Bug 1417846

Summary: KRB proxy cert files creation fails during FreeIPA installation
Product: Red Hat Enterprise Linux 7 Reporter: Standa Laznicka <slaznick>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: ksiddiqu, lvrabec, mgrepl, mmalik, nsoman, plautrba, pvrabec, ssekidde, sumenon
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-12 10:20:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
SELinux denials from FreeIPA installation run in permissive mode none

Description Standa Laznicka 2017-01-31 09:57:57 UTC
Created attachment 1246121 [details]
SELinux denials from FreeIPA installation run in permissive mode

Description of problem:
Certmonger fails to create "/var/kerberos/krb5kdc/kdc.crt" and "/var/kerberos/krb5kdc/kdc.key" files during FreeIPA installation.

Version-Release number of selected component (if applicable):
3.13.1-102

How reproducible:
Always.

Steps to Reproduce:
1. Get FreeIPA from FreeIPA internal copr repo for RHEL and install it
2. Run `ipa-server-install`

Actual results:
The files fail to create.

Expected results:
The files are created.

Additional info:
Attached are SELinux denials caught in FreeIPA installation (that time in permissive mode).

Comment 4 Sudhir Menon 2017-04-10 08:25:43 UTC
Lukas,
While testing found out that 'ipa-server-install' fails with selinux in enforcing mode on RHEL7.4.

ipa-server-4.5.0-5.el7.x86_64
selinux-policy-3.13.1-140.el7.noarch

[root@qe-blade-01 yum.repos.d]# ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
     
This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the Network Time Daemon (ntpd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)
      * Configure the KDC to enable PKINIT
     
To accept the default shown in brackets, press the Enter key.
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
Do you want to configure integrated DNS (BIND)? [no]: yes
Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    <hostname>.<domainname>
    Example: master.example.com.

Server host name [master.testrelm.test]:
Warning: skipping DNS resolution of host master.testrelm.test
The domain name has been determined based on the host name.
     
Please confirm the domain name [testrelm.test]:
The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.
     
Please provide a realm name [TESTRELM.TEST]:
    Certain directory server operations require an administrative user.
    This user is referred to as the Directory Manager and has full access
    to the Directory for system management tasks and will be added to the
    instance of directory server created for IPA.
    The password must be at least 8 characters long.
     
    Directory Manager password:
    Password (confirm):
     
    The IPA server requires an administrative user, named 'admin'.
    This user is a regular system account used for IPA server administration.
     
    IPA admin password:
    Password (confirm):
     
    Checking DNS domain testrelm.test., please wait ...
    Do you want to configure DNS forwarders? [yes]: yes
    Following DNS servers are configured in /etc/resolv.conf: 
    Do you want to configure these servers as DNS forwarders? [yes]:
    All DNS servers from /etc/resolv.conf were added. You can enter additional addresses now:
    Enter an IP address for a DNS forwarder, or press Enter to skip:
    Checking DNS forwarders, please wait ...
    Do you want to search for missing reverse zones? [yes]: no
     
    The IPA Master Server will be configured with:
    Hostname:       master.testrelm.test
    IP address(es): 
    Domain name:    testrelm.test
    Realm name:     TESTRELM.TEST
     
    BIND DNS server will be configured to serve IPA domain with:
    Forwarders:       
    Forward policy:   only
    Reverse zone(s):  No reverse zone
     
    Continue to configure the system with these values? [no]: yes
     
    The following operations may take some minutes to complete.
    Please wait until the prompt is returned.
     
