#3161 AVCs during pkispawn of subsystems using non "pkiuser"
Closed: migrated 3 years ago by dmoluguw. Opened 4 years ago by cipherboy.

Description of problem:
AVCs during pkispawn of subsystems using non "pkiuser"

Version-Release number of selected component (if applicable):
pki-ca-10.5.1-7.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Follow the steps in https://bugzilla.redhat.com/show_bug.cgi?id=1523410#c10 for pkispawn

Actual results:
Noticed the following AVCs

type=AVC msg=audit(1517954202.178:10244): avc:  denied  { search } for  pid=19017 comm="server" name="rpattath" dev="dm-2" ino=134217839 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1517954202.178:10244): arch=c000003e syscall=4 success=no exit=-13 a0=1eca230 a1=7ffc18d7d120 a2=7ffc18d7d120 a3=8 items=0 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1517954202.178:10244): proctitle=2F62696E2F62617368002F7573722F6C6962657865632F746F6D6361742F7365727665720073746F70
type=AVC msg=audit(1517954202.194:10245): avc:  denied  { search } for  pid=19024 comm="build-classpath" name="rpattath" dev="dm-2" ino=134217839 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1517954202.194:10245): arch=c000003e syscall=4 success=no exit=-13 a0=1dce770 a1=7fff5e47eae0 a2=7fff5e47eae0 a3=8 items=0 ppid=19023 pid=19024 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="build-classpath" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1517954202.194:10245): proctitle=2F62696E2F7368002F7573722F62696E2F6275696C642D636C6173737061746800636F6D6D6F6E732D6461656D6F6E
type=AVC msg=audit(1517954202.352:10246): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(1517954202.352:10246): arch=c000003e syscall=62 success=no exit=-13 a0=2bda a1=0 a2=a a3=2bda items=0 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1517954202.352:10246): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=AVC msg=audit(1517954202.353:10247): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(1517954202.353:10247): arch=c000003e syscall=62 success=no exit=-13 a0=356a a1=0 a2=a a3=356a items=0 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1517954202.353:10247): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=AVC msg=audit(1517954202.353:10248): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(1517954202.353:10248): arch=c000003e syscall=62 success=no exit=-13 a0=3a60 a1=0 a2=a a3=3a60 items=0 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1517954202.353:10248): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=AVC msg=audit(1517954202.353:10249): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(1517954202.353:10249): arch=c000003e syscall=62 success=no exit=-13 a0=4331 a1=0 a2=a a3=4331 items=0 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 suid=1010 fsuid=1010 egid=1010 sgid=1010 fsgid=1010 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)

Expected results:

Additional info:

pkispawn is successful and the instances are up and running.
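As an added triage example (not part of this ticket or of the pki project), the Python below joins each AVC record with its SYSCALL record by audit event id, collapses the repeated signull denials into one row, records whether the denial was enforced (success=no), and flags the user_home_dir_t hit that is the fingerprint of running the instance as a login user rather than a dedicated service account. The sample lines are a constructed subset of the records quoted above.

```python
import re

# Constructed sample: a subset of the records quoted in this ticket, with some SYSCALL fields dropped.
SAMPLE = """\
type=AVC msg=audit(1517954202.178:10244): avc:  denied  { search } for  pid=19017 comm="server" name="rpattath" dev="dm-2" ino=134217839 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1517954202.178:10244): arch=c000003e syscall=4 success=no exit=-13 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 comm="server" exe="/usr/bin/bash" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1517954202.352:10246): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(1517954202.352:10246): arch=c000003e syscall=62 success=no exit=-13 ppid=1 pid=19017 auid=4294967295 uid=1010 gid=1010 euid=1010 comm="java" exe="/usr/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1517954202.353:10247): avc:  denied  { signull } for  pid=19017 comm="java" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")   # ts:serial shared by all records of one event
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")            # the { perm ... } set of an AVC record

def parse_record(line):
    """Turn one audit record into a dict of its fields, plus 'event' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    rec["event"] = m.group(1) if m else None
    p = PERMS_RE.search(line)
    rec["perms"] = tuple(p.group(1).split()) if p else ()
    return rec

def summarize(text):
    """Join AVC and SYSCALL records of one event; one row per (src type, tgt type, class, perms)."""
    events = {}
    for line in filter(None, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["event"], {})[rec.get("type")] = rec
    rows = {}
    for ev in events.values():
        avc = ev.get("AVC")
        if not avc:
            continue
        sc = ev.get("SYSCALL", {})
        # user:role:type:level -> keep only the type (tomcat_t, user_home_dir_t, ...)
        key = (avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2], avc["tclass"], avc["perms"])
        row = rows.setdefault(key, {"count": 0, "comms": set(), "uids": set(), "enforced": False})
        row["count"] += 1
        row["comms"].add(avc.get("comm", "?"))
        if "uid" in sc:
            row["uids"].add(sc["uid"])
        if sc.get("success") == "no":  # exit=-13 (EACCES): the denial was enforced, not merely logged
            row["enforced"] = True
    return rows

def home_dir_hits(rows):
    """Denials against a login user's home directory: the service user is not a dedicated account."""
    return [k for k in rows if k[1] == "user_home_dir_t"]
```

The same summary can be fed to audit2allow-style review, but the home-directory row is the one to fix by configuration (a proper service user and home) rather than by policy.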


Metadata Update from @cipherboy:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1543042
- Custom field type adjusted to None
- Custom field version adjusted to None

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3278

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
