Bug 474197

Summary: pkicreate complains about missing SELinux policy . . .
Product: [Retired] Dogtag Certificate System
Reporter: Matthew Harmsen <mharmsen>
Component: Installer (pkicreate/pkiremove)
Assignee: Ade Lee <alee>
Status: CLOSED NOTABUG
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 1.0
CC: alee, awnuk, benl, cfu, jmagne
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-27 20:57:40 UTC
Bug Blocks: 443788

Description Matthew Harmsen 2008-12-02 18:36:37 UTC
The following is an example of the problem as it occurs on my Fedora 8 machine (this occurs on all six unique PKI subsystems):

# pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ca1 -subsystem_type=ca -secure_port=9543 -unsecure_port=9280 -tomcat_server_port=9801
PKI instance creation Utility ...

libsepol.context_from_record: type pki_ca_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_exec_t:s0 specified for /usr/bin/dtomcat5-pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /usr/bin/dtomcat5-pki-ca1
Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1

libsepol.context_from_record: type pki_ca_script_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_script_exec_t:s0 specified for /etc/rc.d/init.d/pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /etc/rc.d/init.d/pki-ca1
Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1

libsepol.context_from_record: type pki_ca_var_lib_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_lib_t:s0 specified for /var/lib/pki-ca1(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1(/.*)?
Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"

libsepol.context_from_record: type pki_ca_var_run_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_run_t:s0 specified for /var/run/pki-ca1.pid [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/run/pki-ca1.pid
Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid

libsepol.context_from_record: type pki_ca_log_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_log_t:s0 specified for /var/lib/pki-ca1/logs(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/logs(/.*)?
Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"

libsepol.context_from_record: type pki_ca_etc_rw_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_etc_rw_t:s0 specified for /var/lib/pki-ca1/conf(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf(/.*)?
Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"

libsepol.context_from_record: type pki_ca_tomcat_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_tomcat_exec_t:s0 specified for /var/lib/pki-ca1/conf/tomcat5.conf [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf/tomcat5.conf
Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf

libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9543:9543 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9543 - 9543 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9543
Error in setting selinux context pki_ca_port_t for 9543

/usr/sbin/semanage: Port tcp/9280 already defined
Error in setting selinux context pki_ca_port_t for 9280

libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9801:9801 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9801 - 9801 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9801
Error in setting selinux context pki_ca_port_t for 9801


PKI instance creation completed ...

Starting pki-ca1:                                          [  OK  ]

PKI service(s) are available at https://pkilinux.sjc.redhat.com:9543

Server can be operated with /etc/init.d/pki-ca1 start | stop | restart

Please start the configuration by accessing:
http://pkilinux.sjc.redhat.com:9280/ca/admin/console/config/login?pin=C2ztlnkXJcL9oi1LuY85

Before proceeding with the configuration, make sure 
the firewall settings of this machine permit proper 
access to this subsystem. 


I spoke with Christina about this issue, and we suggest the following:

(1) Check to make sure whether or not the SELinux policy exists on the machine.
(2) If the policy does not exist, check to see if the SELinux mode is set to
    "Enforcing"; in this case, we should fail gracefully with an explicit
    message that our particular SELinux policy is required to run on a
    machine where SELinux is enforced.  If the SELinux mode is set to
    "Permissive", perhaps just issue a single warning message to the screen
    and the log file, and continue without SELinux checks.
(3) Verify with Dan Walsh if this is standard behavior for other applications.
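
A check of the kind proposed in steps (1) and (2) above, as an added example that is not pkicreate's own code. The decision logic is kept separate from the live lookup so it can be exercised without SELinux present; the live lookup assumes getenforce is available and that setools' seinfo (4.x syntax) is installed and prints a matching type name on its own line. Disabled is treated like Permissive, which is this example's choice, not the bug's.

```shell
#!/bin/sh
# Added example: decide how an installer should proceed when a required
# SELinux type (e.g. pki_ca_exec_t) is missing from the loaded policy.
#
# Return codes of selinux_policy_decision:
#   0 = type defined: continue with the semanage file-context/port steps
#   1 = type missing and SELinux is Enforcing: abort with an explicit message
#   2 = type missing and SELinux is Permissive/Disabled: warn once, continue
#       without the SELinux steps

# Pure decision logic (no system calls), so it is testable anywhere.
#   $1 = SELinux mode as printed by getenforce (Enforcing|Permissive|Disabled)
#   $2 = "yes" if the policy type is defined, "no" otherwise
#   $3 = the type name, used only in messages
selinux_policy_decision() {
    mode=$1; defined=$2; tname=$3
    [ "$defined" = yes ] && return 0
    case $mode in
        Enforcing)
            echo "ERROR: SELinux type '$tname' is not defined in the loaded policy." >&2
            echo "The PKI SELinux policy is required on an Enforcing system; install it and retry." >&2
            return 1 ;;
        Permissive|Disabled)
            echo "WARNING: SELinux type '$tname' is not defined and SELinux is $mode;" \
                 "continuing without SELinux file context and port setup." >&2
            return 2 ;;
        *)
            # Fail closed on anything unexpected rather than guess.
            echo "ERROR: unrecognised SELinux mode '$mode'." >&2
            return 1 ;;
    esac
}

# Live lookup (assumption: setools 4.x seinfo). Prints "yes" or "no".
selinux_type_defined() {
    if seinfo -t "$1" 2>/dev/null | grep -q "^[[:space:]]*$1\$"; then
        echo yes
    else
        echo no
    fi
}

# Wrapper an installer would call once before its first semanage invocation.
# Assumption: a host without getenforce is treated as SELinux Disabled.
check_pki_selinux_policy() {
    mode=$(getenforce 2>/dev/null || echo Disabled)
    selinux_policy_decision "$mode" "$(selinux_type_defined "$1")" "$1"
}

# Usage on a real host:  check_pki_selinux_policy pki_ca_exec_t || exit $?
```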

Comment 1 Matthew Harmsen 2008-12-03 00:36:43 UTC
Similarly, removing the above (unconfigured) instance shows the following:

# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca1
PKI instance Deletion Utility ...

PKI instance Deletion Utility cleaning up instance ...

You have elected to remove the instance installed in /var/lib/pki-ca1.
Are you sure (Y/N)?   y

No security domain defined.  If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.
Removing port 9280 from selinux policy.
/usr/sbin/semanage: Port tcp/9280 is defined in policy, cannot be deleted
Port 9280 not removed from selinux policy correctly.
Removing port 9543 from selinux policy.
/usr/sbin/semanage: Port tcp/9543 is not defined
Port 9543 not removed from selinux policy correctly.
Removing port 9801 from selinux policy.
/usr/sbin/semanage: Port tcp/9801 is not defined
Port 9801 not removed from selinux policy correctly.
Removing selinux file contexts. 
/usr/sbin/semanage: File context for /usr/bin/dtomcat5-pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1

/usr/sbin/semanage: File context for /etc/rc.d/init.d/pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1

/usr/sbin/semanage: File context for /var/lib/pki-ca1(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"

/usr/sbin/semanage: File context for /var/run/pki-ca1.pid is not defined
ERROR: Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid

/usr/sbin/semanage: File context for /var/lib/pki-ca1/logs(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"

/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf/tomcat5.conf is not defined
ERROR: Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf

/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"

Stopping pki-ca1: ...............................          [  OK  ]

Removing dir /var/lib/pki-ca1
Removing file /var/log/pki-ca1-install.log
Removing file /etc/init.d/pki-ca1
Removing file /usr/share/applications/pki-ca1-config.desktop
Removing file /usr/bin/dtomcat5-pki-ca1

Comment 2 Ade Lee 2009-01-27 20:57:40 UTC
SELinux policy is now delivered as part of pki-selinux, which is included as a requirement for pki-ca and other subsystems as part of 480679.

Therefore, closing this as NOT_A_BUG