Bug 696819

Summary: ipa-server-install fails on F-15 with enforcing SELinux
Product: [Retired] freeIPA
Component: SELinux
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Severity: high
Priority: unspecified
Status: CLOSED ERRATA
Reporter: Tim Niemueller <tim>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, dwalsh, mgrepl, mkosek
Fixed In Version: freeipa-2.1.3-5.fc16
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:27:49 UTC

Attachments:
IPA server installation output
IPA server installation log
Relevant AVCs from audit.log

Description Tim Niemueller 2011-04-14 22:26:12 UTC
Description of problem:
When running ipa-server-install it hangs when setting up the directory server.

Version-Release number of selected component (if applicable):
freeipa-server-2.0.0-1.fc15.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Minimal install of devel F-15
2. Install freeipa-server
3. Call ipa-server-install
  
Actual results:
Installation hangs.

Expected results:
Installation succeeds.

Additional info:
Unfortunately I do not have the debug install logs anymore; it hung in setup-dl.pl or similar. audit2allow -a outputs:

#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;

Comment 1 Dmitri Pal 2011-04-15 14:45:24 UTC
How long did you wait?
There are some very strange delays that we have observed in systemd trying to restart different services. It might be that it looked like it hung but was in the long timeout.
Why do you think it is a SELinux problem?

Comment 2 Daniel Walsh 2011-04-15 15:22:07 UTC
You need a newer SELinux policy.

selinux-policy-3.9.16-15.fc15 is the latest.

Comment 3 Martin Kosek 2011-04-19 14:26:16 UTC
I ran into the same problem; only the AVC was different. Attaching IPA installation output, the IPA server installation logfile and the relevant AVCs.

I was informed that a fix was checked into F-16 and will be backported to the relevant repos.

Comment 4 Martin Kosek 2011-04-19 14:27:06 UTC
Created attachment 493206 [details]
IPA server installation output

Comment 5 Martin Kosek 2011-04-19 14:28:43 UTC
Created attachment 493207 [details]
IPA server installation log

setup-ds.pl complains here that it could not create a directory.

Comment 6 Martin Kosek 2011-04-19 14:29:20 UTC
Created attachment 493208 [details]
Relevant AVCs from audit.log

Comment 7 Daniel Walsh 2011-04-19 15:07:35 UTC
Not sure why dirsrv_t would be changing the permissions on a var_lock directory but we are adding this to the next policy.

Comment 8 Martin Kosek 2011-04-20 09:17:16 UTC
I can confirm that when I loaded a custom SELinux module allowing the rule mentioned in the reported AVC, the reported hang no longer occurred.

My selinux-policy version:
selinux-policy-3.9.16-15.fc15.noarch

Comment 9 Martin Kosek 2011-04-21 13:27:28 UTC
Tracking upstream ticket:

https://fedorahosted.org/freeipa/ticket/1185

Comment 10 Martin Kosek 2011-04-29 08:38:47 UTC
selinux-policy-3.9.16-18.fc15 fixes the issue. Closing the upstream ticket.

Comment 11 Martin Kosek 2011-06-08 13:30:33 UTC
The SELinux problem was not solved completely; the originally reported AVC reoccurred. ipa-replica-install will fail again.

selinux-policy version:
selinux-policy-3.9.16-26.fc15.noarch

audit.log:
type=AVC msg=audit(1307533596.416:1211): avc:  denied  { read } for
pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681

audit2allow:
# cat /var/log/audit/audit.log | audit2allow

#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;

Comment 12 Martin Kosek 2011-06-08 13:31:38 UTC
Opening a new upstream ticket:
https://fedorahosted.org/freeipa/ticket/1306

Comment 13 Miroslav Grepl 2011-06-08 13:38:59 UTC
Well, the problem is that /var/lock is mislabeled.

# restorecon -R -v /var

Comment 14 Martin Kosek 2011-06-09 10:51:12 UTC
Yes, you are right, I see it now. Thanks for the reply.
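The thread ends on the point that matters for anyone triaging an AVC like this one: Comment 8 got the install working by loading a custom module for the rule audit2allow printed, but Comment 13 shows the real cause was a mislabeled /var/lock, and the correct fix was restorecon rather than an allow rule letting dirsrv_t read anything labeled var_t. The script below is an added example, not code from the bug, FreeIPA or selinux-policy: it extracts candidate allow rules from audit.log lines the way audit2allow does, then flags rules whose target carries a generic type (var_t and similar) as likely mislabeling rather than a policy gap. The audit lines in AUDIT_SAMPLE are constructed to match the audit2allow output quoted in the bug (the AVC on the page itself is cut off), and the list of "generic" types in mislabel_suspects is a heuristic assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not from the bug report or the projects it concerns.
# Constructed audit.log excerpt: the first AVC reproduces the rule quoted in
# Comment 11 (dirsrv_t reading a var_t symlink), the second is an assumed
# setattr on a var_lock_t directory along the lines of Comment 7, the third
# line is a non-AVC record, and the last line duplicates the first AVC.
AUDIT_SAMPLE='type=AVC msg=audit(1307533596.416:1211): avc:  denied  { read } for  pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1303221847.102:98): avc:  denied  { setattr } for  pid=2210 comm="ns-slapd" name="lock" dev=dm-0 ino=2049 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1307533596.416:1211): arch=c000003e syscall=2 success=no exit=-13 comm="ns-slapd"
type=AVC msg=audit(1307533600.001:1212): avc:  denied  { read } for  pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file'

# Read audit.log records on stdin and print one "allow" rule per distinct
# denial, in the same form audit2allow prints (source type, target type,
# object class, permissions). Non-AVC records and duplicates are dropped.
avc_to_rules() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        # permissions are the words between "{" and "}"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # contexts are user:role:type:level; the type is the third field
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        if (perm == "" || stype == "" || ttype == "" || tclass == "") next
        rule = sprintf("allow %s %s:%s %s;", stype, ttype, tclass, perm)
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Read allow rules on stdin and flag those whose target type is a generic
# default label. ASSUMPTION: the type list is a heuristic chosen for this
# example; a denial against such a type usually means the object was never
# relabeled (Comment 13), and the fix is restorecon, not a custom module.
mislabel_suspects() {
    awk -v generic="var_t default_t unlabeled_t file_t" '
    BEGIN { n = split(generic, g, " "); for (i = 1; i <= n; i++) is_generic[g[i]] = 1 }
    /^allow / {
        split($3, tc, ":")   # "var_t:lnk_file" -> tc[1] is the target type
        if (tc[1] in is_generic)
            printf "suspect mislabel: %s (restorecon the object before writing policy)\n", $0
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AUDIT_SAMPLE" | avc_to_rules
printf '%s\n' "$AUDIT_SAMPLE" | avc_to_rules | mislabel_suspects
```

On a live system the input would come from `ausearch -m AVC -ts recent` instead of the embedded sample. The rule for var_t is the one Comment 8 loaded as a custom module; the flag explains why that was the wrong fix: `restorecon -R -v /var` (Comment 13) restores the var_lock_t label and the denial disappears without widening what dirsrv_t may read. Only for denials that survive relabeling is it appropriate to package the remaining rules with `audit2allow -M <name>` and load them with `semodule -i <name>.pp`.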