Bug 1447703

Summary: Fix SELinux contex of http.keytab during upgrade
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Nikhil Dehadrai <ndehadra>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: ksiddiqu, mbabinsk, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:50:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-05-03 14:18:34 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6924

During upgrate the http.keytab is moved to a new location but with incorrect SELinux context. Operation `copy` and `remove` should be used instead of `move` to restore context properly.
Comment 2 Petr Vobornik 2017-05-03 14:20:55 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6924
Comment 3 Petr Vobornik 2017-05-03 14:22:52 UTC 
This bz is derived from bug 1436689
Comment 5 Martin Babinsky 2017-05-03 15:43:55 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/7f4c2fbd975d09c01e6898a4eb70d7dfea1171b4
ipa-4-5:
https://pagure.io/freeipa/c/bda733db9ede3307595963a8c086e1b700c41e25
Comment 10 Nikhil Dehadrai 2017-05-22 10:37:43 UTC 
IPA server version: ipa-server-4.5.0-13.el7.x86_64

Tested the bug with following observations:

1) Verified that upgrade of IPA server to latest version is successful.
2) No errors/ failures are observed during upgrade process.
3) All the basic commands work successfully after upgrade.
4) Verified the same for other upgrade paths:
  - RHEL 7.1.z > Rhel 7.4
  - RHEL 7.2.z > Rhel 7.4
  - RHEL 7.3 > Rhel 7.4
  - RHEL 7.3.z > Rhel 7.4
5) We are unable to login to UI after upgrade, for which a separate bug is logged BZ#1451733
6) No AVC errors related to "http.keytab" are observed during/after the upgrade process.

Thus on the basis of above observations, marking status of bug to "VERIFIED".
Comment 12 errata-xmlrpc 2017-08-01 09:50:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304