#658 AVC denials found for the pkispawn operation
Closed as Invalid. Opened 10 years ago by aakkiang.

The pkispawn operation for a CA instance results in the following AVC denial messages:

time->Thu Jun 13 19:54:46 2013
type=SYSCALL msg=audit(1371167686.823:449): arch=c000003e syscall=59 success=yes exit=0 a0=24cb490 a1=24caf60 a2=24c7910 a3=7fff88077ca0 items=0 ppid=21791 pid=21792 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1371167686.823:449): avc:  denied  { write } for  pid=21792 comm="useradd" path="/var/log/pki/pki-ca-spawn.20130613195446.log" dev="dm-1" ino=658261 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:pki_log_t:s0 tclass=file
----
time->Thu Jun 13 19:54:48 2013
type=SYSCALL msg=audit(1371167688.989:451): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7f83000074e0 a2=90800 a3=0 items=0 ppid=1 pid=21988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167688.989:451): avc:  denied  { read } for  pid=21988 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Thu Jun 13 19:54:48 2013
type=SYSCALL msg=audit(1371167688.989:452): arch=c000003e syscall=2 success=no exit=-13 a0=7f8300007500 a1=242 a2=180 a3=0 items=0 ppid=1 pid=21988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167688.989:452): avc:  denied  { write } for  pid=21988 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Thu Jun 13 19:55:16 2013
type=SYSCALL msg=audit(1371167716.841:454): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fe0f4007030 a2=90800 a3=0 items=0 ppid=22371 pid=22389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167716.841:454): avc:  denied  { read } for  pid=22389 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Thu Jun 13 19:55:16 2013
type=SYSCALL msg=audit(1371167716.842:455): arch=c000003e syscall=2 success=no exit=-13 a0=7fe0f4007050 a1=242 a2=180 a3=0 items=0 ppid=22371 pid=22389 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167716.842:455): avc:  denied  { write } for  pid=22389 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Thu Jun 13 19:55:19 2013
type=SYSCALL msg=audit(1371167719.230:458): arch=c000003e syscall=2 success=no exit=-13 a0=7fa9f4007500 a1=242 a2=180 a3=0 items=0 ppid=1 pid=22606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167719.230:458): avc:  denied  { write } for  pid=22606 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir
----
time->Thu Jun 13 19:55:19 2013
type=SYSCALL msg=audit(1371167719.230:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fa9f40074e0 a2=90800 a3=0 items=0 ppid=1 pid=22606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.19.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1371167719.230:457): avc:  denied  { read } for  pid=22606 comm="java" name="hsperfdata_root" dev="tmpfs" ino=23275 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

Closing, as this is being dealt with by a bug against selinux-policy.

Metadata Update from @aakkiang:
- Issue set to the milestone: N/A

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1228

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
