Bug 1443968

Summary: freeipa-server container deployment fails due to AVCs during GSSProxy restart
Product: Fedora
Component: docker
Version: 25
Status: CLOSED INSUFFICIENT_DATA
Type: Bug
Reporter: Martin Babinsky <mbabinsk>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: adimania, admiller, amurdaca, dwalsh, ichavero, jcajka, jpazdziora, lsm5, marianne, miminar, nalin, riek, slaznick, vbatts
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Bug Blocks: 1451289
Last Closed: 2017-12-11 15:30:18 UTC

Description Martin Babinsky 2017-04-20 11:08:10 UTC
Description of problem:

When installing freeipa-server:master-nightly container (https://github.com/freeipa/freeipa-container/blob/master/Dockerfile.fedora-25-master-nightly) on Fedora 25 host, the installation fails during GssProxy service configuration:
 
'''
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: adding URL rewriting rules
  [8/22]: configuring httpd
  [9/22]: setting up httpd keytab
  [10/22]: retrieving anonymous keytab
  [11/22]: configuring Gssproxy
  [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.
'''

When checking AVCs, I can see that the GSSProxy daemon is denied setting the 'use-gss-proxy' option in the kernel to enable the GSSAPI interposer plugin:

'''
---
time->Thu Apr 20 07:57:07 2017
type=AVC msg=audit(1492675027.545:3595): avc:  denied  { write } for  pid=2778 comm="gssproxy" name="use-gss-proxy" dev="proc" ino=4026532871 scontext=system_u:system_r:container_t:s0:c135,c478 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0
'''

Indeed, when I set SELinux to permissive I can deploy the container without problems.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. build a container from https://github.com/freeipa/freeipa-container/blob/master/Dockerfile.fedora-25-master-nightly

2. try to install the container, e.g. by using 'atomic install'

Actual results:

The installation crashes due to AVC reported above

Expected results:

Installation finishes successfully

Additional info:

Upstream issue: https://github.com/freeipa/freeipa-container/issues/128
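
The AVC above is the whole diagnosis: a process running as container_t wants write access to a sysctl_rpc_t file on proc (the /proc/net/rpc/use-gss-proxy knob gssproxy flips to turn the kernel interposer on), and the container policy has no rule for that pair. As an added example, not code from the bug report or from the freeipa-container project, the following Python parser turns such records into the allow rule and local policy module that audit2allow would generate from them, which is the check to run before choosing a workaround. The module name `gssproxy_container` is a placeholder. Note what the derived rule actually says: `allow container_t sysctl_rpc_t:file { write };` grants the write to every container_t process on the host, not just this one container, so loading it is a host-wide widening of container confinement rather than a fix to the distribution policy, and it does not answer the question in Comment 4 of whether the knob is per-namespace at all.

```python
"""Parse SELinux AVC records and derive the allow rule / local policy
module that would silence them (the shape audit2allow emits).

Added example for this bug page, not code from the report or from
freeipa-container. The AVC text is copied from the report; the module
name `gssproxy_container` is a made-up placeholder.
"""
import re
from collections import defaultdict

# Sample input: the AVC record from the bug report, embedded here so the
# example runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1492675027.545:3595): avc:  denied  { write } for  pid=2778 '
    'comm="gssproxy" name="use-gss-proxy" dev="proc" ino=4026532871 '
    'scontext=system_u:system_r:container_t:s0:c135,c478 '
    'tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0'
)

# "avc:  denied  { perm ... } for  key=value ..." -> result, perms, fields.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values may contain spaces, unquoted ones cannot.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if `line` is not one.

    Besides the raw key=value fields it adds `perms` (list) and `stype` /
    `ttype`, the type component of scontext / tcontext, which together
    with tclass is all a policy rule needs."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in _FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None  # truncated record: not enough to build a rule from
    # A context is user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def parse_audit_log(text):
    """Parse every AVC record in ausearch / audit.log output, skipping the
    'time->' and '----' separator lines ausearch prints around them."""
    recs = [parse_avc(line) for line in text.splitlines()]
    return [r for r in recs if r is not None]


def allow_rules(records):
    """Collapse denied AVCs into one allow rule per (source type, target
    type, class), merging permissions, as audit2allow does."""
    perms = defaultdict(set)
    for r in records:
        if r['result'] == 'denied':
            perms[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def te_module(name, records):
    """Render complete .te source for a local policy module: the require
    block (every type and class/permission the rules mention) plus the
    allow rules derived from `records`."""
    types, classes = set(), defaultdict(set)
    for r in records:
        if r['result'] == 'denied':
            types.update((r['stype'], r['ttype']))
            classes[r['tclass']].update(r['perms'])
    require = [f"\ttype {t};" for t in sorted(types)]
    require += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
                for c, p in sorted(classes.items())]
    body = [f"module {name} 1.0;", "", "require {", *require, "}", ""]
    body += allow_rules(records)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Feed it the report's AVC with the ausearch separator in front of it.
    recs = parse_audit_log("time->Thu Apr 20 07:57:07 2017\n" + SAMPLE_AVC)
    print(te_module("gssproxy_container", recs))
```

On a real host the input would come from `ausearch -m avc -c gssproxy`, and the rendered .te is built and loaded the usual way (`checkmodule -M -m -o gssproxy_container.mod gssproxy_container.te`, `semodule_package -o gssproxy_container.pp -m gssproxy_container.mod`, `semodule -i gssproxy_container.pp`). Treat the output as a statement of what you would be granting, review it, and prefer a narrower fix (a dedicated domain or a boolean in the distribution policy) over blanket rules on container_t.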

Comment 4 Daniel Walsh 2017-04-30 11:07:59 UTC
Do we know if this sysctl is namespaced,  I can turn it on in SELinux, but not sure if it will work the way you expect.

Comment 5 Fedora End Of Life 2017-11-16 18:40:40 UTC
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 6 Jan Pazdziora 2017-11-29 14:21:23 UTC
I assume we haven't seen this issue for a while. Do we know where the change in behaviour (or change in tests) came from?

Comment 7 Standa Laznicka 2017-12-11 07:50:25 UTC
Unfortunately, I have no idea when this happened. I don't see any marked workarounds for this in our tests/container repo. I'm not sure if it's safe to assume it's not there, but I should hope it's not, in which case the change most probably comes from SELinux.