Bug 1211995
| Field | Value |
|---|---|
| Summary | IPA install fails with AVC denial message for pki-core component |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Kaleem <ksiddiqu> |
| Component | pki-core |
| Assignee | Matthew Harmsen <mharmsen> |
| Status | CLOSED DUPLICATE |
| QA Contact | Asha Akkiangady <aakkiang> |
| Severity | urgent |
| Docs Contact | |
| Priority | urgent |
| Version | 6.7 |
| CC | alee, edewata, jgalipea, mkosek, nsoman, pvoborni |
| Target Milestone | rc |
| Keywords | Regression, TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-04-17 17:20:04 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1175457 |
| Bug Blocks | |
| Attachments | |
Created attachment 1014687: related log files

Description of problem:

IPA Server install in the latest RHEL6.7 compose (RHEL-6.7-20150415.n.0) fails with CA instance creation not successful, AVC denial messages for the pki component in audit.log.

```
time->Wed Apr 15 19:13:19 2015
type=SYSCALL msg=audit(1429105399.793:52): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=1 pid=2255 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/bin/gij" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1429105399.793:52): avc: denied { execute } for pid=2255 comm="java" path=2F746D702F666669364C4C59776B202864656C6574656429 dev=dm-0 ino=260105 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
```

Version-Release number of selected component (if applicable):

```
[root@dhcp207-230 ~]# rpm -q ipa-server pki-ca tomcat6 selinux-policy
ipa-server-3.0.0-46.el6.x86_64
pki-ca-9.0.3-40.el6.noarch
tomcat6-6.0.24-88.el6.x86_64
selinux-policy-3.7.19-264.el6.noarch
[root@dhcp207-230 ~]#
```

How reproducible:
Always

Steps to Reproduce:
1. Install latest RHEL6.7 compose

Actual results:
IPA Server install fails

Expected results:
IPA Server install should be successful.

Additional info:
(1) Please find the attached tar file, which contains log files (ipa-server-install.log, pki-ca-install.log and audit.log)

Interesting -- a rule based on the above would look like this:

```
[root@alee-workpc ~]# audit2allow -R -i test.avc

require {
	type tmp_t;
	type pki_ca_t;
	class file execute;
}

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file execute;
```

I wonder what's going on ...

Updating steps taken to troubleshoot so far:

* Last clean install - rhel 0408 build with upgraded ipa-server-46
* Saw failure - rhel 0415 build.

Some pkgs that are different between the two builds:

```
ipa-server-3.0.0-46.el6.x86_64
selinux-policy-3.7.19-265.el6.noarch
sssd-1.12.4-29.el6.x86_64
nss-3.18.0-1.el6.x86_64
nspr-4.10.8-1.el6.x86_64
```

ipaserver-install.log has:

```
<..snip..>
2015-04-15T15:20:44Z DEBUG [3/21]: configuring certificate server instance
2015-04-15T15:20:44Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname qe-blade-10.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-ttXb3E -client_certdb_pwd XXXXXXXX -preop_pin 9oZTUFC2dPedL4cxWKqL -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host qe-blade-10.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=qe-blade-10.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false
2015-04-15T15:20:44Z DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-ttXb3E tokenpwdXXXXXXX
#############################################
Attempting to connect to: qe-blade-10.testrelm.test:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA
#######################################################################

2015-04-15T15:20:44Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
   at gnu.java.net.PlainSocketImpl.connect(libgcj.so.10)
   at java.net.Socket.connect(libgcj.so.10)
   at java.net.Socket.connect(libgcj.so.10)
   at java.net.Socket.<init>(libgcj.so.10)
   at java.net.Socket.<init>(libgcj.so.10)
   at HTTPClient.sslConnect(HTTPClient.java:300)
   at ConfigureCA.LoginPanel(ConfigureCA.java:244)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
   at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
   at ConfigureCA.LoginPanel(ConfigureCA.java:245)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
   at ConfigureCA.main(ConfigureCA.java:1672)
<..snip..>
```

catalina.out has:

```
<..snip..>
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.users.MemoryUserDatabase open
WARNING: Exception configuring digester to permit java encoding names in XML files. Only IANA encoding names will be supported.
org.xml.sax.SAXNotSupportedException: http://apache.org/xml/features/allow-java-encodings
   at gnu.xml.stream.SAXParserFactory.setFeature(libgcj.so.10)
   at org.apache.tomcat.util.digester.Digester.setFeature(Digester.java:556)
   at org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:391)
   at org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:103)
   at org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:140)
   at javax.naming.spi.NamingManager.getObjectInstance(libgcj.so.10)
   at org.apache.naming.NamingContext.lookup(NamingContext.java:793)
   at org.apache.naming.NamingContext.lookup(NamingContext.java:140)
   at org.apache.naming.NamingContextBindingsEnumeration.nextElementInternal(NamingContextBindingsEnumeration.java:113)
   at org.apache.naming.NamingContextBindingsEnumeration.next(NamingContextBindingsEnumeration.java:71)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:137)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:109)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:81)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:703)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
   at java.lang.reflect.Method.invoke(libgcj.so.10)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
Apr 16, 2015 1:05:13 a.m. org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path /ca
java.lang.IllegalArgumentException: URI "file:./" is not hierarchical
   at java.io.File.<init>(libgcj.so.10)
   at org.apache.catalina.startup.TldConfig.getJarPaths(TldConfig.java:636)
   at org.apache.catalina.startup.TldConfig.execute(TldConfig.java:305)
   at org.apache.catalina.startup.TldConfig.lifecycleEvent(TldConfig.java:688)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4616)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
<..snip..>
```

Tried combinations:

* Start at 0408 - upgraded selinux-policy - install was successful
* Start at 0415 - install in permissive mode, then downgraded and upgraded individually - selinux-policy, ipa-server, nss, nspr

Also switched the java alternative to openjdk. Did this because Nathan noticed something is installing gcj 1.5.0, and it's set as the default java. This got the install further but gave a new error in ipaserver-install.log:

```
<..snip..>
2015-04-16T18:26:08Z DEBUG stderr=[Fatal Error] :-1:-1: Premature end of file.
org.xml.sax.SAXParseException; Premature end of file.
   at org.apache.xerces.parsers.DOMParser.parse(DOMParser.java:239)
   at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:283)
   at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
   at ParseXML.parse(ParseXML.java:258)
   at ConfigureCA.getStatus(ConfigureCA.java:205)
   at ConfigureCA.checkStatus(ConfigureCA.java:221)
   at ConfigureCA.checkStatus(ConfigureCA.java:216)
   at ConfigureCA.CertSubjectPanel(ConfigureCA.java:644)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1242)
   at ConfigureCA.main(ConfigureCA.java:1672)
<..snip..>
```

The installation works if I use java-1.7.0-openjdk. Fails with java-1.8.0-openjdk, jre-1.5.0-gcj. Same case in bug 1212557, but there it failed with Oracle Java version "1.7.0_79".

Dogtag 9 will be changed to use java-1.7.0-openjdk specifically:

* https://fedorahosted.org/pki/ticket/1350
* https://bugzilla.redhat.com/show_bug.cgi?id=1212557

This bug is probably identical to bug 1212557, but once we use java-1.7.0-openjdk the SELinux issues described in this ticket will no longer be relevant and therefore will not be fixed (at least for now).

*** This bug has been marked as a duplicate of bug 1212557 ***
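The following is an added example, not part of the bug report or of the pki-core, IPA or audit tooling. It decodes the two audit records quoted in the description the way `ausearch -i` would, and rebuilds the `allow` rule that `audit2allow` produced in the comments, so the security-relevant facts of the denial are visible without the tools: `syscall=9` on `arch=c000003e` is x86_64 `mmap`, `a2=5` is `PROT_READ|PROT_EXEC`, `a3=1` is `MAP_SHARED`, `exit=-13` is `EACCES`, and the hex `path=` decodes to `/tmp/ffi6LLYwk (deleted)`. That name and deleted state match the temporary file libffi maps executable to build closure trampolines, and `exe="/usr/bin/gij"` is the GNU Java interpreter, which relies on libffi; this is an inference from the record, not a statement from the report. The syscall and flag tables below cover only the values this record uses.

```python
"""Decode an SELinux AVC denial and derive the audit2allow-style rule.

Added example for this bug page. The two audit records are copied from the
bug description; nothing is fetched from the running system.
"""
import errno
import re

SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1429105399.793:52): arch=c000003e syscall=9 '
    'success=no exit=-13 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=1 pid=2255 '
    'auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 '
    'fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/bin/gij" '
    'subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)'
)
AVC_RECORD = (
    'type=AVC msg=audit(1429105399.793:52): avc: denied { execute } for '
    'pid=2255 comm="java" '
    'path=2F746D702F666669364C4C59776B202864656C6574656429 dev=dm-0 '
    'ino=260105 scontext=unconfined_u:system_r:pki_ca_t:s0 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file'
)

# Only the x86_64 values this record needs (arch=c000003e is AUDIT_ARCH_X86_64).
X86_64_SYSCALLS = {9: "mmap"}
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
MAP_FLAGS = {1: "MAP_SHARED", 2: "MAP_PRIVATE", 0x20: "MAP_ANONYMOUS"}


def parse_fields(record: str) -> dict:
    """Split an audit record into key=value fields, dropping quotes on values."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}


def decode_path(hex_path: str) -> str:
    """auditd hex-encodes a path that contains spaces or other special bytes."""
    return bytes.fromhex(hex_path).decode("utf-8", errors="replace")


def decode_flags(value: int, names: dict) -> list:
    """Expand a bitmask into the flag names that are set, lowest bit first."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def denied_perms(avc_record: str) -> list:
    """Permissions inside 'avc: denied { ... }'."""
    match = re.search(r'denied\s*\{([^}]*)\}', avc_record)
    return match.group(1).split() if match else []


def type_of(context: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def summarize(syscall_record: str, avc_record: str) -> dict:
    """Join the SYSCALL and AVC records of one event into a readable summary."""
    sc = parse_fields(syscall_record)
    avc = parse_fields(avc_record)
    err = -int(sc["exit"])  # exit=-13 -> 13 (EACCES)
    return {
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "errno": err,
        "errno_name": errno.errorcode.get(err, "?"),
        "prot": decode_flags(int(sc["a2"], 16), PROT_FLAGS),
        "map_flags": decode_flags(int(sc["a3"], 16), MAP_FLAGS),
        "exe": sc["exe"],
        "path": decode_path(avc["path"]),
        "perms": denied_perms(avc_record),
        "source_type": type_of(avc["scontext"]),
        "target_type": type_of(avc["tcontext"]),
        "tclass": avc["tclass"],
    }


def allow_rule(summary: dict) -> str:
    """The rule audit2allow derives: allow <source> <target>:<class> <perms>;

    Note how broad it is: it lets pki_ca_t execute any tmp_t file, not just
    the one trampoline file this denial was about.
    """
    perms = summary["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        summary["source_type"], summary["target_type"], summary["tclass"], perm_str)


if __name__ == "__main__":
    info = summarize(SYSCALL_RECORD, AVC_RECORD)
    for key, value in info.items():
        print("%-12s %s" % (key, value))
    print(allow_rule(info))
```

Read together, the two records say that `gij` (running as `pki_ca_t`) tried to `mmap` a `tmp_t` file with `PROT_EXEC` and was refused, which is what the bug's later comments attribute to the gcj runtime being selected as the default java. The generated `allow` rule would make the denial go away but grants execute on every `tmp_t` file; the resolution recorded on the page, pinning Dogtag 9 to java-1.7.0-openjdk, removes the need for the rule instead.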