Hello Kenny,
I tried to investigate the issue with the following packages:
ipa-server-3.0.0-26.el6_4.4.x86_64
selinux-policy-3.7.19-207.el6.noarch
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
However, there were no AVCs logged and the installation was successful. Maybe using the java-1.6.0-openjdk package is what makes the difference. Anyway, the AVC related to /anon_hugepage looks strange; this file is not accessed by IPA.
I looked into the selinux-policy source to see how this is handled for other confined processes. It looks like we need to add the following to the PKI policy module:
fs_rw_hugetlbfs_files(pki_ca_t)
This will work for RHEL 6, but we should open a bug up against selinux-policy for current Fedora distributions to get this fixed there. The fix there will likely need to be different since subsystems other than the CA are available.
We actually already have a bug opened to fix this in RHEL 6.5. I'm closing this as a duplicate.
*** This bug has been marked as a duplicate of bug 895702 ***
Description of problem:
Attempting to install the IdM server system with SELinux enabled prevents the CA installation routine from completing properly.

Version-Release number of selected component (if applicable):
java-1.7.0-openjdk-1.7.0.25-2.3.10.4.el6_4.x86_64
java-1.6.0-openjdk-1.6.0.0-1.62.1.11.11.90.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-26.el6_4.4.x86_64

How reproducible:
Run the following command when using an external CA for IdM (with SELinux enabled):
ipa-server-install --external-ca

Steps to Reproduce:
1. run ipa-server-install --external-ca
2. view output on command line
3. view the audit log for SELinux

Actual results:
  [3/4]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.lnxrealmtest.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-WH9RBT -client_certdb_pwd XXXXXXXX -preop_pin TaLcAevF7piQ1NV0Jmd9 -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.EXAMPLE.COM -ldap_host lnxrealmtest01.lnxrealmtest.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXR!

Expected results:
install completes without issues

Additional info:
SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from read access on the file /anon_hugepage (deleted).

***** Plugin restorecon (99.5 confidence) suggests *************************
If you want to fix the label.
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

***** Plugin catchall (1.49 confidence) suggests ***************************
If you believe that java should be allowed read access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

--------------------------------------------------------------------------------

SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java from getattr access on the filesystem /.

***** Plugin catchall (100. confidence) suggests ***************************
If you believe that java should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

----
time->Thu Jul 25 09:59:30 2013
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760770.554:21707): avc: denied { read } for pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 09:59:35 2013
type=SYSCALL msg=audit(1374760775.381:21708): arch=c000003e syscall=137 success=no exit=-13 a0=7fcdf526d910 a1=7fcdf5986bc0 a2=fffffffffff5c9e0 a3=7fcdf5986ad0 items=0 ppid=1 pid=3095 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374760775.381:21708): avc: denied { getattr } for pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.409:21850): arch=c000003e syscall=9 success=no exit=-12 a0=0 a1=200000 a2=3 a3=40022 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.409:21850): avc: denied { read } for pid=28781 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=64772 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
----
time->Thu Jul 25 11:11:43 2013
type=SYSCALL msg=audit(1374765103.636:21851): arch=c000003e syscall=137 success=yes exit=0 a0=7fd0eb9c2910 a1=7fd0ece3abc0 a2=fffffffffff5c9e0 a3=7fd0ece3aad0 items=0 ppid=1 pid=28781 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1374765103.636:21851): avc: denied { getattr } for pid=28781 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
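The AVC records above are hard to read because auditd hex-encodes a path that contains spaces, which is why the hugetlbfs denial shows path=2F61... rather than "/anon_hugepage (deleted)". The following added example (not code from this bug report or from the ipa/selinux-policy projects) parses such raw AVC lines, decodes the path, collapses the denials into the allow rules audit2allow would print, and maps the hugetlbfs case to the fs_rw_hugetlbfs_files(pki_ca_t) interface named in the comments; the sample records are constructed from the ones in this report.

```python
import re

# Constructed sample records, modelled on the AVC lines in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1374760770.554:21707): avc: denied { read } for pid=3095 comm="java" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev=hugetlbfs ino=29376 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:hugetlbfs_t:s0 tclass=file
type=AVC msg=audit(1374760775.381:21708): avc: denied { getattr } for pid=3095 comm="java" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1374760770.554:21707): arch=c000003e syscall=9 success=no exit=-13 comm="java"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw in KV_RE.findall(m.group("rest")):
        if raw.startswith('"'):
            rec[key] = raw.strip('"')
        elif key in ("path", "name", "comm"):
            # an unquoted path/name/comm is hex-encoded by the kernel audit code
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    # the type is the third colon-separated field of a SELinux context
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(audit_text):
    """Collapse denials into the raw allow rules audit2allow would print."""
    rules = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            rules.setdefault(key, set()).update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())


def interface_hint(rule):
    """Map a raw rule to the policy interface this bug report settles on."""
    if re.match(r"allow (\w+) hugetlbfs_t:file ", rule):
        return f"fs_rw_hugetlbfs_files({rule.split()[1]})"
    return None  # other denials need a look at the refpolicy .if files
```

Run it against `ausearch -m avc --raw` output (or the raw audit.log) to get the decoded path and the rule set before deciding between a policy fix and a local module.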