Bug 1605174 - AVC Denials seen during ipa-server-install
Summary: AVC Denials seen during ipa-server-install
Keywords:
Status: CLOSED DUPLICATE of bug 1603135
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-20 11:39 UTC by Sudhir Menon
Modified: 2018-07-23 10:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-20 11:50:47 UTC
Target Upstream Version:



Description Sudhir Menon 2018-07-20 11:39:37 UTC
Description of problem: AVC Denials seen during ipa-server-install


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-207.el7.noarch
ipa-server-4.6.4-2.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. Install IPA Server

Actual results:
time->Fri Jul 20 06:07:14 2018
type=PROCTITLE msg=audit(1532081234.362:410): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1532081234.362:410): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1532081234.362:410):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1532081234.362:410): arch=c000003e syscall=2 success=no exit=-13 a0=7f956ecae950 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=20747 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1532081234.362:410): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0

time->Fri Jul 20 06:07:14 2018
type=PROCTITLE msg=audit(1532081234.362:411): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1532081234.362:411): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1532081234.362:411):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1532081234.362:411): arch=c000003e syscall=2 success=no exit=-13 a0=7f956ecb2b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=20747 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1532081234.362:411): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Fri Jul 20 06:07:14 2018
type=PROCTITLE msg=audit(1532081234.362:412): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1532081234.362:412): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1532081234.362:412):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1532081234.362:412): arch=c000003e syscall=2 success=no exit=-13 a0=7f956ecb2b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=20747 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1532081234.362:412): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Fri Jul 20 06:07:14 2018
type=PROCTITLE msg=audit(1532081234.362:413): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=PATH msg=audit(1532081234.362:413): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.shares" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1532081234.362:413):  cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1532081234.362:413): arch=c000003e syscall=2 success=no exit=-13 a0=7f956ecb2b30 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=20747 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1532081234.362:413): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----

Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-207.el7.noarch


Expected results: Fix the AVC denials
Additional info:
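
Every AVC record above reports name="/", so the file the JVM tried to open appears only in the PATH record that shares the same audit serial. As an added example (not part of the original report), this Python script joins records on that serial, decodes the hex proctitle, and collapses the denials into distinct source/target/class/permission tuples. The function names and the abridged sample are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: events 410 and 411 abridged from the ausearch output above
# (proctitle cut to its first two arguments, PATH fields trimmed, CWD/SYSCALL omitted).
SAMPLE = '''time->Fri Jul 20 06:07:14 2018
type=PROCTITLE msg=audit(1532081234.362:410): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365
type=PATH msg=audit(1532081234.362:410): item=0 name="/sys/fs/cgroup/memory/memory.limit_in_bytes" objtype=UNKNOWN
type=AVC msg=audit(1532081234.362:410): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
type=PATH msg=audit(1532081234.362:411): item=0 name="/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us" objtype=UNKNOWN
type=AVC msg=audit(1532081234.362:411): avc:  denied  { search } for  pid=20747 comm="java" name="/" dev="tmpfs" ino=2293 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
'''

RECORD = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.* scontext=(\S+) tcontext=(\S+) tclass=(\S+) permissive=(\d)")

def decode_proctitle(value):
    """Hex proctitle values are unquoted; arguments are separated by NUL bytes."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")

def group_denials(log_text):
    """Join records on the audit serial, then collapse AVCs into distinct rules."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # "time->" and "----" separator lines do not match
            events[int(m.group(2))][m.group(1)] = m.group(3)
    rules = {}
    for serial in sorted(events):
        recs = events[serial]
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue
        perms, scon, tcon, tclass, permissive = avc.groups()
        key = (scon.split(":")[2], tcon.split(":")[2], tclass, perms.strip())
        rule = rules.setdefault(key, {"paths": [], "argv": None, "enforced": permissive == "0"})
        path = re.search(r'name="([^"]*)"', recs.get("PATH", ""))
        if path:
            rule["paths"].append(path.group(1))
        title = re.search(r"proctitle=(\S+)", recs.get("PROCTITLE", ""))
        if title and rule["argv"] is None:
            rule["argv"] = decode_proctitle(title.group(1))
    return rules

if __name__ == "__main__":
    for key, rule in group_denials(SAMPLE).items():
        print(key, rule)
```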

Comment 2 Lukas Vrabec 2018-07-20 11:50:47 UTC

*** This bug has been marked as a duplicate of bug 1603135 ***

