As reported in https://www.redhat.com/archives/freeipa-users/2013-December/msg00040.html
AVC while renewing the ipaCert certificate:
node=ipa2.abaqis.com type=PATH msg=audit(1386103646.841:451293): item=0 name="/var/run/certmonger/tmp-xETTca/ccache" inode=944 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL
node=ipa2.abaqis.com type=CWD msg=audit(1386103646.841:451293): cwd="/"
node=ipa2.abaqis.com type=SYSCALL msg=audit(1386103646.841:451293): arch=c000003e syscall=4 success=yes exit=0 a0=36e1fd5 a1=7fffcc37ea40 a2=7fffcc37ea40 a3=4 items=1 ppid=3731 pid=23883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-retr" exe="/usr/bin/python" subj=system_u:system_r:certmonger_t:s0 key=(null)
node=ipa2.abaqis.com type=AVC msg=audit(1386103646.841:451293): avc: denied { getattr } for pid=23883 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-xETTca/ccache" dev=dm-3 ino=944 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
It appears to be blowing up trying to get a host ticket.
The user is on 3.0 in RHEL 6.4.
Honza is checking the AVC in his test environment.
I wasn't able to reproduce this with:
ipa-server-3.0.0-25.el6.x86_64 selinux-policy-targeted-3.7.19-195.el6.noarch
Erinn, could you please share what the package versions are in the environment in which you see the AVC?
Erinn, we are now trying to reproduce the issue. jcholast was not able to reproduce it; the versions of your packages could help. Thank you.
I just reproduced some issue on RHEL-7.0:
type=AVC msg=audit(1389057043.661:380): avc: denied { name_connect } for pid=28804 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
It happened to me when renewing a certificate on a CA clone. The AVC is a bit different, but there indeed is some issue.
Linking to RHEL 7.0 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1049532
The SELinux in RHEL-7.0 was fixed.
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)
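Added example, not code from this ticket or from the FreeIPA project: a small Python script that turns AVC records like the two quoted above into the allow rules that audit2allow would generate, and, where a SYSCALL record with the same audit serial is present, reports whether the denial was actually enforced (success=yes next to an AVC denial means the access was only logged, as under a permissive domain or permissive mode). The embedded sample log is constructed from the two records in this ticket plus one made-up read/write denial on the same ccache; the module name ipa_certmonger_local is a placeholder, not a real policy module.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules."""
import re
from collections import defaultdict

# Constructed sample log: the two denials quoted in this ticket, the
# SYSCALL record paired with the first one (note success=yes), and one
# made-up extra denial to show permissions being merged per rule.
SAMPLE_AUDIT_LOG = """\
node=ipa2.abaqis.com type=SYSCALL msg=audit(1386103646.841:451293): arch=c000003e syscall=4 success=yes exit=0 pid=23883 uid=0 comm="dogtag-ipa-retr" exe="/usr/bin/python" subj=system_u:system_r:certmonger_t:s0 key=(null)
node=ipa2.abaqis.com type=AVC msg=audit(1386103646.841:451293): avc: denied { getattr } for pid=23883 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-xETTca/ccache" dev=dm-3 ino=944 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1389057043.661:380): avc: denied { name_connect } for pid=28804 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1389057043.662:381): avc: denied { read write } for pid=28804 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-xETTca/ccache" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return (serial, fields) for one audit record; quoted values are unquoted."""
    m = SERIAL_RE.search(line)
    serial = (m.group(1), m.group(2)) if m else None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        fields['perms'] = m.group(1).split()
    return serial, fields


def context_type(ctx):
    """user:role:type:level -> type, the component that allow rules name."""
    return ctx.split(':')[2]


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class).

    Returns (rules, enforced): rules maps that triple to the set of denied
    permissions; enforced maps it to False when the paired SYSCALL record
    says success=yes (denial logged but not enforced) and True otherwise.
    """
    rules = defaultdict(set)
    enforced = {}
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    syscalls = {s: f for s, f in records if s and f.get('type') == 'SYSCALL'}
    for serial, f in records:
        if f.get('type') != 'AVC' or 'perms' not in f:
            continue
        key = (context_type(f['scontext']), context_type(f['tcontext']), f['tclass'])
        rules[key].update(f['perms'])
        sc = syscalls.get(serial)
        if sc is not None:
            enforced[key] = sc.get('success') != 'yes'
    return rules, enforced


def allow_rules(rules):
    """Render one allow rule per (source, target, class), permissions sorted."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def policy_module(rules, name):
    """Render a minimal .te module in the shape audit2allow -M would write."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(rules)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules, enforced = collect_denials(SAMPLE_AUDIT_LOG)
    for key, rule in zip(sorted(rules), allow_rules(rules)):
        state = {True: 'enforced', False: 'NOT enforced'}.get(enforced.get(key), 'unknown')
        print('%-75s # %s' % (rule, state))
    print()
    print(policy_module(rules, 'ipa_certmonger_local'))  # placeholder module name
```

On a real host the same summary comes from `ausearch -m AVC -c dogtag-ipa-retr | audit2allow`, and `audit2allow -M <name>` followed by `semodule -i <name>.pp` installs it as a local module. Whether to ship such a module or to get the distribution policy fixed, as happened for RHEL 7.0 above, is a judgment call; a local module is a reasonable stopgap, while switching certmonger_t to permissive hides the denials rather than resolving them.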