getattr access on the  filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


----
time->Thu Jul 25 09:59:30 2013
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760770.554:21707): avc:  denied  { read } for  pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 09:59:35 2013
type=SYSCALL msg=audit(1374760775.381:21708): arch=c000003e syscall=137 success=no exit=-13 a0=7fcdf526d910 a1=7fcdf5986bc0 a2=fffffffffff5c9e0 a3=7fcdf5986ad0 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760775.381:21708): avc:  denied  { getattr } for  pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.409:21850): arch=c000003e syscall=9 success=no exit=-12 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.409:21850): avc:  denied  { read } for  pid=28781 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=64772 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.636:21851): arch=c000003e syscall=137 success=yes exit=0 a0=7fd0eb9c2910 a1=7fd0ece3abc0 a2=fffffffffff5c9e0 a3=7fd0ece3aad0 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.636:21851): avc:  denied  { getattr } for  pid=28781 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
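The two AVC records above reduce to the (source type, target type, object class) triples a policy change has to cover, and auditd hex-encodes the path field because "/anon_hugepage (deleted)" contains spaces. The following Python is an added example, not part of this bug report or of pki-core: it parses the denials from the excerpt (embedded as constructed sample input), decodes the hex path, and groups the denied permissions the way an analyst would before deciding whether a policy interface such as fs_rw_hugetlbfs_files(pki_ca_t) matches the access.

```python
import re

# Sample input constructed from the two AVC lines quoted in this report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1374760770.554:21707): avc:  denied  { read } for  pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
type=AVC msg=audit(1374760775.381:21708): avc:  denied  { getattr } for  pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """auditd hex-encodes a name/path that contains spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    obj = fields.get('path') or fields.get('name')
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        'source_type': fields['scontext'].split(':')[2],   # e.g. pki_ca_t
        'target_type': fields['tcontext'].split(':')[2],   # e.g. hugetlbfs_t
        'tclass': fields['tclass'],
        'object': decode_path(obj) if obj else None,
    }


def summarize(text):
    """Group denials by (source type, target type, class) -> permissions."""
    summary = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            summary.setdefault(key, set()).update(rec['perms'])
    return summary
```

Running summarize(SAMPLE_AVCS) yields one entry for pki_ca_t on hugetlbfs_t files (read) and one for pki_ca_t on the fs_t filesystem (getattr), which is the shape of the access the policy comment later in this bug proposes to allow.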
Comment 2 Martin Kosek 2013-07-26 03:19:56 EDT
Hello Kenny,

I tried to investigate the issue with following packages:
ipa-server-3.0.0-26.el6_4.4.x86_64
selinux-policy-3.7.19-207.el6.noarch
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64

However, there were no AVCs logged and the installation was successful. Maybe using the java-1.6.0-openjdk package is what makes the difference. Anyway, the AVC related to /anon_hugepage looks strange; this file is not accessed by IPA.
Comment 3 Miroslav Grepl 2013-07-26 07:36:03 EDT
Also
# rpm -q selinux-policy-targeted
Comment 5 Martin Kosek 2013-08-09 04:11:13 EDT
These are pki-ca AVCs, moving to pki component so that they can decide how they want to fix it.
Comment 6 Nathan Kinder 2013-08-09 10:52:43 EDT
This looks similar to selinux-policy bug 790381, which was fixed in F16.  Was the fix for this bug brought back to RHEL 6.x?
Comment 7 Nathan Kinder 2013-08-09 11:13:24 EDT
I looked into the selinux-policy source to see how this is handled for other confined processes.  It looks like we need to add the following to the PKI policy module:

  fs_rw_hugetlbfs_files(pki_ca_t)

This will work for RHEL 6, but we should open a bug up against selinux-policy for current Fedora distributions to get this fixed there.  The fix there will likely need to be different since subsystems other than the CA are available.
Comment 8 Nathan Kinder 2013-08-09 12:10:59 EDT
We actually already have a bug opened to fix this in RHEL 6.5.  I'm closing this as a duplicate.

*** This bug has been marked as a duplicate of bug 895702 ***