Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1117739
Description of problem:
While installing IPA Server, a lot of AVC denial messages are shown, though this is not a blocker and the installation is successful.

Version-Release number of selected component (if applicable):
[root@hp-dl380pgen8-02-vm-4 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-42.el6.x86_64
pki-ca-9.0.3-36.el6.noarch
[root@hp-dl380pgen8-02-vm-4 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server on latest RHEL-6.6 build
2. Look in audit.log
3.

Actual results:
There are a lot of AVC denied messages in audit.log

Expected results:
There should not be any AVC denied message in audit.log

Additional info:
(1)
[root@hp-dl380pgen8-02-vm-4 ~]# cat /var/log/audit/audit.log |audit2allow

#============= certmonger_t ==============
#!!!! The source type 'certmonger_t' can write to a 'dir' of the following types:
# cert_t, mnt_t, pki_tks_cert_t, pki_ocsp_cert_t, dirsrv_config_t, var_lib_t, var_run_t, pki_ca_cert_t, pki_kra_cert_t, certmonger_var_lib_t, certmonger_var_run_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t
allow certmonger_t tmp_t:dir write;
allow certmonger_t tmpfs_t:dir search;

#============= chkpwd_t ==============
#!!!! The source type 'chkpwd_t' can write to a 'dir' of the following type:
# mnt_t
allow chkpwd_t tmp_t:dir write;

#============= dirsrv_t ==============
allow dirsrv_t lib_t:file relabelto;

#============= httpd_t ==============
allow httpd_t httpd_tmp_t:file relabelfrom;

#============= kadmind_t ==============
allow kadmind_t kadmind_tmp_t:file relabelfrom;

#============= krb5kdc_t ==============
allow krb5kdc_t krb5kdc_tmp_t:file relabelfrom;

#============= named_t ==============
allow named_t named_tmp_t:file relabelfrom;

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file relabelfrom;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;

#============= sshd_t ==============
allow sshd_t lib_t:file relabelto;

#============= sssd_t ==============
allow sssd_t lib_t:file relabelto;
[root@hp-dl380pgen8-02-vm-4 ~]#
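Added example, not part of the ticket or of audit2allow itself: a small Python script that aggregates raw AVC denial records from audit.log into the per-source-type "allow" summary shown above, adding a hit count per rule so a reviewer can see which denials recur and which are one-offs. The audit lines it reads are constructed samples that mirror the certmonger_t and dirsrv_t entries in the report, not the reporter's log.

```python
import re
from collections import defaultdict

# Constructed sample records, not the reporter's audit.log; they mirror the
# certmonger_t and dirsrv_t denials that audit2allow summarised above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1405500000.101:201): avc:  denied  { write } for  pid=2301 comm="certmonger" name="tmp" dev=dm-0 ino=131073 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1405500000.102:202): avc:  denied  { search } for  pid=2301 comm="certmonger" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1405500000.103:203): avc:  denied  { write } for  pid=2301 comm="certmonger" name="tmp" dev=dm-0 ino=131073 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1405500000.104:204): avc:  denied  { relabelto } for  pid=2410 comm="ns-slapd" name="libexample.so" dev=dm-0 ino=7 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1405500000.104:204): arch=c000003e syscall=188 success=no exit=-13 pid=2410 comm="ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
"""
# One AVC record: permissions in braces, then source/target contexts and object class.
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def context_type(ctx):
    """Return the type field of an SELinux context 'user:role:type[:level]'."""
    return ctx.split(':')[2]

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        for perm in m.group('perms').split():
            yield (context_type(m.group('scontext')),
                   context_type(m.group('tcontext')), m.group('tclass'), perm)

def summarize_denials(log_text):
    """Collapse repeated denials into allow-style rules with a hit count, by source type."""
    counts = defaultdict(int)
    for key in parse_avc_denials(log_text):
        counts[key] += 1
    rules = defaultdict(list)
    for (stype, ttype, tclass, perm), n in sorted(counts.items()):
        rules[stype].append(("allow %s %s:%s %s;" % (stype, ttype, tclass, perm), n))
    return dict(rules)

def format_report(rules):
    """Render the summary in the sectioned layout audit2allow uses, plus counts."""
    lines = []
    for stype in sorted(rules):
        lines.append("#============= %s ==============" % stype)
        lines.extend("%s  # seen %d time(s)" % (r, n) for r, n in rules[stype])
    return "\n".join(lines)
```

On a real host, pass the contents of /var/log/audit/audit.log to summarize_denials() and print format_report() of the result; the counts make it easier to tell a one-off denial during installation from one that repeats on every service start.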
These AVCs are not seen in Fedora - others can be seen though. I filed https://bugzilla.redhat.com/show_bug.cgi?id=1122110 to track it.
We will track in 4.0.2 time frame.
I did not see any AVCs with freeipa-server-4.0.0GIT359dfe5-0.fc20.x86_64 and selinux-policy-3.12.1-181.fc20.noarch, selinux-policy Bugzilla was fixed.
This ticket can be therefore closed.
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.0.2