Bug 885154

Summary: ipa-server-install selinux alert
Product: [Fedora] Fedora
Reporter: Dean Hunter <deanhunter>
Component: freeipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 18
CC: abokovoy, mkosek, nkinder, rcritten, rmeggins, ssorce
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-12-19 12:28:35 UTC
Attachments:
testing attachment (flags: none)

Description Dean Hunter 2012-12-07 15:48:52 UTC
Description of problem:
SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket.


Version-Release number of selected component (if applicable):
[root@server ~]# yum list installed freeipa*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
freeipa-admintools.x86_64                    3.0.1-3.fc18                @fedora
freeipa-client.x86_64                        3.0.1-3.fc18                @fedora
freeipa-python.x86_64                        3.0.1-3.fc18                @fedora
freeipa-server.x86_64                        3.0.1-3.fc18                @fedora
freeipa-server-selinux.x86_64                3.0.1-3.fc18                @fedora
[root@server ~]# 


How reproducible: consistent


Steps to Reproduce:
1.  Install Fedora 18 beta Gnome Desktop
2.  hostnamectl set-hostname server
3.  cat >/etc/sysconfig/network <<EOD
    NETWORKING=yes
    HOSTNAME=server.hunter.org
    EOD
4.  yum update --assumeyes
5.  reboot
6.  yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7.  mkdir /var/run/ipa
8.  chmod 0700 /var/run/ipa
9.  cat >>/etc/hosts <<EOD
    192.168.1.11  server.hunter.org server
    EOD
10. ipa-server-install \
      --admin-password adminpassword \
      --hostname server.hunter.org \
      --domain hunter.org \
      --ds-password dspassword \
      --realm HUNTER.ORG \
      --setup-dns \
      --no-forwarders \
      --unattended

  
Actual results:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpipLYWg' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
Unexpected error - see /var/log/ipaserver-install.log for details:
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12'
[root@server ~]#


Expected results:
Successful completion of ipa-server-install


Additional info:
Source Context                system_u:system_r:dirsrv_t:s0
Target Context                system_u:object_r:pki_ca_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          7389
Host                          server
Source RPM Packages           389-ds-base-1.3.0-0.1.a1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4
                              14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-12-07 09:35:18 CST
Last Seen                     2012-12-07 09:35:18 CST
Local ID                      7633f564-df6b-4256-aec0-3692a2e5b5a2

Raw Audit Messages
type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)

Hash: ns-slapd,dirsrv_t,pki_ca_port_t,tcp_socket,name_bind

audit2allow
audit2allow -R

Comment 1 Rob Crittenden 2012-12-07 15:51:24 UTC
What version of selinux-policy is installed?

Comment 2 Dean Hunter 2012-12-07 15:55:08 UTC
Here is an excerpt from /var/log/messages covering the time of the ipa-server-install execution. Please note that there is also a problem with NTP:

Dec  7 09:35:15 server systemd[1]: Stopped Network Time Service.
Dec  7 09:35:15 server systemd[1]: Reloading.
Dec  7 09:35:15 server systemd[1]: Cannot add dependency job for unit ntp-wait.service, ignoring: Unit ntp-wait.service failed to load: No such file or directory. See system logs and 'systemctl status ntp-wait.service' for details.
Dec  7 09:35:15 server systemd[1]: Starting Network Time Service...
Dec  7 09:35:15 server ntpd[2825]: ntpd 4.2.6p5 Thu Dec  6 12:52:39 UTC 2012 (1)
Dec  7 09:35:15 server ntpd[2826]: proto: precision = 0.069 usec
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Dec  7 09:35:15 server systemd[1]: Started Network Time Service.
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 1 v6wildcard :: UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 2 lo 127.0.0.1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 3 em1 192.168.1.11 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 4 lo ::1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 5 em1 fe80::21c:c4ff:feae:574f UDP 123
Dec  7 09:35:15 server ntpd[2826]: peers refreshed
Dec  7 09:35:15 server ntpd[2826]: Listening on routing socket on fd #22 for interface updates
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c016 06 restart
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c011 01 freq_not_set
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Reached target 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2902]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server dbus-daemon[634]: dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2924]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec  7 09:35:19 server ntpd[2826]: 0.0.0.0 c514 04 freq_mode
Dec  7 09:35:19 server dbus-daemon[634]: dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Reached target PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:23 server pkidaemon[2943]: 'pki-tomcat' must still be CONFIGURED!
Dec  7 09:35:23 server pkidaemon[2943]: (see /var/log/pki-tomcat-install.log)
Dec  7 09:35:23 server systemd[1]: Started PKI Tomcat Server pki-tomcat.

Comment 3 Dean Hunter 2012-12-07 15:56:23 UTC
[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.11.1-60.fc18          @updates-testing
selinux-policy-devel.noarch             3.11.1-60.fc18          @updates-testing
selinux-policy-targeted.noarch          3.11.1-60.fc18          @updates-testing
[root@server ~]#

Comment 4 Dean Hunter 2012-12-07 16:02:59 UTC
I am unable to attach the log from ipa-server-install???? I believe I have made all the correct entries; selected the file, entered a description, etc. But when I click submit, nothing happens.

Comment 5 Rob Crittenden 2012-12-07 16:43:51 UTC
That's fine, the log isn't needed. The AVC is enough.

Comment 6 Dean Hunter 2012-12-07 17:13:51 UTC
To try to work around the problem, I:
1. Uninstalled ipa server: ipa-server-install --uninstall
2. Followed the instructions in the SELinux alert details to update the policy
3. Rebooted
4. Tried to install IPA server again:

[root@server ~]#   ipa-server-install \
>     --admin-password adminpassword \
>     --hostname server.hunter.org \
>     --domain hunter.org \
>     --ds-password dspassword \
>     --realm HUNTER.ORG \
>     --setup-dns \
>     --no-forwarders \
>     --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBM6ZgK' returned non-zero exit status 1
Configuration of CA failed
[root@server ~]#

Comment 7 Dean Hunter 2012-12-07 17:15:20 UTC
Created attachment 659510
testing attachment

this is a test
this is only a test

Comment 8 Rob Crittenden 2012-12-07 17:50:45 UTC
The CA not being configured is likely a different issue than the SELinux problem.

Look in /var/log/ipaserver-install.log for more details.

You may also want to try to uninstall again and run pkidestroy -s CA -i pki-tomcat

Comment 9 Nathan Kinder 2012-12-07 18:23:36 UTC
The SELinux related problem seems to be that the port used by the 389 instance for Dogtag is labelled as pki_ca_port_t.  This means ns-slapd will not be allowed to bind to that port, where we expect it to be ldap_port_t.  A port can only have one label, so setup-ds.pl will fail to label the port properly.

I do not know how things got in this state, but you should be able to work around this problem by manually cleaning up the port label:

- Uninstall IPA.
- As root, remove the pki_ca_port_t label from port 7389 by running 'semanage port -d -p tcp -t pki_ca_port_t 7389'.
- Reinstall IPA.

Comment 10 Dean Hunter 2012-12-07 21:17:33 UTC
I am sorry but the workaround for the port label did not work. I had already started a rebuild because of problems with ipa-server-install --uninstall, so I used these steps:

1.  Install Fedora 18 beta Gnome Desktop
2.  hostnamectl set-hostname server
3.  cat >/etc/sysconfig/network <<EOD
    NETWORKING=yes
    HOSTNAME=server.hunter.org
    EOD
4.  yum update --assumeyes
5.  reboot
6.  yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7.  mkdir /var/run/ipa                             # 880995
8.  chmod 0700 /var/run/ipa                        # 880995
9.  semanage port -d -p tcp -t pki_ca_port_t 7389  # 885154
    
The result was this message:

/sbin/semanage: Port tcp/7389 is defined in policy, cannot be deleted

Comment 11 Nathan Kinder 2012-12-07 22:08:56 UTC
What does the output of 'semanage port -l |grep 7389' show?  This might be a problem in the version of selinux-policy that you have installed.  Port 7389 should not be labelled as pki_ca_port_t.

Comment 12 Nathan Kinder 2012-12-07 22:25:18 UTC
The SELinux issue is related to the fix that was added for this bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=879516

I have reopened the above bug, as the fix is incorrect.  Port 7389 should not be labelled as pki_ca_port_t.

Comment 13 Dean Hunter 2012-12-07 22:28:55 UTC
On the other hand, following the instructions in the alert details to create a new policy from the log did resolve the problem:

[root@server ~]# audit2allow -M mypol <<EOD
type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)
EOD
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@server ~]# cat mypol.te

module mypol 1.0;

require {
	type dirsrv_t;
	type pki_ca_port_t;
	class tcp_socket name_bind;
}

#============= dirsrv_t ==============
#!!!! This avc is allowed in the current policy

allow dirsrv_t pki_ca_port_t:tcp_socket name_bind;
[root@server ~]#  semodule -i mypol.pp
[root@server ~]# 

I believe the error was introduced sometime in the last week since the IPA server was last installed on Nov 29 with 3.11.1-57.fc18 required to correct another bug.

Per your last request:

[root@server ~]# semanage port -l | grep 7389
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447
[root@server ~]#

Comment 14 Nathan Kinder 2012-12-07 23:25:08 UTC
The policy module you added will work, but I would consider it a temporary fix, as it's not really correct.  When a new selinux-policy update is made to fix this, you should remove your custom policy module (mypol.pp) and then label 7389 as ldap_port_t using semanage.
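A worked triage of the denial discussed in comments 9, 13 and 14, as an added example that is not code from this bug report, from FreeIPA or from 389-ds: it parses the AVC record quoted in the description, renders the allow rule that audit2allow produced in comment 13 (the temporary fix), parses the `semanage port -l` line from comment 13, and classifies a dirsrv_t bind denial against a port labelled anything other than ldap_port_t as a port-label problem to be fixed by relabeling rather than a policy gap to cover with a custom module. The `EXPECTED_PORT_TYPE` table, the function names and the `Avc` dataclass are assumptions of this example; the sample inputs are constructed from the lines on this page.

```python
"""Triage of an SELinux name_bind denial (added example, not from the report).

Given an AVC record, reproduce the allow rule audit2allow would emit (the
temporary fix from comment 13) and check the port label against what the
source domain is expected to bind, so the real fix (relabel the port, as
comments 9 and 14 describe) is not mistaken for a policy gap.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AVC record quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  '
    'pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket'
)

# Constructed sample input: the `semanage port -l | grep 7389` line from comment 13.
SAMPLE_PORT_LISTING = "pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447\n"

# Assumption of this example: which port type a daemon's domain is expected to
# bind. Only the case from this bug is encoded (ns-slapd runs as dirsrv_t and
# its listener should be ldap_port_t, per comment 9).
EXPECTED_PORT_TYPE = {"dirsrv_t": "ldap_port_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'(?:.*?\bsrc=(?P<port>\d+))?.*?scontext=(?P<scon>\S+)'
    r'.*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)'
)


@dataclass
class Avc:
    permissions: list
    comm: str
    port: Optional[int]      # only present for name_bind/name_connect denials
    source_type: str         # type field of the source context (the domain)
    target_type: str         # type field of the target context (here a port type)
    tclass: str


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied' record; return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Avc(
        permissions=m.group("perms").split(),
        comm=m.group("comm"),
        port=int(m.group("port")) if m.group("port") else None,
        source_type=m.group("scon").split(":")[2],
        target_type=m.group("tcon").split(":")[2],
        tclass=m.group("tclass"),
    )


def _perm_set(perms):
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(avc):
    """The rule audit2allow derives from one denial."""
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {_perm_set(avc.permissions)};"


def te_module(name, avcs):
    """Render the .te source that `audit2allow -M name` writes for these denials."""
    types = sorted({t for a in avcs for t in (a.source_type, a.target_type)})
    classes = {}
    for a in avcs:
        classes.setdefault(a.tclass, set()).update(a.permissions)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [allow_rule(a) for a in avcs]
    return "\n".join(lines) + "\n"


def parse_port_listing(text):
    """Parse `semanage port -l` output into {(proto, port): port_type}."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[2][0].isdigit():
            continue  # header line or blank
        ptype, proto, ranges = parts
        for item in ranges.split(","):
            lo, _, hi = item.strip().partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                mapping[(proto, port)] = ptype
    return mapping


def diagnose(avc, port_types):
    """Classify a name_bind denial: mislabelled port versus genuine policy gap.

    A port carries exactly one label, so a dirsrv_t denial against a port type
    other than ldap_port_t means the label is wrong; allowing dirsrv_t on
    pki_ca_port_t (the audit2allow rule) would only hide that.
    """
    if "name_bind" not in avc.permissions or avc.port is None:
        return None
    proto = "tcp" if avc.tclass == "tcp_socket" else "udp"
    actual = port_types.get((proto, avc.port), avc.target_type)
    expected = EXPECTED_PORT_TYPE.get(avc.source_type)
    if expected and actual != expected:
        return {
            "kind": "port_mislabel",
            "port": avc.port,
            "actual": actual,
            "expected": expected,
            # Clean-up command from comment 9; comment 10 shows it is refused
            # while the bad label comes from the policy package itself, in
            # which case the selinux-policy update is the real fix.
            "cleanup": f"semanage port -d -p {proto} -t {actual} {avc.port}",
        }
    return {"kind": "policy_gap", "rule": allow_rule(avc)}


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(te_module("mypol", [avc]))
    print(diagnose(avc, parse_port_listing(SAMPLE_PORT_LISTING)))
```

Run against the two sample lines, `te_module` reproduces the `mypol.te` shown in comment 13 and `diagnose` reports a `port_mislabel` with `ldap_port_t` expected and `pki_ca_port_t` actual, which is the distinction comment 14 draws between the custom module and the correct relabel.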

Comment 15 Dean Hunter 2012-12-08 05:00:09 UTC
Absolutely! I agree 100%. I apologize that I was not clear that I was working around the bug. Do you have an estimate on when a new selinux-policy update will correct this problem?

Comment 16 Nathan Kinder 2012-12-10 18:57:42 UTC
(In reply to comment #15)
> Absolutely! I agree 100%. I apologize that I was not clear that I was
> working around the bug. Do you have an estimate on when a new selinux-policy
> update will correct this problem?

According to bug 879416, it has been fixed now:

   "Fixed in selinux-policy-3.11.1-61.fc18"

Comment 17 Dean Hunter 2012-12-12 06:34:59 UTC
I have verified that this problem has been corrected in selinux-policy-3.11.1-62.fc18

Comment 18 Martin Kosek 2012-12-19 12:28:35 UTC
Ok. In that case I will simply close the bug. Thanks Nathan and Dean for cooperation!