    Adding [master.testrelm.test] to your /etc/hosts file
    Adding [master.testrelm.test] to your /etc/hosts file
    Configuring NTP daemon (ntpd)
      [1/4]: stopping ntpd
      [2/4]: writing configuration
      [3/4]: configuring ntpd to start on boot
      [4/4]: starting ntpd
    Done configuring NTP daemon (ntpd).
    Configuring directory server (dirsrv). Estimated time: 30 seconds
      [1/47]: creating directory server user
      [2/47]: creating directory server instance
      [3/47]: enabling ldapi
      [4/47]: configure autobind for root
      [5/47]: stopping directory server
      [6/47]: updating configuration in dse.ldif
      [7/47]: starting directory server
      [8/47]: adding default schema
      [9/47]: enabling memberof plugin
      [10/47]: enabling winsync plugin
      [11/47]: configuring replication version plugin
      [12/47]: enabling IPA enrollment plugin
      [13/47]: configuring uniqueness plugin
      [14/47]: configuring uuid plugin
      [15/47]: configuring modrdn plugin
      [16/47]: configuring DNS plugin
      [17/47]: enabling entryUSN plugin
      [18/47]: configuring lockout plugin
      [19/47]: configuring topology plugin
      [20/47]: creating indices
      [21/47]: enabling referential integrity plugin
      [22/47]: configuring certmap.conf
      [23/47]: configure new location for managed entries
      [24/47]: configure dirsrv ccache
      [25/47]: enabling SASL mapping fallback
      [26/47]: restarting directory server
      [27/47]: adding sasl mappings to the directory
      [28/47]: adding default layout
      [29/47]: adding delegation layout
      [30/47]: creating container for managed entries
      [31/47]: configuring user private groups
      [32/47]: configuring netgroups from hostgroups
      [33/47]: creating default Sudo bind user
      [34/47]: creating default Auto Member layout
      [35/47]: adding range check plugin
      [36/47]: creating default HBAC rule allow_all
      [37/47]: adding entries for topology management
      [38/47]: initializing group membership
      [39/47]: adding master entry
      [40/47]: initializing domain level
      [41/47]: configuring Posix uid/gid generation
      [42/47]: adding replication acis
      [43/47]: enabling compatibility plugin
      [44/47]: activating sidgen plugin
      [45/47]: activating extdom plugin
      [46/47]: tuning directory server
      [47/47]: configuring directory to start on boot
    Done configuring directory server (dirsrv).
    Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
      [1/30]: creating certificate server user
      [2/30]: configuring certificate server instance
      [3/30]: exporting Dogtag certificate store pin
      [4/30]: stopping certificate server instance to update CS.cfg
      [5/30]: backing up CS.cfg
      [6/30]: disabling nonces
      [7/30]: set up CRL publishing
      [8/30]: enable PKIX certificate path discovery and validation
      [9/30]: starting certificate server instance
      [10/30]: configure certmonger for renewals
      [11/30]: requesting RA certificate from CA
      [12/30]: setting up signing cert profile
      [13/30]: setting audit signing renewal to 2 years
      [14/30]: restarting certificate server
      [15/30]: publishing the CA certificate
      [16/30]: adding RA agent as a trusted user
      [17/30]: authorizing RA to modify profiles
      [18/30]: authorizing RA to manage lightweight CAs
      [19/30]: Ensure lightweight CAs container exists
      [20/30]: configure certificate renewals
      [21/30]: configure Server-Cert certificate renewal
      [22/30]: Configure HTTP to proxy connections
      [23/30]: restarting certificate server
      [24/30]: migrating certificate profiles to LDAP
      [25/30]: importing IPA certificate profiles
      [26/30]: adding default CA ACL
      [27/30]: adding 'ipa' CA entry
      [28/30]: updating IPA configuration
      [29/30]: enabling CA instance
      [30/30]: configuring certmonger renewal for lightweight CAs
    Done configuring certificate server (pki-tomcatd).
    Configuring directory server (dirsrv)
      [1/3]: configuring TLS for DS instance
      [2/3]: restarting directory server
      [3/3]: adding CA certificate entry
    Done configuring directory server (dirsrv).
    Configuring Kerberos KDC (krb5kdc)
      [1/10]: adding kerberos container to the directory
      [2/10]: configuring KDC
      [3/10]: initialize kerberos container
    WARNING: Your system is running out of entropy, you may experience long delays
      [4/10]: adding default ACIs
      [5/10]: creating a keytab for the directory
      [6/10]: creating a keytab for the machine
      [7/10]: adding the password extension to the directory
      [8/10]: creating anonymous principal
      [9/10]: starting the KDC
      [10/10]: configuring KDC to start on boot
    Done configuring Kerberos KDC (krb5kdc).
    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Restarting directory server to enable password extension plugin
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [2/2]: configuring ipa-otpd to start on boot
    Done configuring ipa-otpd.
    Configuring ipa-custodia
      [1/5]: Generating ipa-custodia config file
      [2/5]: Making sure custodia container exists
      [3/5]: Generating ipa-custodia keys
      [4/5]: starting ipa-custodia
      [5/5]: configuring ipa-custodia to start on boot
    Done configuring ipa-custodia.
    Configuring the web interface (httpd)
      [1/22]: setting mod_nss port to 443
      [2/22]: setting mod_nss cipher suite
      [3/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
      [4/22]: setting mod_nss password file
      [5/22]: enabling mod_nss renegotiate
      [6/22]: adding URL rewriting rules
      [7/22]: configuring httpd
      [8/22]: setting up httpd keytab
      [9/22]: retrieving anonymous keytab
      [10/22]: configuring Gssproxy
      [11/22]: setting up ssl
      [12/22]: configure certmonger for renewals
      [13/22]: importing CA certificates from LDAP
      [14/22]: publish CA cert
      [15/22]: clean up any existing httpd ccaches
      [16/22]: configuring SELinux for httpd
      [17/22]: create KDC proxy user
      [18/22]: create KDC proxy config
      [19/22]: enable KDC proxy
      [20/22]: restarting httpd
      [21/22]: configuring httpd to start on boot
      [22/22]: enabling oddjobd
    Done configuring the web interface (httpd).
    Configuring Kerberos KDC (krb5kdc)
      [1/2]: installing X509 Certificate for PKINIT
    ipa         : ERROR    Failed to initiate the request: org.fedorahosted.certmonger.bad_arg: The parent of location "/var/kerberos/krb5kdc/kdc.crt" could not be accessed due to insufficient permissions.
      [2/2]: testing anonymous PKINIT
      [error] RuntimeError: Failed to configure anonymous PKINIT
    ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Failed to configure anonymous PKINIT
    ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

#cat /var/log/audit/audit.log|audit2allow

#============= certmonger_t ==============
allow certmonger_t krb5kdc_conf_t:dir write;
allow certmonger_t systemd_unit_file_t:service status;
   
#============= gssproxy_t ==============
allow gssproxy_t self:capability { dac_override dac_read_search };
     
#============= httpd_t ==============
allow httpd_t cert_t:dir write;
     
#============= tomcat_t ==============
allow tomcat_t ipa_var_lib_t:dir { getattr search };

Comment 5 Lukas Vrabec 2017-04-12 10:20:30 UTC

*** This bug has been marked as a duplicate of bug 1436689 ***