Bug 1351153
| Summary: | AVC seen on Replica during ipa-server upgrade test execution to 7.3 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nikhil Dehadrai <ndehadra> | ||||
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.3 | CC: | jcholast, pvoborni, rcritten | ||||
| Target Milestone: | rc | Keywords: | Regression | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | ipa-4.4.0-1.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-11-04 05:55:51 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
are we talink only about the:
ype=SYSCALL msg=audit(1467184701.231:571): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7ffded06bd80 a2=26 a3=0 items=0 ppid=20830 pid=20898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-ca-r" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1467184701.231:571): avc: denied { connectto } for pid=20898 comm="dogtag-ipa-ca-r" path="/run/ipa_memcached/ipa_memcached" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=unix_stream_socket
or also some other?
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5988 Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dcf8b47471a1795eb00f3aee09ba48b5c4847923 https://fedorahosted.org/freeipa/changeset/a901ec1ce988b0b3d0c8e7a063de260eb9ede7e8 https://fedorahosted.org/freeipa/changeset/7d9afd988aef0ae570683d387770995a8f21dc9f https://fedorahosted.org/freeipa/changeset/2615103c68e68596473260064dbe84585073eb51 Server version: ipa-server-4.4.0-2.1.el7.x86_64 Verified the bug on the basis of following points: 1. Verified that IPA server is successfully upgraded to latest version of RHEL 7.3 and the IPA -server service is restarted correctly after the upgrade. 2. No AVC error message is observed during the upgrade both on Master as well as Replica. 3. Refer the attached console output log. Thus on the basis of above observations, marking the status of bug to "VERIFIED". Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |
Created attachment 1173812 [details] AVC denial message on Replica during upgrade to 7.3 Description of problem: AVC seen on Replica during ipa-server upgrade test execution to 7.3 How reproducible: Always Steps to Reproduce: 1. Setup IPA server for ipa-upgrade test suite execution on beaker. 2. Make sure latest repo links are set correctly for test execution. 3. Initiate automation for ipa-upgrade test suite on beaker.(In my case 7.2.z to 7.3) Actual results: 1. After step3, avc denial message is observed for Replica. 2. Refer attachment for additional information. Expected results: No AVC messages should be observed.