Bug 1490762
| Summary: | [Modular Server] Ipa-server-install update dse.ldif with wrong SELinux context | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | abokovoy, awilliam, dgilmore, ipa-maint, jcholast, jhrozek, kparal, mkosek, pvoborni, rcritten, robatino, sgallagh, slaznick, ssorce, tkrizek |
| Target Milestone: | --- | Keywords: | Regression, Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | AcceptedBlocker | ||
| Fixed In Version: | freeipa-4.6.0-3.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-10-16 22:22:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1396702 | ||
freeipa-server should update dse.ldif but it should not change the SELinux context for that file.

What selinux-policy version do you have? Note that this is very similar to bug 1483170, see comment 5 where rolekit_tmp_t is carried over to /etc/dirsrv/ too. The difference is only which method is used to deploy the IPA server: you did it manually under user context while Adam used rolekit for that. In both cases it looks like an issue with the 389-ds python installer which should be doing restorecon by itself.

(In reply to Alexander Bokovoy from comment #2)
> What selinux-policy version do you have?

It has nothing to do with selinux-policy, it is a bug in ipa-server-install. As you can see in the description of this bug, the 5th step updated dse.ldif and the 6th step tried to start 389-ds. But it failed because dse.ldif had the wrong SELinux context:

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

So I checked the actual code in dsinstance.py and it looks like we miss tasks.restore_context(dse_filename) after the shutil.copy2() call:
```python
# Excerpt from dsinstance.py as posted in the comment above. The temporary
# file is created in the default temp directory and then copied over
# dse_filename; nothing restores the SELinux context of dse_filename afterwards.
def __update_dse_ldif(self):
    """
    This method updates dse.ldif right after instance creation. This is
    supposed to allow admin modify configuration of the DS which has to be
    done before IPA is fully installed (for example: settings for
    replication on replicas)
    DS must be turned off.
    """
    dse_filename = os.path.join(
        paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % self.serverid,
        'dse.ldif'
    )

    with tempfile.NamedTemporaryFile(
            mode='w', delete=False) as new_dse_ldif:
        temp_filename = new_dse_ldif.name
        with open(dse_filename, "r") as input_file:
            parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
            parser.replace_value(
                'cn=config,cn=ldbm database,cn=plugins,cn=config',
                'nsslapd-db-locks',
                [b'50000']
            )
            if self.config_ldif:
                # parse modifications from ldif file supplied by the admin
                with open(self.config_ldif, "r") as config_ldif:
                    parser.modifications_from_ldif(config_ldif)
            parser.parse()
        new_dse_ldif.flush()

    shutil.copy2(temp_filename, dse_filename)
    try:
        os.remove(temp_filename)
    except OSError as e:
        logger.debug("Failed to clean temporary file: %s", e)
```
A patched version of ipa shows that it is a bug in freeipa:

2017-09-12T08:19:33Z DEBUG [4/45]: stopping directory server
2017-09-12T08:19:33Z DEBUG Starting external process
2017-09-12T08:19:33Z DEBUG args=/bin/systemctl stop dirsrv
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 2 seconds
2017-09-12T08:19:35Z DEBUG [5/45]: updating configuration in dse.ldif
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 67928 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 0 seconds
2017-09-12T08:19:35Z DEBUG [6/45]: starting directory server

Added https://github.com/freeipa/freeipa/pull/1062 to fix this.

Proposing this as a Beta blocker. ab, can you please do a freeipa package build and submit an update for this? Thanks.

+1 Blocker

+1 blocker

+1 blocker

That's +3 and this is a nice clear case, so marking AcceptedBlocker. For the record, the criterion is good old Alpha "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - 'domain controller' is a release-blocking role.

Upstream ticket: https://pagure.io/freeipa/issue/7150

Fixed upstream master: https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190

freeipa-4.6.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

This is an accepted blocker, we still need to verify the fix.

openQA has verified the fix many times.
Description of problem:
Installation fails in enforcing mode because ipa-server-install updates dse.ldif but with the wrong SELinux context.

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server
freeipa-server-4.6.0-2.fc27.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=ipa-lovely-name.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual results:
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [error] CalledProcessError: Command '/bin/systemctl start dirsrv' returned non-zero exit status 1.
ipapython.admintool: ERROR    Command '/bin/systemctl start dirsrv' returned non-zero exit status 1.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
Installation passes without any other problems.

Additional info:
sh# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(09/12/2017 03:58:23.484:320) : avc: denied { link } for pid=15563 comm=ns-slapd name=dse.ldif dev="dm-0" ino=25973397 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

sh# find /etc/ -inum 25973397
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# matchpathcon /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif	system_u:object_r:dirsrv_config_t:s0
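As an added example (this is not FreeIPA's code and not part of the bug report), the following Python script shows both halves of the problem described above: a check that compares the label `ls -lZ` reports against what `matchpathcon` says policy expects, using the two lines quoted in this report, and a config-rewrite routine that avoids the failure mode in `__update_dse_ldif`. The rewrite creates its temporary file in the target's own directory instead of the default temp directory, so it is labelled by that directory's type transition rather than as user_tmp_t, and swaps it in with `os.replace()` rather than `shutil.copy2()`, whose `copystat()` also copies the `security.selinux` extended attribute from the temp file onto the destination on Linux. It then calls `restorecon` if one is on PATH (an assumption; the call is skipped where the binary is absent). The miniature dse.ldif and the `set_attribute` helper are constructed for the example and stand in for `installutils.ModifyLDIF`.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample input: the two lines quoted in this bug report.
LS_LINE = ("-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 "
           "67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif")
MATCHPATHCON_LINE = ("/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif "
                     "system_u:object_r:dirsrv_config_t:s0")

# Constructed miniature dse.ldif containing the entry the installer edits.
SAMPLE_DSE = (
    "dn: cn=config\n"
    "cn: config\n"
    "nsslapd-port: 389\n"
    "\n"
    "dn: cn=config,cn=ldbm database,cn=plugins,cn=config\n"
    "cn: config\n"
    "nsslapd-db-locks: 10000\n"
)


def context_type(label):
    """Type field of an SELinux label 'user:role:type:level'."""
    return label.split(":")[2]


def actual_type_from_ls(line):
    """Type of the file's current label from one `ls -lZ` line (5th column)."""
    return context_type(line.split()[4])


def expected_type_from_matchpathcon(line):
    """Type the policy expects, from one `matchpathcon PATH` line."""
    return context_type(line.split()[-1])


def label_mismatch(ls_line, matchpathcon_line):
    """True when the on-disk type differs from what policy expects; this is
    the state that made ns-slapd's link() on dse.ldif fail in the report."""
    return actual_type_from_ls(ls_line) != expected_type_from_matchpathcon(matchpathcon_line)


def set_attribute(ldif_text, dn, attr, value):
    """Replace a single-valued attribute in the entry whose dn matches
    (plain, unfolded LDIF; a stand-in for installutils.ModifyLDIF)."""
    out = []
    current_dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            current_dn = line[4:].strip()
        elif current_dn == dn and line.lower().startswith(attr.lower() + ":"):
            line = "%s: %s" % (attr, value)
        out.append(line)
    return "\n".join(out) + "\n"


def rewrite_in_place(path, transform):
    """Rewrite `path` atomically without importing a /tmp label.

    The temp file lives in the target's directory, so it never carries
    user_tmp_t; os.replace() swaps it in instead of shutil.copy2(), which
    would copy the security.selinux xattr along with the other metadata.
    Mode and ownership are carried over from the original file, then
    restorecon (assumed to be on PATH; skipped otherwise) resets the type.
    """
    with open(path, "r") as src:
        new_text = transform(src.read())
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".dse.ldif.")
    try:
        with os.fdopen(fd, "w") as out:
            out.write(new_text)
            out.flush()
            os.fsync(out.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)
        os.chown(tmp, st.st_uid, st.st_gid)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    restorecon = shutil.which("restorecon")
    if restorecon:
        subprocess.run([restorecon, path], check=False)
    return new_text


def demo_rewrite():
    """Apply the installer's nsslapd-db-locks change to a scratch copy of
    SAMPLE_DSE; returns (text now on disk, text the transform produced)."""
    workdir = tempfile.mkdtemp()
    dse = os.path.join(workdir, "dse.ldif")
    with open(dse, "w") as f:
        f.write(SAMPLE_DSE)
    new_text = rewrite_in_place(dse, lambda t: set_attribute(
        t, "cn=config,cn=ldbm database,cn=plugins,cn=config",
        "nsslapd-db-locks", "50000"))
    with open(dse) as f:
        on_disk = f.read()
    return on_disk, new_text


if __name__ == "__main__":
    print("label mismatch in the report:", label_mismatch(LS_LINE, MATCHPATHCON_LINE))
    print(demo_rewrite()[0])
```

On a host with SELinux enabled, running `demo_rewrite()` in a scratch directory under /etc would leave the file with that directory's default type, and the `label_mismatch` check can be run against fresh `ls -lZ` and `matchpathcon` output after any installer step that rewrites a config file.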