Bug 1609475
Summary: | SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 28 | CC: | abokovoy, dwalsh, ipa-maint, jcholast, jhrozek, jpazdziora, lslebodn, lvrabec, mgrepl, plautrba, pvoborni, rcritten, ssorce, tdudlak |
Target Milestone: | --- | Keywords: | Regression |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | freeipa-4.7.0-3.fc28 freeipa-4.7.0-3.fc29 | Doc Type: | If docs needed, set a value |
Last Closed: | 2018-10-02 16:01:10 UTC | Type: | Bug |
Description
Lukas Slebodnik
2018-07-28 09:02:11 UTC
I have no idea what freeIPA server tries to do but it did not happen in older version. And IMHO, it is not ideal that it happens as httpd_t. httpd_t should not be allowed many things. If it is really needed then there should be special SELinux boolean httpd_ipa_something

Do you know what context this is happening? Is the installer, every time httpd starts?

I saw it as part of installation. I can check restarting of httpd

I've reproduced it and confirmed it appears when httpd is restarted. Still investigating why.

The name of the service that manages the NIS domainname keeps changing so the following was added to the platform code ipaplatform/fedora/services.py:

```python
HAS_FEDORA_DOMAINNAME_SERVICE = os.path.isfile(
    "/usr/lib/systemd/system/fedora-domainname.service"
)

if HAS_FEDORA_DOMAINNAME_SERVICE:
    fedora_system_units['domainname'] = 'fedora-domainname.service'
```

That explains the getattr. That it fails isn't important but we should try to avoid the AVC.

(In reply to Rob Crittenden from comment #4)
> I've reproduced it and confirmed it appears when httpd is restarted. Still
> investigating why.

Thank you very much. I did not have time to try 2nd case today.

*** Bug 1609476 has been marked as a duplicate of this bug. ***

I disabled the code in my install and the AVC went away. It also got rid of the ipa-dnskeysyncd AVC which had different behavior but the same root cause apparently.

Upstream ticket: https://pagure.io/freeipa/issue/7661

Is there an ETA for fixing this in Fedora? It would be good to reduce unnecessary AVC noise?

Fixed upstream master:
https://pagure.io/freeipa/c/b8528da5a8e8cf4fdeabb77022cb511043544e9f
https://pagure.io/freeipa/c/1c03181e78b8f43e7bfd32e52c5b9d161c326fd6

freeipa-4.7.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d

freeipa-4.7.0-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-16f734859d

freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e407241b53

What is the plan here? The change is in testing for 24 days ... can we move it closer to updates so that automated tests stop showing the AVC noise?

It should go to stable soon.

freeipa-4.7.0-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

freeipa-4.7.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
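
The root cause identified in the thread is a filesystem probe that runs as soon as the platform code is loaded, so it also runs inside confined domains such as httpd_t that never need the answer. The following is an added example, not FreeIPA code and not the upstream fix: it contrasts that eager pattern with a deferred probe. `ProbeCounter`, `eager_units`, `LazyUnits` and the base unit map used with them are hypothetical names and constructed values; only the unit path and the `domainname` key come from the report.

```python
import os

# Path taken from the bug report.
DOMAINNAME_UNIT = "/usr/lib/systemd/system/fedora-domainname.service"


class ProbeCounter:
    """Hypothetical stand-in for os.path.isfile that records each probed path."""

    def __init__(self, present):
        self.present = set(present)
        self.calls = []

    def __call__(self, path):
        self.calls.append(path)  # each call is a stat() SELinux would check
        return path in self.present


def eager_units(base_units, isfile=os.path.isfile):
    """Pattern quoted in the thread: probe as soon as the map is built."""
    units = dict(base_units)
    if isfile(DOMAINNAME_UNIT):
        units["domainname"] = "fedora-domainname.service"
    return units


class LazyUnits:
    """Hypothetical alternative: probe only when 'domainname' is looked up.

    A process that loads the map but never asks for 'domainname' issues no
    stat() on the unit file, so there is no getattr for SELinux to deny.
    """

    def __init__(self, base_units, isfile=os.path.isfile):
        self._units = dict(base_units)
        self._isfile = isfile
        self._probed = False

    def __getitem__(self, name):
        if name == "domainname" and not self._probed:
            self._probed = True  # probe at most once per process
            if self._isfile(DOMAINNAME_UNIT):
                self._units["domainname"] = "fedora-domainname.service"
        return self._units[name]
```

Whether the web server process ever needs the `domainname` entry is an assumption of this example; if it does, the probe still happens there and the denial has to be handled in policy instead.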