Description of problem:
Installed ipa-server on 6.5 and seeing AVC errors - on both master and replica installs

# ausearch -m avc -ts 13:45
----
time->Mon Aug 19 13:54:58 2013
type=SYSCALL msg=audit(1376934898.540:77): arch=c000003e syscall=2 success=no exit=-13 a0=7f7752a6b1d8 a1=80000 a2=403ff a3=7f77524e7d55 items=0 ppid=1 pid=3700 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934898.540:77): avc: denied { read } for pid=3700 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:54:59 2013
type=SYSCALL msg=audit(1376934899.008:78): arch=c000003e syscall=2 success=no exit=-13 a0=7f7752a6b1d8 a1=80000 a2=403ff a3=1 items=0 ppid=1 pid=3715 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934899.008:78): avc: denied { read } for pid=3715 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:56:14 2013
type=SYSCALL msg=audit(1376934974.628:87): arch=c000003e syscall=2 success=no exit=-13 a0=7fce356581d8 a1=80000 a2=403ff a3=7fce350d4d55 items=0 ppid=1 pid=4253 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1376934974.628:87): avc: denied { read } for pid=4253 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

# audit2allow -i /var/log/audit/audit.log

#============= pki_ca_t ==============
allow pki_ca_t sysfs_t:file read;

# audit2allow -R -i /var/log/audit/audit.log

require {
        type pki_ca_t;
}

#============= pki_ca_t ==============
dev_read_sysfs(pki_ca_t)

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-33.el6.x86_64
pki-ca-9.0.3-31.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Install ipa server

Actual results:
install seems to work but see AVC denials listed above.

Expected results:
no avc denials expected.

Additional info:
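
An added example, not part of the bug report or the pki project: a short Python sketch of the kind of grouping audit2allow does on the denials above, collapsing the three identical AVC records into a single rule with a hit count. The sample log reuses the AVC lines quoted in the report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in the report (SYSCALL lines omitted).
SAMPLE = """\
----
time->Mon Aug 19 13:54:58 2013
type=AVC msg=audit(1376934898.540:77): avc: denied { read } for pid=3700 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:54:59 2013
type=AVC msg=audit(1376934899.008:78): avc: denied { read } for pid=3715 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
----
time->Mon Aug 19 13:56:14 2013
type=AVC msg=audit(1376934974.628:87): avc: denied { read } for pid=4253 comm="java" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

# Pull the permission set, both security contexts and the object class out of an AVC line.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """A context is user:role:type:level; the type is the third field."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); merge perms, count hits."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # separators, time-> lines, SYSCALL records
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["count"] += 1
    return dict(rules)

def to_allow_rules(rules):
    """Render each group in the same 'allow' syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(summarize(SAMPLE)):
        print(rule)
```

The rendered rule only restates what was denied; the `-R` output in the report shows the same access expressed through the `dev_read_sysfs` policy interface.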
Patch pushed to IPA branch for 6.5:

To ssh://vakwetu.org/git/pki.git
   96e18f8..25aa37e  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH
Verified using pki-core-9.0.3-32.el6

Not seeing AVCs while installing master nor replica.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1682.html