Loading...

Type: Bug
Resolution: Won't Do
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.6.0
Component/s: fapolicyd
Labels:
- MigratedToJIRA
- Triaged

Regression:
None
Severity:
None

AssignedTeam:
rhel-security-special-projects
Sub-System Group:

ssg_security

Story Points:
None
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

x86_64
Bugzilla Bug:
RHBZ: 2101919

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
0

Description of problem:
fapolicyd prevents PKI CA from installing on a FIPS + STIG environment

Version-Release number of selected component (if applicable):
fapolicyd-1.1-6.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install FIPS and STIG
2. Install PKI CA

Actual results:
RHCS CA installation fails when fapolicyd is on. Succeeds when fapolicyd is off.

Expected results:
RHCS CA installation should succeed.

Additional info:

ls -lrt /etc/fapolicyd/rules.d
total 48
~~rw-r~~r-. 1 root fapolicyd 456 Jun 3 19:26 10-languages.rules
~~rw-r~~r-. 1 root fapolicyd 131 Jun 3 19:26 20-dracut.rules
~~rw-r~~r-. 1 root fapolicyd 205 Jun 3 19:26 21-updaters.rules
~~rw-r~~r-. 1 root fapolicyd 225 Jun 3 19:26 30-patterns.rules
~~rw-r~~r-. 1 root fapolicyd 101 Jun 3 19:26 40-bad-elf.rules
~~rw-r~~r-. 1 root fapolicyd 71 Jun 3 19:26 42-trusted-elf.rules
~~rw-r~~r-. 1 root fapolicyd 248 Jun 3 19:26 41-shared-obj.rules
~~rw-r~~r-. 1 root fapolicyd 143 Jun 3 19:26 70-trusted-lang.rules
~~rw-r~~r-. 1 root fapolicyd 96 Jun 3 19:26 72-shell.rules
~~rw-r~~r-. 1 root fapolicyd 76 Jun 3 19:26 90-deny-execute.rules
~~rw-r~~r-. 1 root fapolicyd 69 Jun 3 19:48 95-allow-open.rules
~~rw-r~~r-. 1 root fapolicyd 238 Jun 3 19:52 pki.rules

cat /etc/fapolicyd/rules.d/pki.rules
allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/topology-02-CA/work/Catalina/localhost/
allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive

cat /etc/fapolicyd/rules.d/95-allow-open.rules
Allow everything else to open any file

allow perm=open all : all

CA logs:
Installation failed:
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">body

{font-family:Tahoma,Arial,sans-serif;}

h1, h2, h3, b

color: Color value is invalid

h1

{font-size:22px;}

h2

{font-size:16px;}

h3

{font-size:14px;}

p

{font-size:12px;}

a

color: Color value is invalid

.line

{height:1px;background-color:#525D76;border:none;}

</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> org.apache.jasper.JasperException: Unable to compile class for JSP</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.apache.jasper.JasperException: org.apache.jasper.JasperException: Unable to compile class for JSP
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:605)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:423)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
</pre><p><b>Root Cause</b></p><pre>org.apache.jasper.JasperException: Unable to compile class for JSP
org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:117)
org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:228)
org.apache.jasper.compiler.AntCompiler.generateClass(AntCompiler.java:266)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:392)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:362)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:346)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:605)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:400)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
</pre><p><b>Root Cause</b></p><pre>Compile failed; see the compiler error output for details.
org.apache.tools.ant.taskdefs.Javac.compile(Javac.java:1425)
org.apache.tools.ant.taskdefs.Javac.execute(Javac.java:1133)
org.apache.jasper.compiler.AntCompiler.generateClass(AntCompiler.java:232)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:392)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:362)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:346)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:605)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:400)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
java.security.AccessController.doPrivileged(Native Method)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>

Please check the CA logs in /var/log/pki/topology-02-CA/ca.

external trackers

Red Hat Issue Tracker RHELPLAN-126538

Red Hat Issue Tracker SECENGSP-4668

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates