Bug 1127211
| Field | Value |
|---|---|
| Summary | ipa-server-install --uninstall produces avc |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | David Spurek <dspurek> |
| Component | ipa |
| Assignee | Pavel Picka <ppicka> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 6.5 |
| CC | dpal, ebenes, ksiddiqu, mbasti, mgrepl, pkis, ppicka, pvoborni, rcritten |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ipa-3.0.0-49.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-05-11 00:07:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
David Spurek
2014-08-06 12:00:32 UTC
Your steps are incomplete. I assume you are configuring IPA with DNS? What are the exact options you are passing to the installer? Are you sure this is a regression? I have the feeling the SELinux context isn't being restored for /etc/resolv.conf. What is the context before installation, after installation and after uninstall?

The SELinux context of /etc/resolv.conf is the same before and after installation, I checked it.

```
ls -lZ /etc/resolv.conf
-rw-r--r--. root root system_u:object_r:net_conf_t:s0 /etc/resolv.conf
```

Maybe its context is changed for a while and restored immediately with restorecon, I don't know. I am quite sure that this is a regression; I didn't see this AVC with RHEL 6.5. I may check it. I don't configure IPA with DNS (if DNS still isn't the default option). I use the following command:

```
ipa-server-install --hostname=`hostname` -r "TESTREALM" -n `hostname -d` -p "Secret123" -P "Secret123" -a "Secret123" --unattended --ip-address `hostname -I`
```

(In reply to David Spurek from comment #3)
...
> I am quite sure that this is a regression, I didn't see this avc with rhel
> 6.5.
> I may check it.

Please do. The uninstall part did not change in RHEL-6.6, maybe nscd changed. My best bet is that nscd has an INOTIFY enabled on the resolv.conf after being started in "Removing IPA client configuration". When resolv.conf is then being restored from /var/lib/ipa/... (note the SELinux context var_lib_t) in "Unconfiguring named", nscd tries to read resolv.conf before its context is restored in the next step:

```
# restorecon -Fvv /etc/resolv.conf
restorecon reset /etc/resolv.conf context unconfined_u:object_r:net_conf_t:s0->system_u:object_r:net_conf_t:s0
# ipa-server-install --uninstall --unattended
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
# ausearch -m AVC -ts today
----
time->Thu Aug 7 03:01:29 2014
type=SYSCALL msg=audit(1407394889.954:923): arch=c000003e syscall=2 success=no exit=-13 a0=7f4be83b985a a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=3825 auid=0 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=89 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1407394889.954:923): avc: denied { read } for pid=3825 comm="nscd" name="resolv.conf" dev=dm-1 ino=141639 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
----
time->Thu Aug 7 03:01:29 2014
type=SYSCALL msg=audit(1407394889.954:924): arch=c000003e syscall=2 success=no exit=-13 a0=7f4be83b985a a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=3825 auid=0 uid=28 gid=28 euid=28 suid=28 fsuid=28 egid=28 sgid=28 fsgid=28 tty=(none) ses=89 comm="nscd" exe="/usr/sbin/nscd" subj=unconfined_u:system_r:nscd_t:s0 key=(null)
type=AVC msg=audit(1407394889.954:924): avc: denied { read } for pid=3825 comm="nscd" name="resolv.conf" dev=dm-1 ino=141639 scontext=unconfined_u:system_r:nscd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
# ls -lZ /etc/resolv.conf
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/resolv.conf
```

The AVCs seem to be benign though:

```
# service nscd status
nscd (pid 3825) is running...
```

Update for comment #3, you are right Rob, I am using a setup with DNS:

```
ipa-server-install --hostname=`hostname` -r "TESTREALM" -n `hostname -d` -p "Secret123" -P "Secret123" -a "Secret123" --unattended --ip-address `hostname -I` --setup-dns --no-forwarders
```

I tried downgrading ipa-server to ipa-server-3.0.0-37.el6 and I see the AVCs there as well. So probably some other component has changed. So if this is not a regression, should it be reassigned to some other package?

It may still be a regression, just not caused by the IPA package. David, what leads you to the Regression keyword then? Did you try to downgrade the selinux-policy and nscd packages to the RHEL-6.5 variants and see that the AVC goes away? If this is the case and we know what package caused it, we have our villain.

Yes, it should be reassigned to another package, but I have to determine which package. I added the Regression keyword because I haven't seen these AVCs on a RHEL 6.5 system, so some package has to have changed. I tried downgrading authconfig, but it is OK. selinux-policy and nscd are the next candidates; I will check it.

I downgraded nscd, glibc, bind and selinux-policy. I still see the AVCs. I don't know what the 'Unconfiguring named' part of the uninstall script does. Do you have any other hints on which packages I can try downgrading?

Hm, to me these seem like most of the packages involved in the process. Are you sure that the AVCs cannot be seen in this scenario when tested on a 6.5 snapshot?

(In reply to David Spurek from comment #9)
> I don't know what 'Unconfiguring named' part of uninstall script do.

'Unconfiguring named' restores /etc/named.conf and /etc/resolv.conf from a backup in /var/lib/ipa/... and restores their SELinux context afterwards. Check ipaserver-uninstall.log for details. It also stops and disables named.service.

I tried this on RHEL 6.5 and I still see the AVCs. Unfortunately I didn't see these messages before, so I took this for a 'Regression'. Sorry for the confusion.

Ok, thanks. I wonder though what the proper way to fix it is. This is the task:

- we have a backup of resolv.conf in /var/lib/... with var_lib_t context
- we want to restore it to /etc/resolv.conf and restore the SELinux context as well
- we seem to need to do that atomically because programs like nscd can have INOTIFY on that file and touch it between the move and context restoration steps.

CCing Mirek to advise.

Mirek, any help on this one (see Comment 13)? Is this something solvable or should we just close as CANTFIX?

Is ipa-server-install running as unconfined_t? Do you just move it from /var/lib to /etc using "mv"?

(In reply to Miroslav Grepl from comment #16)
> Is ipa-server-install running as unconfined_t?

Yes:

```
# ps axZ
...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5163 pts/2 S+ 0:00 /usr/bin/python -E /usr/sbin/ipa-server-install
```

> Do you just move it form
> /var/lib to /etc using "mv"?

Yes, by mv (well, the Python variant of it) and then restorecon.

The point is we could run "mv -Z". If this were an atomic, INOTIFY-proof operation, it could work. However, my mv (coreutils-8.21-21.fc20.x86_64) does not have any -Z option:

```
# mv -Z /var/lib/ipa/sysrestore/58ef664b3f90b963-resolv.conf /etc/resolv.conf
mv: invalid option -- 'Z'
Try 'mv --help' for more information.
```

It is by default in F21.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4923

related RHEL7 bug: 1195339

Fix for bz1195339 fixes this issue too.
https://bugzilla.redhat.com/show_bug.cgi?id=1195339#c8
https://bugzilla.redhat.com/show_bug.cgi?id=1195339#c10

Created attachment 1129468 [details]
evidence
Verified
3.0.0-50.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0874.html
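The task spelled out in the thread (move the backup into place and relabel it with no window in which /etc/resolv.conf is readable with var_lib_t) can be met without a labelled `mv -Z`: stage the copy as a temporary file in the destination directory, label the temporary file, then rename it over the target. The following is an added illustration of that pattern, not FreeIPA's own code; the helper names are assumptions, and the labelling step is skipped when the libselinux Python binding is missing or SELinux is disabled.

```python
"""Restore a backed-up file into place without a window where the target
carries the backup's SELinux label (added example, not FreeIPA code).

"mv backup dest; restorecon dest" lets an inotify watcher such as nscd
read dest while it is still var_lib_t.  Here the label goes onto an
unwatched temporary file and rename() swaps it in atomically."""
import os
import shutil
import stat
import tempfile

try:
    import selinux  # libselinux Python binding; absent on non-SELinux hosts
except ImportError:
    selinux = None


def label_for_destination(dest_path, mode):
    """Default SELinux label policy assigns to dest_path, or None when
    SELinux is unavailable/disabled (labelling is then skipped)."""
    if selinux is None or not selinux.is_selinux_enabled():
        return None
    rc, context = selinux.matchpathcon(dest_path, mode)
    return context if rc == 0 else None


def restore_atomically(backup_path, dest_path):
    """Copy backup_path over dest_path atomically; return the label applied
    (None when SELinux is not in play)."""
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    mode = stat.S_IMODE(os.stat(backup_path).st_mode)
    # Stage in the destination directory so rename() stays on one filesystem.
    fd, tmp_path = tempfile.mkstemp(prefix=".restore-", dir=dest_dir)
    try:
        with os.fdopen(fd, "wb") as tmp, open(backup_path, "rb") as src:
            shutil.copyfileobj(src, tmp)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.chmod(tmp_path, mode)
        context = label_for_destination(dest_path, mode)
        if context is not None:
            selinux.setfilecon(tmp_path, context)  # label before it is visible
        os.rename(tmp_path, dest_path)  # atomic: old file or labelled new one
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return context
```

The same sequence applies to /etc/named.conf, which the thread says is restored from the same backup directory in the "Unconfiguring named" step.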