#4438 Lots of avc denial messages while installing IPA Server
Closed: Fixed. Opened 9 years ago by dpal.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1117739

Description of problem:
While installing IPA Server, a lot of AVC denial messages are shown, though this
is not a blocker and the installation is successful.

Version-Release number of selected component (if applicable):
[root@hp-dl380pgen8-02-vm-4 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-42.el6.x86_64
pki-ca-9.0.3-36.el6.noarch
[root@hp-dl380pgen8-02-vm-4 ~]#

How reproducible:
Always

Steps to Reproduce:
1.Install IPA server on latest RHEL-6.6 build
2.Look in audit.log
3.

Actual results:
There are a lot of AVC denied messages in audit.log

Expected results:
There should not be any AVC denied messages in audit.log

Additional info:
(1)
[root@hp-dl380pgen8-02-vm-4 ~]# cat /var/log/audit/audit.log |audit2allow


#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following
types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t,
var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t,
certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t,
cluster_conf_t

allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t

allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@hp-dl380pgen8-02-vm-4 ~]#
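As an added example (not part of this ticket or of the FreeIPA project), the script below does on a few constructed audit.log lines what the `cat /var/log/audit/audit.log | audit2allow` step above does: it parses AVC records, merges repeated denials into audit2allow-style allow rules, and separately lists the write-like permissions (write, relabelfrom, relabelto, setattr, ...) that deserve a closer look before anyone considers allowing them, which is the kind of thing audit2allow's `!!!!` warnings call out. The sample log lines are constructed to resemble the denials listed above, and the `WRITE_LIKE` set is the example's own assumption about which permissions widen write access.

```python
import re
import sys
from collections import defaultdict

# One AVC record per line; we only need the denied permissions, both contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that let a domain change or create content (assumption of this example).
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "relabelfrom", "relabelto"}

# Constructed sample audit.log content modelled on the ticket's denials (not real log data).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1405000000.101:201): avc:  denied  { write } for  pid=1201 comm="certmonger" '
    'name="tmp" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1405000000.102:202): avc:  denied  { search } for  pid=1201 comm="certmonger" '
    'name="/" dev=tmpfs ino=1 scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
    # Same denial again: audit2allow merges duplicates into one rule, and so do we.
    'type=AVC msg=audit(1405000000.103:203): avc:  denied  { write } for  pid=1201 comm="certmonger" '
    'name="tmp" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1405000000.104:204): avc:  denied  { relabelfrom } for  pid=1310 comm="httpd" '
    'name="ipa.tmp" dev=dm-0 ino=2002 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file',
    # A non-AVC record that must be ignored by the parser.
    'type=SYSCALL msg=audit(1405000000.104:204): arch=c000003e syscall=188 success=no exit=-13 comm="httpd"',
    'type=AVC msg=audit(1405000000.105:205): avc:  denied  { setattr } for  pid=1400 comm="prelink" '
    'name="stdout" dev=devpts ino=3 scontext=system_u:system_r:prelink_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file',
]


def selinux_type(context):
    """Extract the type field from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_denials(lines):
    """Return one (source_type, target_type, tclass, perm) tuple per denied permission."""
    found = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            found.append((src, tgt, m.group("tclass"), perm))
    return found


def summarize(denials):
    """Count denials as {source_type: {(target_type, tclass): {perm: count}}}."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for src, tgt, tclass, perm in denials:
        summary[src][(tgt, tclass)][perm] += 1
    return summary


def allow_rules(denials):
    """Render audit2allow-style rules, one per (src, tgt, class), permissions merged and deduplicated."""
    merged = defaultdict(set)
    for src, tgt, tclass, perm in denials:
        merged[(src, tgt, tclass)].add(perm)
    rules = []
    for src, tgt, tclass in sorted(merged):
        perms = sorted(merged[(src, tgt, tclass)])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


def write_like_denials(denials):
    """Unique denials whose permission would widen write access; review these before allowing anything."""
    return sorted({d for d in denials if d[3] in WRITE_LIKE})


if __name__ == "__main__":
    # Pass a real audit.log path to summarize it; without one, the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LOG
    found = parse_avc_denials(lines)
    for src, targets in sorted(summarize(found).items()):
        print(f"#============= {src} ==============")
        for (tgt, tclass), perms in sorted(targets.items()):
            for perm, count in sorted(perms.items()):
                print(f"# {tgt}:{tclass} {perm} denied {count}x")
    print("\n".join(allow_rules(found)))
    print("# write-like denials to review:")
    for src, tgt, tclass, perm in write_like_denials(found):
        print(f"#   {src} -> {tgt}:{tclass} {perm}")
```

Run it with no arguments to see the sample summary, or with `/var/log/audit/audit.log` as the argument on a host where AVCs are being triaged; the counts show which denials repeat, and the write-like list is the subset worth understanding (which file, which label, why the domain touched it) rather than pasting straight into a policy module.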

These AVCs are not seen in Fedora - others can be seen though. I filed https://bugzilla.redhat.com/show_bug.cgi?id=1122110 to track it.

We will track in 4.0.2 time frame.

I did not see any AVCs with freeipa-server-4.0.0GIT359dfe5-0.fc20.x86_64 and selinux-policy-3.12.1-181.fc20.noarch; the selinux-policy Bugzilla was fixed.

This ticket can therefore be closed.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.0.2

7 years ago
