Bug 1241941
| Summary: | kdc component installation of IPA failed | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Kaleem <ksiddiqu> | |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 7.2 | CC: | dpal, grajaiya, jcholast, lmiksik, mkosek, nkinder, nsoman, pvoborni, rcritten, rmeggins, spoore | |
| Target Milestone: | rc | Keywords: | Regression, TestBlocker | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | ipa-4.2.0-2.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1260097 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 12:04:08 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1260097 | |||
|
Description
Kaleem
2015-07-10 13:10:21 UTC
Locally, that beaker machine shows no avc denial:
[root@nocp6 ~]# ausearch -m AVC -ts today
<no matches>
[root@nocp6 ~]# cat /var/log/audit/audit.log |audit2allow
Nothing to do
[root@nocp6 ~]#
But strangely, the beaker logs show the following avc denials:
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:91): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:91): cwd="/"
type=SYSCALL msg=audit(1436526927.841:91): arch=c000003e syscall=92 success=no exit=-13 a0=7ffc32b96189 a1=3e0 a2=3dd a3=65726373662f7274 items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:91): avc: denied { setattr } for pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.841:92): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:92): cwd="/"
type=SYSCALL msg=audit(1436526927.841:92): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc32b96189 a1=1c0 a2=0 a3=3f items=1 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:92): avc: denied { setattr } for pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
time->Fri Jul 10 07:15:27 2015
type=PATH msg=audit(1436526927.843:94): item=1 name="/var/lib/kdcproxy/.bash_logout" objtype=CREATE
type=PATH msg=audit(1436526927.843:94): item=0 name="/var/lib/kdcproxy/" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1436526927.843:94): cwd="/"
type=SYSCALL msg=audit(1436526927.843:94): arch=c000003e syscall=2 success=no exit=-13 a0=7f876dd12210 a1=241 a2=1a4 a3=65726373662f7274 items=2 ppid=15690 pid=15697 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.843:94): avc: denied { create } for pid=15697 comm="useradd" name=".bash_logout" scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
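The records above are the raw multi-line form that `ausearch -m AVC` and `audit2allow` consume. As an added illustration (not part of the bug report or of the IPA project), the script below groups audit.log lines by event serial, joins each AVC record with the PATH record of the same event so the full object path is known, derives the allow rule audit2allow would print, and flags the symptom seen here: useradd creating a home directory outside /home in a var_lib_t location. The sample log is constructed from the records quoted in this bug, with the long SYSCALL lines trimmed to the fields used; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input, assembled from the audit records quoted in this bug
# (events 91 and 94), with the long SYSCALL lines trimmed to the fields used here.
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(1436526927.841:91): item=0 name="/var/lib/kdcproxy" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(1436526927.841:91): cwd="/"
type=SYSCALL msg=audit(1436526927.841:91): arch=c000003e syscall=92 success=no exit=-13 pid=15697 uid=0 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.841:91): avc: denied { setattr } for pid=15697 comm="useradd" name="kdcproxy" dev="dm-0" ino=203270270 scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1436526927.843:94): item=1 name="/var/lib/kdcproxy/.bash_logout" objtype=CREATE
type=PATH msg=audit(1436526927.843:94): item=0 name="/var/lib/kdcproxy/" inode=203270270 dev=fd:00 mode=040000 ouid=0 ogid=0 obj=system_u:object_r:var_lib_t:s0 objtype=PARENT
type=SYSCALL msg=audit(1436526927.843:94): arch=c000003e syscall=2 success=no exit=-13 pid=15697 uid=0 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:unconfined_r:useradd_t:s0 key=(null)
type=AVC msg=audit(1436526927.843:94): avc: denied { create } for pid=15697 comm="useradd" name=".bash_logout" scontext=system_u:unconfined_r:useradd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+")


def parse_records(text):
    """Group raw audit.log lines into events keyed by "timestamp:serial".

    Each event is the list of its records (PATH, CWD, SYSCALL, AVC, ...) as
    dicts of the key=value fields, with surrounding quotes stripped.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        rec = {"type": m.group(1)}
        for key, value in KV_RE.findall(line[m.end():]):
            rec[key] = value.strip('"')
        if rec["type"] == "AVC":
            avc = AVC_RE.search(line)
            if avc:
                rec["perms"] = avc.group(1).split()
        events[f"{m.group(2)}:{m.group(3)}"].append(rec)
    return dict(events)


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def extract_denials(events):
    """One summary per AVC denial, joined with the path from the same event's PATH records."""
    denials = []
    for event_id, records in events.items():
        # objtype says which PATH record is the created object, its parent, etc.
        paths = {r.get("objtype"): r["name"] for r in records
                 if r["type"] == "PATH" and "name" in r}
        for r in records:
            if r["type"] != "AVC" or "perms" not in r:
                continue
            denials.append({
                "event": event_id,
                "comm": r.get("comm"),
                "source_type": selinux_type(r["scontext"]),
                "target_type": selinux_type(r["tcontext"]),
                "tclass": r["tclass"],
                "perms": r["perms"],
                # Prefer the full path of the accessed object over the AVC's bare name.
                "path": (paths.get("CREATE") or paths.get("NORMAL")
                         or paths.get("PARENT") or r.get("name")),
            })
    return denials


def allow_rules(denials):
    """The allow rules audit2allow would derive from these denials.

    Review rather than install them: a denial like the one in this bug
    (useradd_t on a var_lib_t directory) usually means the object carries
    the wrong label, which is a file-context fix, not a policy hole to open.
    """
    merged = {}
    for d in denials:
        merged.setdefault((d["source_type"], d["target_type"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_text = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


def useradd_paths_outside_home(denials):
    """Paths useradd was denied on that are not under /home: a service account
    whose home directory lands in a system path such as /var/lib, where the
    default label is not one useradd_t may write."""
    return sorted({d["path"] for d in denials
                   if d["comm"] == "useradd" and d["path"]
                   and not d["path"].startswith("/home/")})


if __name__ == "__main__":
    found = extract_denials(parse_records(SAMPLE_AUDIT_LOG))
    for d in found:
        print(f"{d['event']}: {d['comm']} denied {d['perms']} on {d['tclass']} {d['path']} "
              f"({d['source_type']} -> {d['target_type']})")
    print("\n".join(allow_rules(found)))
    print("useradd paths outside /home:", useradd_paths_outside_home(found))
```

Run it against a real `/var/log/audit/audit.log` by reading the file into `parse_records`; the event key includes the timestamp because the serial alone repeats across reboots.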
moving to IPA, it was not built against the correct version of krb5

more info:

>>>> kadmin.local: Unsupported argument "ipa-setup-override-restrictions" for
>>>> db2 while initializing kadmin.local interface
>>>>
>>>> And also when trying to start kadmin.service, there is:
>>>> kadmind: kadmind: Database module does not match KDC version while
>>>> initializing, aborting
>>>
>>> What MIT krb packages version has IPA been built against?
>>> Has it changed since the build?
>>>
>>> The KDB Driver interface is private and changes from release to release,
>>> so there are safeguards to prevent loading the module if the MIT version
>>> changes.
>>>
>>> Simo.
>>>
>>
>> In build root.log from yesterday
>> there is:
>> DEBUG util.py:257: Installed:
>> ...
>> krb5-devel.x86_64 0:1.12.2-14.el7
>>
>> Latest RHEL7.2 package is: krb5-1.13.2-3.el7 (2015-06-01).
>>
>> krb5-1.12.2-14.el7 is a RHEL 7.1 package.
>>
>> Version installed on the test machine is krb5-server-1.13.2-3.el7.x86_64.
>
> At the very least the RHEL packages will need a strict version
> dependency on the krb5 package both at build time and install time.
>
> I suggest in RHEL you add
> BuildRequires >= 1.13.0 < 1.14.0
> Requires >= 1.13.0 < 1.14.0
>
> Simo.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5132

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/d6e701a79333c0d732323a1f4250aa698625e889
ipa-4-2: https://fedorahosted.org/freeipa/changeset/5678e211af604af5ed20df5d4282df8a0275aa14

from which repositories did you install to get this to work?

I'm using the following repos:
rhel7:
name: rhel7
baseurl: http://download.eng.bos.redhat.com/composes/nightly/latest-RHEL-7/compose/Server/x86_64/os/
enabled: true
gpgcheck: false
rhel7-optional:
name: rhel7-optional
baseurl: http://download.eng.bos.redhat.com/composes/nightly/latest-RHEL-7/compose/Server-optional/x86_64/os/
enabled: true
gpgcheck: false
I tried the following:
yum -y install http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-admintools-4.2.0-2.el7.x86_64.rpm \
http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-client-4.2.0-2.el7.x86_64.rpm \
http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-debuginfo-4.2.0-2.el7.x86_64.rpm \
http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-python-4.2.0-2.el7.x86_64.rpm \
http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-server-4.2.0-2.el7.x86_64.rpm \
http://download.eng.bos.redhat.com/brewroot/packages/ipa/4.2.0/2.el7/x86_64/ipa-server-trust-ad-4.2.0-2.el7.x86_64.rpm
I got the following error:
Error: Package: ipa-python-4.2.0-2.el7.x86_64.rpm
Requires: python-cryptography
rich: I've noticed python-cryptography missing from other nightlies as well.

It appears to be there in the latest.

Verified.

IPA version:
============
[root@vm-idm-001 ~]# rpm -q ipa-server
ipa-server-4.2.0-2.el7.x86_64
[root@vm-idm-001 ~]#
[root@vm-idm-001 ~]# /usr/sbin/ipa-server-install --setup-dns --forwarder=10.65.201.89 --hostname=vm-idm-001.testrelm.test -r TESTRELM.TEST -n testrelm.test -p xxxxxxxx -a xxxxxxxx --ip-address=10.65.206.135 -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
..
...
....
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
[root@vm-idm-001 ~]#

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html