A standard Custodia daemon can work with limited permissions and as a non-root user. However, an ipa-custodia instance requires more privileges and access to very sensitive files in order to provide functionality for ipa-replica-install. Therefore it must run as the root user with a different SELinux context.
Custodia must be able to read:
Additional resources:
For reference, here is an old Custodia ticket that explains the SELinux policies in greater detail: https://github.com/latchset/custodia/issues/56
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434032
Issue linked to bug 1434032
Metadata Update from @pvoborni: - Issue priority set to: 1 - Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @pvoborni: - Issue assigned to cheimes
Metadata Update from @pvoborni: - Issue tagged with: integration, rfe
ipa-4-5:
403263d Use Custodia 0.3.1 features
master:
f5bf546 Use Custodia 0.3.1 features
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
sepolicy generate --init -u system_u -r system_r -n ipa_custodia -w /etc/ipa/custodia -- /usr/libexec/ipa/ipa-custodia
type=SERVICE_START msg=audit(1492619860.221:1135): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-custodia comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1492619860.226:1136): avc: denied { execute } for pid=32681 comm="ipa-custodia" path="/usr/bin/python2.7" dev="vda3" ino=99582 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1137): avc: denied { read } for pid=32681 comm="ipa-custodia" name="passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1138): avc: denied { open } for pid=32681 comm="ipa-custodia" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.234:1139): avc: denied { getattr } for pid=32681 comm="ipa-custodia" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1140): avc: denied { execute } for pid=32682 comm="ipa-custodia" name="ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1141): avc: denied { read open } for pid=32682 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.361:1142): avc: denied { execute_no_trans } for pid=32682 comm="ipa-custodia" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619860.386:1143): avc: denied { getattr } for pid=32681 comm="ipa-custodia" path="/run/httpd/ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619860.386:1144): avc: denied { write } for pid=32681 comm="ipa-custodia" name="httpd" dev="tmpfs" ino=18434 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1145): avc: denied { remove_name } for pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1146): avc: denied { unlink } for pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" dev="tmpfs" ino=126130 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619860.386:1147): avc: denied { add_name } for pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619860.386:1148): avc: denied { create } for pid=32681 comm="ipa-custodia" name="ipa-custodia.sock" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619971.570:1165): avc: denied { connectto } for pid=32033 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492619971.615:1166): avc: denied { read } for pid=32707 comm="ipa-custodia" name="resolv.conf" dev="vda3" ino=4302896 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1492619971.615:1167): avc: denied { read } for pid=32707 comm="ipa-custodia" name="resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1168): avc: denied { open } for pid=32707 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1169): avc: denied { getattr } for pid=32707 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.616:1170): avc: denied { write } for pid=32707 comm="ipa-custodia" name="slapd-IPA-EXAMPLE.socket" dev="tmpfs" ino=138276 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492619971.617:1171): avc: denied { connectto } for pid=32707 comm="ipa-custodia" path="/run/slapd-IPA-EXAMPLE.socket" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492619971.623:1172): avc: denied { dac_override } for pid=32707 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492619971.624:1173): avc: denied { search } for pid=32707 comm="ipa-custodia" name="pki-tomcat" dev="vda3" ino=4194412 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.624:1174): avc: denied { read } for pid=32707 comm="ipa-custodia" name="password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1175): avc: denied { open } for pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1176): avc: denied { getattr } for pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.625:1177): avc: denied { write } for pid=32707 comm="ipa-custodia" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.625:1178): avc: denied { add_name } for pid=32707 comm="ipa-custodia" name="tmp1NDOoL" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.626:1179): avc: denied { create } for pid=32707 comm="ipa-custodia" name="tmp1NDOoL" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.626:1180): avc: denied { create } for pid=32707 comm="ipa-custodia" name="nsspwfile" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.626:1181): avc: denied { write open } for pid=32707 comm="ipa-custodia" path="/tmp/tmp1NDOoL/nsspwfile" dev="tmpfs" ino=145681 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.628:1182): avc: denied { execute } for pid=32708 comm="ipa-custodia" name="pk12util" dev="vda3" ino=105109 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.628:1183): avc: denied { execute_no_trans } for pid=32708 comm="ipa-custodia" path="/usr/bin/pk12util" dev="vda3" ino=105109 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1184): avc: denied { getattr } for pid=32708 comm="pk12util" path="/etc/pki/pki-tomcat/alias/secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1185): avc: denied { read } for pid=32708 comm="pk12util" name="secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1186): avc: denied { open } for pid=32708 comm="pk12util" path="/etc/pki/pki-tomcat/alias/secmod.db" dev="vda3" ino=12660086 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1187): avc: denied { getattr } for pid=32708 comm="pk12util" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1188): avc: denied { read } for pid=32708 comm="pk12util" name="passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.631:1189): avc: denied { open } for pid=32708 comm="pk12util" path="/etc/passwd" dev="vda3" ino=4302880 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.632:1190): avc: denied { read } for pid=32708 comm="pk12util" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.632:1191): avc: denied { write } for pid=32708 comm="pk12util" name="cert8.db" dev="vda3" ino=12660087 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.639:1192): avc: denied { remove_name } for pid=32707 comm="ipa-custodia" name="pk12file" dev="tmpfs" ino=145686 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.639:1193): avc: denied { unlink } for pid=32707 comm="ipa-custodia" name="pk12file" dev="tmpfs" ino=145686 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.639:1194): avc: denied { rmdir } for pid=32707 comm="ipa-custodia" name="tmp1NDOoL" dev="tmpfs" ino=145680 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.641:1195): avc: denied { write } for pid=32707 comm="ipa-custodia" name="/" dev="vda3" ino=96 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.641:1196): avc: denied { add_name } for pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.642:1197): avc: denied { create } for pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1198): avc: denied { read append } for pid=32707 comm="ipa-custodia" name="custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1199): avc: denied { open } for pid=32707 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.642:1200): avc: denied { getattr } for pid=32707 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1201): avc: denied { read } for pid=32716 comm="openssl" name="openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1202): avc: denied { open } for pid=32716 comm="openssl" path="/etc/pki/tls/openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1203): avc: denied { getattr } for pid=32716 comm="openssl" path="/etc/pki/tls/openssl.cnf" dev="vda3" ino=4274427 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1204): avc: denied { read } for pid=32716 comm="openssl" name="ra-agent.pem" dev="vda3" ino=4593205 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1205): avc: denied { open } for pid=32716 comm="openssl" path="/var/lib/ipa/ra-agent.pem" dev="vda3" ino=4593205 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619973.033:1206): avc: denied { getattr } for pid=32716 comm="openssl" path="/var/lib/ipa/ra-agent.key" dev="vda3" ino=4593204 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
No AVA?
type=AVC msg=audit(1492620275.833:1207): avc: denied { write } for pid=369 comm="ipa-custodia" name="slapd-IPA-EXAMPLE.socket" dev="tmpfs" ino=138276 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1492620275.854:1208): avc: denied { read append } for pid=369 comm="ipa-custodia" name="custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.854:1209): avc: denied { open } for pid=369 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.854:1210): avc: denied { getattr } for pid=369 comm="ipa-custodia" path="/custodia.audit.log" dev="vda3" ino=337570 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620275.960:1220): avc: denied { connectto } for pid=371 comm="ipa-custodia" path="/run/slapd-IPA-EXAMPLE.socket" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492620422.930:1224): avc: denied { connectto } for pid=32037 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1492620422.990:1225): avc: denied { write } for pid=426 comm="ipa-custodia" name="tmp" dev="tmpfs" ino=145482 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1226): avc: denied { add_name } for pid=426 comm="ipa-custodia" name="tmpXRGWNf" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1227): avc: denied { create } for pid=426 comm="ipa-custodia" name="tmpXRGWNf" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620422.990:1228): avc: denied { create } for pid=426 comm="ipa-custodia" name="nsspwfile" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620422.990:1229): avc: denied { write open } for pid=426 comm="ipa-custodia" path="/tmp/tmpXRGWNf/nsspwfile" dev="tmpfs" ino=147831 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1230): avc: denied { execute } for pid=428 comm="pki" name="ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1231): avc: denied { read open } for pid=428 comm="pki" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.021:1232): avc: denied { execute_no_trans } for pid=428 comm="pki" path="/usr/sbin/ldconfig" dev="vda3" ino=4273573 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.040:1233): avc: denied { execute } for pid=429 comm="pki" name="bash" dev="vda3" ino=54879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.040:1234): avc: denied { execute_no_trans } for pid=429 comm="pki" path="/usr/bin/bash" dev="vda3" ino=54879 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.049:1235): avc: denied { read } for pid=433 comm="java" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.050:1236): avc: denied { read } for pid=433 comm="java" name="hsperfdata_root" dev="tmpfs" ino=147840 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.050:1237): avc: denied { execmem } for pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1492620423.252:1238): avc: denied { create } for pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492620423.252:1239): avc: denied { read } for pid=433 comm="java" name="if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.252:1240): avc: denied { open } for pid=433 comm="java" path="/proc/433/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.252:1241): avc: denied { getattr } for pid=433 comm="java" path="/proc/433/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.255:1242): avc: denied { getattr } for pid=433 comm="java" path="/etc/pki/pki-tomcat/alias" dev="vda3" ino=12660069 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.288:1243): avc: denied { read } for pid=433 comm="java" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.288:1244): avc: denied { open } for pid=433 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.288:1245): avc: denied { getattr } for pid=433 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620423.338:1246): avc: denied { read } for pid=433 comm="java" name="cacerts" dev="vda3" ino=74910 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1492620423.339:1247): avc: denied { getattr } for pid=433 comm="java" path="/etc/pki/ca-trust/extracted/java/cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.339:1248): avc: denied { read } for pid=433 comm="java" name="cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.339:1249): avc: denied { open } for pid=433 comm="java" path="/etc/pki/ca-trust/extracted/java/cacerts" dev="vda3" ino=8711278 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.756:1250): avc: denied { remove_name } for pid=433 comm="java" name="433" dev="tmpfs" ino=147841 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620423.756:1251): avc: denied { unlink } for pid=433 comm="java" name="433" dev="tmpfs" ino=147841 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620423.770:1252): avc: denied { rmdir } for pid=426 comm="ipa-custodia" name="tmpXRGWNf" dev="tmpfs" ino=147830 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492620450.606:1253): avc: denied { execute } for pid=482 comm="ipa-custodia" name="pki" dev="vda3" ino=830563 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620450.606:1254): avc: denied { execute_no_trans } for pid=482 comm="ipa-custodia" path="/usr/bin/pki" dev="vda3" ino=830563 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620601.214:1255): avc: denied { read } for pid=592 comm="java" name="if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620601.214:1256): avc: denied { open } for pid=592 comm="java" path="/proc/592/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620601.214:1257): avc: denied { getattr } for pid=592 comm="java" path="/proc/592/net/if_inet6" dev="proc" ino=4026532096 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.926:1258): avc: denied { read } for pid=617 comm="ipa-custodia" name="resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.926:1259): avc: denied { open } for pid=617 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.926:1260): avc: denied { getattr } for pid=617 comm="ipa-custodia" path="/run/NetworkManager/resolv.conf" dev="tmpfs" ino=21863 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492620638.995:1261): avc: denied { execmem } for pid=624 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
type=AVC msg=audit(1492620639.221:1262): avc: denied { create } for pid=624 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1492620639.250:1263): avc: denied { read } for pid=624 comm="java" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.250:1264): avc: denied { open } for pid=624 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.250:1265): avc: denied { getattr } for pid=624 comm="java" path="/dev/random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1492620639.299:1266): avc: denied { read } for pid=624 comm="java" name="cacerts" dev="vda3" ino=74910 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
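A triage pass over AVC records like the ones above, as an added example (not code from this ticket, from FreeIPA or from ipa-custodia-selinux): it parses denials in the audit.log format quoted here, collapses them into the audit2allow-style candidate rules a policy author would start from, and marks the groups that deserve a second look instead of a blanket allow, such as custodia.audit.log being created directly under / (root_t), the dac_override capability, and execmem for the JVM helper. The sample records are constructed in the same format, and the review heuristics are the example's own, not anything the ticket prescribes.

```python
"""Triage of SELinux AVC denials in the audit.log format quoted in this ticket.
Added example (not code from the ticket, FreeIPA or ipa-custodia-selinux): parse
each record, collapse denials into audit2allow-style candidate rules keyed by
(source type, target type, class), and flag groups a policy author should examine
before allowing them. Sample records are constructed; the heuristics are our own."""
import re
from collections import defaultdict

# Constructed sample in the ticket's audit format: six denials plus one non-AVC record.
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(1492619860.221:1135): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=ipa-custodia comm="systemd" res=success'
type=AVC msg=audit(1492619971.624:1174): avc: denied { read } for pid=32707 comm="ipa-custodia" name="password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.624:1175): avc: denied { open } for pid=32707 comm="ipa-custodia" path="/etc/pki/pki-tomcat/password.conf" dev="vda3" ino=4561084 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.641:1195): avc: denied { write } for pid=32707 comm="ipa-custodia" name="/" dev="vda3" ino=96 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1492619971.642:1197): avc: denied { create } for pid=32707 comm="ipa-custodia" name="custodia.audit.log" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1492619971.623:1172): avc: denied { dac_override } for pid=32707 comm="ipa-custodia" capability=1 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1492620423.050:1237): avc: denied { execmem } for pid=433 comm="java" scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
# key=value pairs after "for": values are double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one AVC denial; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; allow rules are written on the type.
    return {
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name") or "",
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(audit_text):
    """Collapse denials into {(stype, ttype, tclass): perms / objects / comms}."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "comms": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        if rec["object"]:
            g["objects"].add(rec["object"])
    return dict(groups)

def allow_rule(key, perms):
    """Render one group as the allow rule audit2allow would print for it."""
    stype, ttype, tclass = key
    target = "self" if stype == ttype else ttype
    return "allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms)))

def review(groups):
    """Pair each candidate rule with a verdict; the heuristics are this example's own."""
    out = []
    for key, g in sorted(groups.items()):
        stype, ttype, tclass = key
        who = ", ".join(sorted(g["comms"]))
        if ttype == "root_t":
            verdict = "INVESTIGATE: %s writes directly under /; fix the configured path first" % who
        elif tclass == "capability":
            verdict = "INVESTIGATE: %s wants %s; prefer fixing file ownership/mode" % (who, " ".join(sorted(g["perms"])))
        elif tclass == "process" and "execmem" in g["perms"]:
            verdict = "INVESTIGATE: execmem for %s weakens W^X for the whole domain" % who
        else:
            verdict = "ALLOW: expected access by %s to %s" % (who, ", ".join(sorted(g["objects"])) or tclass)
        out.append((allow_rule(key, g["perms"]), verdict))
    return out

if __name__ == "__main__":
    for rule, verdict in review(summarize(SAMPLE_AUDIT)):
        print("%-72s # %s" % (rule, verdict))
```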
Attachment: ipa-custodia-selinux.tar.gz (/freeipa/issue/raw/files/7fde4485733c544ba61a549ddf5f2a1b7a1b4b04f7ce1e03e9185b70ca678549-ipa-custodia-selinux.tar.gz)
Cheimes, I added almost all AVCs from your log. Could you repeat the scenario with the new policy?
Thanks.
Attachment: ipa-custodia-selinux.tar.gz (/freeipa/issue/raw/files/d9af71f47adf4c9efbda9ef2d552b6e067ff4cb06e5150840c9c133d1a1e7e92-ipa-custodia-selinux.tar.gz)
SELinux policy is now hosted on GitHub: https://github.com/latchset/ipa-custodia-selinux
Ticket is blocked by https://pagure.io/freeipa/issue/6888
Metadata Update from @cheimes: - Issue status updated to: Open (was: Closed)
PS: So far I have tested the policy on F25 only. It needs to be tested on F26 and RHEL 7.4, too.
I have released a first version of the SELinux policy for ipa-custodia. The policy won't work until /usr/libexec/ipa/ipa-custodia-fixperm.sh is executed after ipa-server-install or ipa-replica-install.
https://github.com/latchset/ipa-custodia-selinux/releases/tag/v0.1.0
As discussed in other channel, finishing this bug in 4.5.1 is out of scope.
Metadata Update from @pvoborni: - Issue priority set to: critical (was: blocker) - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5.1)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone