RHEL-75585

AVC denial error messages and incorrect selinux fcontext in PKI installations with custom instance name

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.0
    • rhel-10.0
    • dogtag-pki
    • None
    • dogtag-pki-11.6.0-1.el10
    • Yes
    • Important
    • rhel-sst-idm-cs
    • ssg_idm
    • 0
    • Dev ack
    • False
    • None
    • No
    • None
    • Pass
    • python3-idm-pki-11.6.0-1.el10.noarch
      idm-pki-base-11.6.0-1.el10.noarch
      idm-jss-5.6.0-1.el10.x86_64
      idm-pki-java-11.6.0-1.el10.noarch
      idm-pki-tools-11.6.0-1.el10.x86_64
      idm-jss-tomcat-5.6.0-1.el10.x86_64
      idm-pki-server-11.6.0-1.el10.noarch
      idm-pki-ca-11.6.0-1.el10.noarch
      idm-pki-kra-11.6.0-1.el10.noarch
    • Automated
    • Unspecified Release Note Type - Unknown
    • None

      What were you trying to do that didn't work?

      CA/KRA installations with custom instance names generate AVC denial error messages and incorrect selinux fcontext.

      What is the impact of this issue to you?

      Incorrect fcontext and AVC denial error messages affecting file/directory read permissions at the time of installation and pkidestroy.

      Please provide the package NVR for which the bug is seen:

      dogtag-pki-11.6.0-0.2.alpha2.el10.src.rpm

      jss-5.6.0-0.1.alpha1.el10.src.rpm

      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install CA subsystem with a custom name, e.g. topology-00-CA, on RHEL 10.0 nightly build
      2. Check /var/log/audit/audit.log file
      3. Check fcontext of the PKI CA directories

      Expected results

      SELinux fcontext should be correctly configured at installation.

      Actual results

      Content of /var/log/audit/audit.log:

      type=AVC msg=audit(1737461549.580:1797): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
      type=SYSCALL msg=audit(1737461549.580:1797): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=5566a1e8e290 a2=7ffde0d94bd0 a3=0 items=0 ppid=1 pid=10499 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
      type=PROCTITLE msg=audit(1737461549.580:1797): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
      type=AVC msg=audit(1737461549.580:1798): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
      type=SYSCALL msg=audit(1737461549.580:1798): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=5566a1e8e180 a2=7ffde0d94bd0 a3=0 items=0 ppid=1 pid=10499 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
      type=PROCTITLE msg=audit(1737461549.580:1798): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
      type=AVC msg=audit(1737461549.581:1799): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
      type=SYSCALL msg=audit(1737461549.581:1799): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=5566a1e8de00 a2=7ffde0d94bd0 a3=0 items=0 ppid=1 pid=10499 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
      type=PROCTITLE msg=audit(1737461549.581:1799): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
      type=AVC msg=audit(1737461549.581:1800): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
      type=SYSCALL msg=audit(1737461549.581:1800): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=5566a1e8dd60 a2=7ffde0d94bd0 a3=0 items=0 ppid=1 pid=10499 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
      type=PROCTITLE msg=audit(1737461549.581:1800): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
      type=AVC msg=audit(1737461549.581:1801): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
      type=SYSCALL msg=audit(1737461549.581:1801): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=5566a1e6bc80 a2=7ffde0d94bd0 a3=0 items=0 ppid=1 pid=10499 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
      type=PROCTITLE msg=audit(1737461549.581:1801): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
      type=SERVICE_START msg=audit(1737461549.585:1802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-00-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

      Selinux context:

      # ls -lZ /var/lib/pki/
      total 0
      drwxrwx---. 7 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 128 Jan 21 07:12 topology-00-CA
      
      
      [root@pki1 test_dir]# ls -lZ /var/lib/pki/topology-00-CA/
      total 0
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    38 Jan 21 07:10 alias -> /var/lib/pki/topology-00-CA/conf/alias
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    21 Jan 21 07:10 bin -> /usr/share/tomcat/bin
      drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    89 Jan 21 07:10 ca
      drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    17 Jan 21 07:10 common
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    23 Jan 21 07:10 conf -> /etc/pki/topology-00-CA
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    25 Jan 21 07:10 lib -> /usr/share/pki/server/lib
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    27 Jan 21 07:10 logs -> /var/log/pki/topology-00-CA
      drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0     6 Jan 21 07:10 temp
      drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:tomcat_var_lib_t:s0  6 Jan 21 07:12 webapps
      drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    22 Jan 21 07:12 work
      
      
      [root@pki1 test_dir]# ls -lZ /var/lib/pki/topology-00-CA/conf/
      total 48
      drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    95 Jan 21 07:12 alias
      drwxrwx---. 4 pkiuser pkiuser unconfined_u:object_r:cert_t:s0  4096 Jan 21 07:10 ca
      drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    23 Jan 21 07:10 Catalina
      -rw-r--r--. 1 pkiuser pkiuser system_u:object_r:cert_t:s0     19379 Jan 21 07:12 catalina.policy
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    46 Jan 21 07:10 catalina.properties -> /usr/share/pki/server/conf/catalina.properties
      drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:cert_t:s0   145 Jan 21 07:11 certs
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    23 Jan 21 07:10 context.xml -> /etc/tomcat/context.xml
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    45 Jan 21 07:10 logging.properties -> /usr/share/pki/server/conf/logging.properties
      -rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    71 Jan 21 07:10 password.conf
      -rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    32 Jan 21 07:12 serverCertNick.conf
      -rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0  8250 Jan 21 07:12 server.xml
      -rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0  1896 Jan 21 07:12 tomcat.conf
      lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0    19 Jan 21 07:10 web.xml -> /etc/tomcat/web.xml
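      Added triage example (not part of this report and not dogtag-pki project code): a Python script that parses the AVC and PROCTITLE records quoted above, decodes the hex-encoded proctitle, aggregates denials by source type / target type / object class / permission, and flags entries of the ls -lZ listing whose label looks inherited from the installer process rather than applied from a file-context rule. The sample input is constructed from lines on this page (records 1797 and 1801 and three entries of the instance directory). The expectation that instance directories should carry a pki_tomcat_* type, as the default pki-tomcat instance does, is my assumption and is a parameter of the check.

```python
import re
from collections import Counter

# Constructed sample input: two of the AVC records and their PROCTITLE
# records from the bug report above (other record types are skipped).
AUDIT_LOG = """\
type=AVC msg=audit(1737461549.580:1797): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=PROCTITLE msg=audit(1737461549.580:1797): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737461549.581:1801): avc:  denied  { read } for  pid=10499 comm="pkidaemon" name="conf" dev="vda2" ino=20973542 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=PROCTITLE msg=audit(1737461549.581:1801): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
"""

# Constructed sample input: three entries from "ls -lZ /var/lib/pki/topology-00-CA/".
LS_LZ = """\
total 0
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    23 Jan 21 07:10 conf -> /etc/pki/topology-00-CA
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0    89 Jan 21 07:10 ca
drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:tomcat_var_lib_t:s0  6 Jan 21 07:12 webapps
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
PROCTITLE_RE = re.compile(
    r'^type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<value>\S+)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(value):
    """auditd hex-encodes proctitle when the raw value contains NUL, space or
    quotes; the argv entries inside are NUL-separated."""
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode('utf-8', errors='replace').replace('\x00', ' ')


def parse_audit(text):
    """Return one dict per AVC record, with the decoded proctitle of the same
    event serial attached (records sharing a serial belong to one event)."""
    proctitles, avcs = {}, []
    for line in text.splitlines():
        m = PROCTITLE_RE.match(line)
        if m:
            proctitles[m['serial']] = decode_proctitle(m['value'])
            continue
        m = AVC_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['fields'])}
            avcs.append({'serial': m['serial'], 'ts': m['ts'], 'verdict': m['verdict'],
                         'perms': m['perms'].split(), **fields})
    for a in avcs:
        a['proctitle'] = proctitles.get(a['serial'])
    return avcs


def type_of(context):
    return context.split(':')[2]   # user:role:type:range


def summarize(avcs):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for a in avcs:
        if a['verdict'] != 'denied':
            continue
        for perm in a['perms']:
            counts[(type_of(a['scontext']), type_of(a['tcontext']), a['tclass'], perm)] += 1
    return counts


def parse_ls_lz(listing):
    """Parse 'ls -lZ' lines into dicts; skips the 'total N' header."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        name, _, target = ' '.join(parts[9:]).partition(' -> ')
        entries.append({'mode': parts[0], 'context': parts[4],
                        'name': name, 'target': target or None})
    return entries


def suspicious_labels(entries, expected_prefix='pki_tomcat_'):
    """Map entry name -> reasons its label does not look policy-applied.
    setfiles/restorecon write the whole context from the fc entry (user
    system_u), so a file carrying unconfined_u got its label by inheriting the
    creating process's context instead. The expected type family is an
    assumption passed in as expected_prefix."""
    flagged = {}
    for e in entries:
        user, _role, type_, *_ = e['context'].split(':')
        reasons = []
        if user == 'unconfined_u':
            reasons.append('seuser unconfined_u: label inherited, not from fcontext')
        if not type_.startswith(expected_prefix):
            reasons.append(f'type {type_} outside {expected_prefix}* family')
        if reasons:
            flagged[e['name']] = reasons
    return flagged


if __name__ == '__main__':
    avcs = parse_audit(AUDIT_LOG)
    for key, n in summarize(avcs).items():
        print(n, 'x', key)
    print('command:', avcs[0]['proctitle'])
    for name, reasons in suspicious_labels(parse_ls_lz(LS_LZ)).items():
        print(name, '->', '; '.join(reasons))
```

      Two things the output makes visible that the raw records do not: the proctitle decodes to `/usr/bin/sh /usr/bin/pkidaemon start topology-00-CA`, so the denials come from the instance start-up script, and the denied object is the `conf` symlink itself (tclass=lnk_file, ino=20973542; compare with `ls -ldi /var/lib/pki/topology-00-CA/conf`), because pki_tomcat_t needs read on the link to follow it regardless of how the target under /etc/pki is labeled. On a live host the equivalent checks are `ausearch -m AVC -ts recent | audit2why`, `matchpathcon <path>` against `ls -Z <path>`, a dry-run `restorecon -Rnv /var/lib/pki/<instance>`, and `semanage fcontext -l | grep <instance>` to see whether any instance-specific rule exists at all.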

              rh-ee-mfargett Marco Fargetta
              prisingh@redhat.com Pritam Singh
              RHCS Maintenance RHCS Maintenance
              IdM CS QE IdM CS QE
              Votes: 0
              Watchers: 4