#3158 certmonger selinux context errors on install in F-18
Closed: Fixed. Opened 11 years ago by rcritten.

Testing 3.0 RC2 installation in F-18 I came across some SELinux errors from certmonger trying to enable tracking of CA subsystem certificates:

type=AVC msg=audit(1349795232.380:359): avc:  denied  { getattr } for  pid=5598 comm="certmonger" path="/etc/pki/pki-tomcat/alias" dev="sda3" ino=397659 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1349795232.397:360): avc:  denied  { getattr } for  pid=5602 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.397:361): avc:  denied  { read } for  pid=5602 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.397:361): avc:  denied  { open } for  pid=5602 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.415:362): avc:  denied  { write } for  pid=5603 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795266.410:371): avc:  denied  { getattr } for  pid=5853 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795266.410:372): avc:  denied  { read } for  pid=5853 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795266.410:372): avc:  denied  { open } for  pid=5853 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795266.418:373): avc:  denied  { write } for  pid=5854 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795300.495:383): avc:  denied  { getattr } for  pid=6057 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795300.495:384): avc:  denied  { read } for  pid=6057 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795300.495:384): avc:  denied  { open } for  pid=6057 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795300.503:385): avc:  denied  { write } for  pid=6058 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file

IPA already has policy around this for Dogtag 9. The Dogtag 10 equivalent would be:

allow certmonger_t pki_tomcat_etc_rw_t:dir { search getattr };
allow certmonger_t pki_tomcat_etc_rw_t:file { read write getattr open };
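
The rules above are what you get by collapsing the AVC denials by source type, target type and object class and taking the union of the denied permissions, which is what `audit2allow` does. The following is an added example, not code from the ticket or from FreeIPA/certmonger, that does that reduction in plain Python over a constructed sample (a subset of the denials quoted above plus the later `capability2` one from this ticket). It emits rules in the same form as the proposed policy; the function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines quoted in this ticket,
# plus the later block_suspend capability denial, so both file/dir rules and
# a self:capability2 rule are exercised.
SAMPLE_AVCS = """\
type=AVC msg=audit(1349795232.380:359): avc:  denied  { getattr } for  pid=5598 comm="certmonger" path="/etc/pki/pki-tomcat/alias" dev="sda3" ino=397659 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir
type=AVC msg=audit(1349795232.397:360): avc:  denied  { getattr } for  pid=5602 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.397:361): avc:  denied  { read } for  pid=5602 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.397:361): avc:  denied  { open } for  pid=5602 comm="certmonger" path="/etc/pki/pki-tomcat/alias/cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1349795232.415:362): avc:  denied  { write } for  pid=5603 comm="certmonger" name="cert8.db" dev="sda3" ino=397732 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file
type=AVC msg=audit(1350065706.955:6827): avc: denied { block_suspend } for pid=15593 comm="certmonger" capability=36 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability2
"""

# Matches the permission set and the three fields a policy rule is built from.
# Whitespace is flexible because audit output varies (compare the two-space
# "denied  {" form above with the single-space capability line).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules refer to)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the denial's perms/source/target/class, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect_denials(text):
    """Group denials by (source type, target type, class), unioning perms.

    A denial whose target type equals its source type (e.g. a capability
    check) is keyed against 'self', as the policy language expresses it.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        target = 'self' if d['source'] == d['target'] else d['target']
        rules[(d['source'], target, d['tclass'])] |= d['perms']
    return rules


def allow_rules(rules):
    """Render grouped denials as 'allow' rules, one per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        joined = ' '.join(sorted(perms))
        perm_str = joined if len(perms) == 1 else '{ ' + joined + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return out


if __name__ == '__main__':
    for rule in allow_rules(collect_denials(SAMPLE_AVCS)):
        print(rule)
```

Two caveats a reviewer would want. First, the generated rules only contain what was actually denied: the `dir` rule comes out with `getattr` alone, whereas the proposed rule above also grants `search`, because the reporter knew certmonger would need it and the audit log had not reached that point. Second, an `allow` derived this way grants the source domain access to every file of the target type, here all of `pki_tomcat_etc_rw_t`; that is why the outcome below was a narrower new type (`pki_tomcat_cert_t`) for just the certificate database files rather than the broad rule.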

Ade checked with mgrepl and they decided to create a new type pki_tomcat_cert_t and give certmonger access to that. As dogtag owns the directory where the cert files are located, dogtag will add the rule and interfaces for certmonger to access the files.

Ade is going to try to get this checked in today and build tomorrow.

Reducing priority. This issue will be resolved by the dogtag team.

FreeIPA 3.0.0 GA has been released, moving the ticket to 3.0 bugfixing release.

The majority of the issues are fixed in pki-ca-10.0.0-0.44.b1

The last certmonger-related AVC is this one:

type=AVC msg=audit(1350065706.955:6827): avc: denied { block_suspend } for pid=15593 comm="certmonger" capability=36 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability2

Nalin pointed me to https://bugzilla.redhat.com/show_bug.cgi?id=830860

Should be fixed in selinux-policy-3.11.1-38

We can update the Fedora spec and close this when updated selinux-policy package gets submitted to bodhi.

dogtag policy has been moved into pki-core 10.0.0-0.45.b1.fc18 so we'll need to bump the requires on that as well. It and selinux-policy 3.11.1-43.fc18 are pending push to updates-testing.

Petr, ccing you as a heads-up.

Ade tells me we will want 10.0.0-0.46.b1 to pick up an Obsoletes pki-selinux. It is marked as stable in bodhi but hasn't hit the mirrors yet.

Updated in Fedora f18 branch, freeipa-3.0.0-3.

The required packages aren't built in rawhide yet so that has yet to be updated. We'll catch it up eventually.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)

7 years ago
