Bug 1024668

Summary: IPA CA replica installation crashes on pkispawn
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: alee, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-30 08:35:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Kosek 2013-10-30 08:23:55 UTC 
Description of problem:
When RHEL-7.0 IPA server with CA enabled is being installed against a RHEL-6.5 IPA CA server, installation will crash:

# ipa-replica-install --setup-ca replica-info-ipa.example.com.gpg 
...
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


pkispawn output:
2013-10-30T10:31:50Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn
2013-10-30T10:32:09Z DEBUG Process finished, return code=1
2013-10-30T10:32:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpvldJpn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


There is an AVC:

type=AVC msg=audit(1383120863.865:3569): avc:  denied  { name_bind } for  pid=31436 comm="httpd"        src=10443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_kra_port_t:s0            tclass=tcp_socket


# ausearch -m avc -ts today | audit2allow 

#============= httpd_t ==============
allow httpd_t pki_kra_port_t:tcp_socket name_bind;


Version-Release number of selected component (if applicable):
ipa-server-3.3.2-5.el7.x86_64
selinux-policy-3.12.1-94.el7.noarch
pki-ca-10.0.5-1.el7.noarch


How reproducible:


Steps to Reproduce:
1. Install IPA server on RHEL-6.5
2. Install IPA replica with CA (--setup-ca) on RHEL-7.0
3.

Actual results:
Installation crashes unless SELinux is disabled

Expected results:
Installation succeeds

Additional info:
Comment 1 Martin Kosek 2013-10-30 08:35:06 UTC 
Please disregard this bug (for now, IPA CA installation is still failing) - this AVC is an interference from my investigation of other bug, I was just mislead by the tcontext "system_u:object_r:pki_kra_port_t:s0" that it is related to the crash.