- Bug
- Resolution: Unresolved
- Normal
- rhel-9.6
- None
- pki-core-11.6.0-1.el9
- Yes
- Important
- rhel-sst-idm-cs
- ssg_idm
- 0
- Dev ack
- False
- None
- None
- Pass
- Automated
- None
What were you trying to do that didn't work?
CA/KRA installations with custom instance names generate AVC denial error messages and incorrect selinux fcontext.
What is the impact of this issue to you?
Incorrect fcontext and AVC denial error messages might affect the file/directory read permissions at the time of installation and pkidestroy.
Please provide the package NVR for which the bug is seen:
pki-core-11.6.0-0.3.alpha2.el9.src.rpm
jss-5.6.0-0.1.alpha1.el9.src.rpm
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
How reproducible is this bug?:
Always
Steps to reproduce
- Install a CA subsystem with a custom name, e.g. topology-00-CA, on a RHEL 9.6 nightly build
- Check the /var/log/audit/audit.log file
- Check the fcontext of the PKI CA directories
Expected results
The SELinux fcontext should be correctly configured at installation.
Actual results
Content of /var/log/audit/audit.log:
type=AVC msg=audit(1737470696.116:999): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:999): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6e440 a2=7ffc3661da50 a3=0 items=0 ppid=1 pid=11876 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
type=PROCTITLE msg=audit(1737470696.116:999): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737470696.116:1000): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:1000): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6e330 a2=7ffc3661da50 a3=0 items=0 ppid=1 pid=11876 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
type=PROCTITLE msg=audit(1737470696.116:1000): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737470696.116:1001): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:1001): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6dfb0 a2=7ffc3661da50 a3=0 items=0 ppid=1 pid=11876 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
type=PROCTITLE msg=audit(1737470696.116:1001): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737470696.116:1002): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:1002): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6df10 a2=7ffc3661da50 a3=0 items=0 ppid=1 pid=11876 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
type=PROCTITLE msg=audit(1737470696.116:1002): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737470696.116:1003): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:1003): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f4be80 a2=7ffc3661da50 a3=0 items=0 ppid=1 pid=11876 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="pkiuser" GID="pkiuser" EUID="pkiuser" SUID="pkiuser" FSUID="pkiuser" EGID="pkiuser" SGID="pkiuser" FSGID="pkiuser"
type=PROCTITLE msg=audit(1737470696.116:1003): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=SERVICE_START msg=audit(1737470696.121:1004): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-00-CA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
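The denial records above can be triaged mechanically. The following is an added Python example, not code from this report or from pki-core: it groups audit.log records by event id, pairs each AVC record with the PROCTITLE record of the same event, decodes the hex-encoded proctitle to recover the instance name the daemon was started for, and flags denials where a confined PKI domain is refused access to an object that still carries the generic default label for its directory, which is the pattern the records above show. The embedded sample log is constructed from the first two denials quoted above (trimmed), and the filter values (pki_tomcat_t, var_lib_t) are the labels seen in those records.

```python
"""Triage SELinux AVC denials from audit.log and recover the PKI instance name.

Added example, not code from the bug report or from pki-core. The sample log
is constructed from the first two denials quoted in the report (shortened);
the filter values (pki_tomcat_t, var_lib_t) are the labels seen in them.
"""
import re
from collections import defaultdict

# Constructed sample: two denial events (AVC + SYSCALL + PROCTITLE each) and
# the SERVICE_START record, copied from the report and trimmed.
SAMPLE_LOG = """\
type=AVC msg=audit(1737470696.116:999): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:999): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6e440 pid=11876 uid=17 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1737470696.116:999): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=AVC msg=audit(1737470696.116:1000): avc: denied { read } for pid=11876 comm="pkidaemon" name="conf" dev="vda1" ino=41962882 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1737470696.116:1000): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=555bc5f6e330 pid=11876 uid=17 comm="pkidaemon" exe="/usr/bin/bash" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1737470696.116:1000): proctitle=2F7573722F62696E2F7368002F7573722F62696E2F706B696461656D6F6E00737461727400746F706F6C6F67792D30302D4341
type=SERVICE_START msg=audit(1737470696.121:1004): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=pki-tomcatd@topology-00-CA comm="systemd" exe="/usr/lib/systemd/systemd" res=success'
"""

# type=<TYPE> msg=audit(<seconds>:<serial>): <body>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# key=value pairs; quoted values keep their quotes so hex and plain text stay distinguishable
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_records(text):
    """Group records by audit event id (seconds, serial); one field dict per record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, secs, serial, body = m.groups()
        fields = dict(KV_RE.findall(body))
        if rtype == "AVC":
            perm = PERM_RE.search(body)
            fields["permission"] = perm.group(1) if perm else ""
        events[(secs, serial)][rtype] = fields
    return events


def context_type(ctx):
    """Third field of user:role:type:level."""
    return ctx.split(":")[2]


def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv joined by NUL bytes, unless auditd could
    print it plainly, in which case it is a quoted string."""
    if value is None:
        return []
    if value.startswith('"'):
        return [unquote(value)]
    return [part.decode("utf-8", "replace")
            for part in bytes.fromhex(value).split(b"\0") if part]


def pki_mislabel_denials(text, domain="pki_tomcat_t", generic_types=("var_lib_t",)):
    """Return denials where DOMAIN is refused access to an object carrying a
    generic default label, the signature of a missing or wrong fcontext."""
    findings = []
    for (secs, serial), recs in sorted(parse_records(text).items(),
                                       key=lambda kv: (float(kv[0][0]), int(kv[0][1]))):
        avc = recs.get("AVC")
        if not avc or context_type(avc["scontext"]) != domain:
            continue
        ttype = context_type(avc["tcontext"])
        if ttype not in generic_types:
            continue
        argv = decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle"))
        # "pkidaemon start <instance>" as in the report: the instance is the last argument
        instance = argv[-1] if len(argv) >= 2 and argv[-2] == "start" else None
        findings.append({
            "serial": serial,
            "permission": avc["permission"],
            "tclass": avc.get("tclass"),
            "target": unquote(avc.get("name", "")),
            "source_type": domain,
            "target_type": ttype,
            "argv": argv,
            "instance": instance,
        })
    return findings


if __name__ == "__main__":
    for f in pki_mislabel_denials(SAMPLE_LOG):
        print(f"event {f['serial']}: {f['source_type']} denied {f['permission']} on "
              f"{f['tclass']} '{f['target']}' labelled {f['target_type']} "
              f"(instance {f['instance']})")
```

Run against a real /var/log/audit/audit.log the filter values can be widened to other generic labels (for example the default type of /etc) to catch the same class of mislabeling on the conf symlink target; the script only reads the log and changes nothing on the system.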
SELinux context:
[root@pki1 test_dir]# ls -lZ /var/lib/pki/
total 0
drwxrwx---. 7 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 128 Jan 21 09:44 topology-00-CA
[root@pki1 test_dir]# ls -lZ /var/lib/pki/topology-00-CA/
total 0
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 38 Jan 21 09:43 alias -> /var/lib/pki/topology-00-CA/conf/alias
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 21 Jan 21 09:43 bin -> /usr/share/tomcat/bin
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 89 Jan 21 09:43 ca
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 17 Jan 21 09:43 common
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 23 Jan 21 09:43 conf -> /etc/pki/topology-00-CA
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 25 Jan 21 09:43 lib -> /usr/share/pki/server/lib
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 27 Jan 21 09:43 logs -> /var/log/pki/topology-00-CA
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 6 Jan 21 09:43 temp
drwxr-xr-x. 2 pkiuser pkiuser system_u:object_r:tomcat_var_lib_t:s0 6 Jan 21 09:44 webapps
drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 22 Jan 21 09:44 work
[root@pki1 test_dir]# ls -lZ /var/lib/pki/topology-00-CA/conf/
total 48
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 95 Jan 21 09:44 alias
drwxrwx---. 4 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 4096 Jan 21 09:43 ca
drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 23 Jan 21 09:43 Catalina
-rw-r--r--. 1 pkiuser pkiuser system_u:object_r:cert_t:s0 19222 Jan 21 09:44 catalina.policy
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 46 Jan 21 09:43 catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 145 Jan 21 09:44 certs
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 23 Jan 21 09:43 context.xml -> /etc/tomcat/context.xml
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 45 Jan 21 09:43 logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 71 Jan 21 09:43 password.conf
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 32 Jan 21 09:44 serverCertNick.conf
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 8250 Jan 21 09:44 server.xml
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 1896 Jan 21 09:44 tomcat.conf
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:cert_t:s0 19 Jan 21 09:43 web.xml -> /etc/tomcat/web.xml
- relates to: RHEL-75585 AVC denial error messages and incorrect selinux fcontext in PKI installations with custom instance name
- Integration
- links to: RHBA-2024:144001 pki-core bug fix and enhancement update