#4070 dogtag-ipa-retrieve-agent-submit AVC
Closed: Fixed. Opened 10 years ago by rcritten.

As reported in https://www.redhat.com/archives/freeipa-users/2013-December/msg00040.html

AVC while renewing the ipaCert certificate:

node=ipa2.abaqis.com type=PATH msg=audit(1386103646.841:451293):
item=0 name="/var/run/certmonger/tmp-xETTca/ccache" inode=944
dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:var_run_t:s0 nametype=NORMAL
node=ipa2.abaqis.com type=CWD msg=audit(1386103646.841:451293):  cwd="/"
node=ipa2.abaqis.com type=SYSCALL msg=audit(1386103646.841:451293):
arch=c000003e syscall=4 success=yes exit=0 a0=36e1fd5 a1=7fffcc37ea40
a2=7fffcc37ea40 a3=4 items=1 ppid=3731 pid=23883 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="dogtag-ipa-retr" exe="/usr/bin/python"
subj=system_u:system_r:certmonger_t:s0 key=(null)
node=ipa2.abaqis.com type=AVC msg=audit(1386103646.841:451293): avc:
denied  { getattr } for  pid=23883 comm="dogtag-ipa-retr"
path="/var/run/certmonger/tmp-xETTca/ccache" dev=dm-3 ino=944
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=file

It appears to be blowing up trying to get a host ticket.

The user is on 3.0 in RHEL 6.4.
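As an added example (not part of the ticket or of FreeIPA/certmonger), a small Python triage helper that groups the audit records quoted above by their `msg=audit(timestamp:serial)` event id and reports each AVC denial with its source and target contexts, object class, permissions and target; the sample input is the ticket's own records, re-joined one record per line where the list archive had wrapped them.

```python
import re
from collections import defaultdict

# Sample input: the audit records quoted in this ticket, one record per line.
AUDIT_LOG = """\
node=ipa2.abaqis.com type=PATH msg=audit(1386103646.841:451293): item=0 name="/var/run/certmonger/tmp-xETTca/ccache" inode=944 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL
node=ipa2.abaqis.com type=CWD msg=audit(1386103646.841:451293):  cwd="/"
node=ipa2.abaqis.com type=SYSCALL msg=audit(1386103646.841:451293): arch=c000003e syscall=4 success=yes exit=0 a0=36e1fd5 a1=7fffcc37ea40 a2=7fffcc37ea40 a3=4 items=1 ppid=3731 pid=23883 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-retr" exe="/usr/bin/python" subj=system_u:system_r:certmonger_t:s0 key=(null)
node=ipa2.abaqis.com type=AVC msg=audit(1386103646.841:451293): avc:  denied  { getattr } for  pid=23883 comm="dogtag-ipa-retr" path="/var/run/certmonger/tmp-xETTca/ccache" dev=dm-3 ino=944 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1389057043.661:380): avc:  denied  { name_connect } for  pid=28804 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value tokens
EVENT_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')    # timestamp:serial
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ts, serial = EVENT_RE.search(line).groups()
    rec["event"] = f"{ts}:{serial}"  # shared by all records of one syscall
    avc = AVC_RE.search(line)
    if avc:
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def summarize_denials(log):
    """Group records by event id and describe each AVC denial found."""
    events = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        rec = parse_record(line)
        events[rec["event"]].append(rec)
    findings = []
    for event_id, recs in events.items():
        by_type = {r["type"]: r for r in recs}
        avc = by_type.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        syscall = by_type.get("SYSCALL", {})  # absent if only the AVC line was kept
        success = syscall.get("success")
        findings.append({
            "event": event_id, "comm": avc.get("comm"), "exe": syscall.get("exe"),
            "scontext": avc["scontext"], "tcontext": avc["tcontext"],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "target": avc.get("path") or avc.get("dest"),  # file path or TCP port
            # success=yes next to a denial means the access still went through,
            # i.e. the domain or system was permissive; None without a SYSCALL record.
            "enforced": None if success is None else success == "no",
        })
    return findings
```

For the first event the SYSCALL record carries `success=yes`, so the helper reports the denial as not enforced; the RHEL-7 record from the later comment has no SYSCALL line, so enforcement is reported as unknown.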
Honza is checking the AVC in his test environment.

I wasn't able to reproduce this with:

ipa-server-3.0.0-25.el6.x86_64
selinux-policy-targeted-3.7.19-195.el6.noarch

Erinn, could you please share the package versions in the environment where you see the AVC?

Erinn, we are now trying to reproduce the issue. jcholast was not able to reproduce it; the versions of your packages could help. Thank you.

I just reproduced some issue on RHEL-7.0:

type=AVC msg=audit(1389057043.661:380): avc:  denied  { name_connect } for  pid=28804 comm="dogtag-ipa-retr" dest=389 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

It happened to me when renewing a certificate on a CA clone. The AVC is a bit different, but there indeed is some issue.

SELinux in RHEL-7.0 was fixed.

Metadata Update from @rcritten (7 years ago):
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3.x - 2014/01 (bug fixing)
