Bug 2006017

Summary: Regression in ipa-and-similar test suite during test runs
Product: Red Hat Enterprise Linux 8
Reporter: Amith <apeetham>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: unspecified
Version: 8.4
CC: frenaud, lvrabec, mmalik, myusuf, ndehadra, rcritten, rjeffman, ssekidde, ssidhaye, sumenon, tscherf, vmojzis
Target Milestone: rc
Keywords: Regression
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: ipa-4.9.8-2.module+el8.6.0+13621+937b8cd9
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-10 14:08:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Comment 3 Milos Malik 2021-09-22 10:45:09 UTC
Everything looks good before any ipa* package is installed:

# rpm -qa selinux\* ipa\* | sort
selinux-policy-3.14.3-79.el8.noarch
selinux-policy-targeted-3.14.3-79.el8.noarch
# matchpathcon /run/ipa /var/run/ipa
/run/ipa	system_u:object_r:var_run_t:s0
/var/run/ipa	system_u:object_r:var_run_t:s0
# semanage fcontext -l | grep /run/ipa
/var/run/ipa_memcached(/.*)?                       all files          system_u:object_r:memcached_var_run_t:s0 
# semanage fcontext -l -C
#

No errors or warnings appear during installation of ipa-selinux package:

# yum -y install ipa-selinux
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:01:08 ago on Wed 22 Sep 2021 06:34:19 AM EDT.
Dependencies resolved.
================================================================================
 Package     Arch   Version                                Repository      Size
================================================================================
Installing:
 ipa-selinux noarch 4.9.6-3.module+el8.5.0+11817+d7405443  rhel-AppStream 175 k
Enabling module streams:
 idm                client                                                     

Transaction Summary
================================================================================
Install  1 Package

Total download size: 175 k
Installed size: 16 k
Downloading Packages:
ipa-selinux-4.9.6-3.module+el8.5.0+11817+d74054 4.5 MB/s | 175 kB     00:00    
--------------------------------------------------------------------------------
Total                                           4.4 MB/s | 175 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.no   1/1 
  Installing       : ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.no   1/1 
  Running scriptlet: ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.no   1/1 
  Verifying        : ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.no   1/1 
Installed products updated.

Installed:
  ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.noarch                      

Complete!
# rpm -qa selinux\* ipa\* | sort
ipa-selinux-4.9.6-3.module+el8.5.0+11817+d7405443.noarch
selinux-policy-3.14.3-79.el8.noarch
selinux-policy-targeted-3.14.3-79.el8.noarch
# semodule -lfull | grep ipa
200 ipa               pp         
#

But interesting things appear after installation of the ipa-selinux package:

# matchpathcon /run/ipa /var/run/ipa
/run/ipa	system_u:object_r:var_run_t:s0
/var/run/ipa	system_u:object_r:var_run_t:s0
# semanage fcontext -l | grep /run/ipa
/run/ipa(/.*)?                                     all files          system_u:object_r:ipa_var_run_t:s0 
/var/run/ipa_memcached(/.*)?                       all files          system_u:object_r:memcached_var_run_t:s0 
# mkdir -p /run/ipa
# ls -dZ /run/ipa
unconfined_u:object_r:var_run_t:s0 /run/ipa
# restorecon -Rv /run/ipa
# ls -dZ /run/ipa
unconfined_u:object_r:var_run_t:s0 /run/ipa
# matchpathcon /run/ipa /var/run/ipa
/run/ipa	system_u:object_r:var_run_t:s0
/var/run/ipa	system_u:object_r:var_run_t:s0
# semanage fcontext -l | grep /run/ipa
/run/ipa(/.*)?                                     all files          system_u:object_r:ipa_var_run_t:s0 
/var/run/ipa_memcached(/.*)?                       all files          system_u:object_r:memcached_var_run_t:s0 
# semanage fcontext -l -C
# 

I agree that some parts of the TC need to be updated, but my question is why the /run/ipa directory is not labeled correctly (ipa_var_run_t) in the end.

Comment 4 Milos Malik 2021-09-22 10:48:14 UTC
Is it possible that the use of the "/run = /var/run" equivalence causes that?

# semanage fcontext -l | grep -A 20 "fcontext Equivalence"
SELinux Distribution fcontext Equivalence 

/run = /var/run
/run/lock = /var/lock
/run/systemd/system = /usr/lib/systemd/system
/run/systemd/generator = /usr/lib/systemd/system
/run/systemd/generator.late = /usr/lib/systemd/system
/lib = /usr/lib
/lib64 = /usr/lib
/usr/lib64 = /usr/lib
/usr/local/lib64 = /usr/lib
/usr/local/lib32 = /usr/lib
/etc/systemd/system = /usr/lib/systemd/system
/var/lib/xguest/home = /home
/var/named/chroot/usr/lib64 = /usr/lib
/var/named/chroot/lib64 = /usr/lib
/home-inst = /home
/home/home-inst = /home
/var/roothome = /root
/sbin = /usr/sbin
/sysroot/tmp = /tmp
#

Comment 5 Milos Malik 2021-09-22 10:53:21 UTC
After adding a local customization which uses the "/var/run/ipa" pattern instead of the "/run/ipa" pattern, everything is OK again:

# semanage fcontext -a -t ipa_var_run_t '/var/run/ipa(/.*)?'
# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/var/run/ipa(/.*)?                                 all files          system_u:object_r:ipa_var_run_t:s0 
# restorecon -Rv /run/ipa
Relabeled /run/ipa from unconfined_u:object_r:var_run_t:s0 to unconfined_u:object_r:ipa_var_run_t:s0
# matchpathcon /run/ipa
/run/ipa	system_u:object_r:ipa_var_run_t:s0
#

The equivalences are tricky.
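
The following model is added here and is not part of the bug report or of FreeIPA; it reproduces the behaviour Comments 4 and 5 describe: libselinux rewrites the looked-up path through the distribution equivalences (/run -> /var/run) before matching it against any file-context regex, so a rule written as /run/ipa(/.*)? can never match, while /var/run/ipa(/.*)? does. The equivalence list and the ipa/memcached rules are copied from the comments above; the generic /var/run fallback rule and the "longest matching regex wins" precedence are assumptions of the model, not libselinux's exact ordering, and dead_rules() is a constructed lint, not a semanage feature.

```python
import re

# Equivalence rules copied from the report's `semanage fcontext -l` output: alias -> canonical
EQUIVALENCES = {"/run": "/var/run", "/run/lock": "/var/lock", "/lib": "/usr/lib"}

# Context rules as listed by `semanage fcontext -l` in the report, plus a constructed
# generic /var/run fallback standing in for the distribution policy's var_run_t rule.
IPA_CTX = "system_u:object_r:ipa_var_run_t:s0"
FCONTEXTS = [
    (r"/run/ipa(/.*)?", IPA_CTX),                                            # shipped by ipa-selinux
    (r"/var/run/ipa_memcached(/.*)?", "system_u:object_r:memcached_var_run_t:s0"),
    (r"/var/run(/.*)?", "system_u:object_r:var_run_t:s0"),                   # constructed fallback
]

def canonicalize(path, equivalences=EQUIVALENCES):
    """Rewrite the longest alias prefix of the path, as libselinux does with
    file_contexts.subs_dist before it matches the path against any regex."""
    alias = max((a for a in equivalences if path == a or path.startswith(a + "/")),
                key=len, default=None)
    return path if alias is None else equivalences[alias] + path[len(alias):]

def lookup(path, fcontexts=FCONTEXTS):
    """Simulated matchpathcon. Model assumption: the longest matching regex wins."""
    canon = canonicalize(path)
    hits = [(len(rx), ctx) for rx, ctx in fcontexts if re.fullmatch(rx, canon)]
    return max(hits, default=(0, "<<none>>"))[1]

def dead_rules(fcontexts=FCONTEXTS, equivalences=EQUIVALENCES):
    """Constructed lint: a rule whose literal prefix lies under an alias can never match,
    because every looked-up path has already been rewritten to the canonical form."""
    dead = []
    for rx, _ in fcontexts:
        literal = re.match(r"[^.*+?()\[\]{}|\\^$]*", rx).group(0)  # text before first metachar
        if canonicalize(literal, equivalences) != literal:
            dead.append(rx)
    return dead

if __name__ == "__main__":
    for p in ("/run/ipa", "/var/run/ipa", "/var/run/ipa_memcached/sock"):
        print(f"{p:30} {lookup(p)}")
    print("dead rules:", dead_rules())
    # Comment 5's fix: a local rule written with the canonical /var/run prefix
    fixed = [(r"/var/run/ipa(/.*)?", IPA_CTX)] + FCONTEXTS
    print("/run/ipa after local fix:", lookup("/run/ipa", fixed))
```

Running the lint over a module's .fc file before shipping it would have flagged the /run/ipa rule as unreachable under the stock equivalences.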

Comment 9 Rob Crittenden 2021-09-27 13:55:07 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/cd85b729d3fd03e6acd75ec4f0f916aec4bc9247

Comment 10 Rob Crittenden 2021-09-27 15:46:15 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/186497cb790a81d43c35659f81fab2eb47ea65cd

Comment 26 Sudhir Menon 2022-01-18 16:37:02 UTC
ipa-server-4.9.8-2.module+el8.6.0+13621+937b8cd9.x86_64
ipa-selinux-4.9.8-2.module+el8.6.0+13621+937b8cd9.noarch
selinux-policy-3.14.3-86.el8.noarch

[root@server oddjob]# pwd
/usr/libexec/ipa/oddjob

[root@server oddjob]# ls -lZ
total 24
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 9556 Dec 10 14:26 com.redhat.idm.trust-fetch-domains
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0 2332 Dec 10 14:26 org.freeipa.server.config-enable-sid
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0   76 Nov  4 09:12 org.freeipa.server.conncheck
-rwxr-xr-x. 1 root root system_u:object_r:ipa_helper_exec_t:s0  210 Dec 10 14:26 org.freeipa.server.trust-enable-agent

Comment 29 errata-xmlrpc 2022-05-10 14:08:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1884