Bug 885154
| Field | Value |
|---|---|
| Summary | ipa-server-install selinux alert |
| Product | Fedora |
| Component | freeipa |
| Version | 18 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | urgent |
| Priority | unspecified |
| Reporter | Dean Hunter <deanhunter> |
| Assignee | Rob Crittenden <rcritten> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abokovoy, mkosek, nkinder, rcritten, rmeggins, ssorce |
| Target Milestone | --- |
| Target Release | --- |
| Type | Bug |
| Doc Type | Bug Fix |
| Regression | --- |
| Last Closed | 2012-12-19 12:28:35 UTC |
Description
Dean Hunter
2012-12-07 15:48:52 UTC
What version of selinux-policy is installed?

Here is an excerpt from /var/log/messages covering the time of the ipa-server-install execution. Please note that there is also a problem with NTP:

Dec 7 09:35:15 server systemd[1]: Stopped Network Time Service.
Dec 7 09:35:15 server systemd[1]: Reloading.
Dec 7 09:35:15 server systemd[1]: Cannot add dependency job for unit ntp-wait.service, ignoring: Unit ntp-wait.service failed to load: No such file or directory. See system logs and 'systemctl status ntp-wait.service' for details.
Dec 7 09:35:15 server systemd[1]: Starting Network Time Service...
Dec 7 09:35:15 server ntpd[2825]: ntpd 4.2.6p5 Thu Dec 6 12:52:39 UTC 2012 (1)
Dec 7 09:35:15 server ntpd[2826]: proto: precision = 0.069 usec
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Dec 7 09:35:15 server ntpd[2826]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Dec 7 09:35:15 server systemd[1]: Started Network Time Service.
Dec 7 09:35:15 server ntpd[2826]: Listen and drop on 1 v6wildcard :: UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 2 lo 127.0.0.1 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 3 em1 192.168.1.11 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 4 lo ::1 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 5 em1 fe80::21c:c4ff:feae:574f UDP 123
Dec 7 09:35:15 server ntpd[2826]: peers refreshed
Dec 7 09:35:15 server ntpd[2826]: Listening on routing socket on fd #22 for interface updates
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c016 06 restart
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c011 01 freq_not_set
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server.
Dec 7 09:35:18 server systemd[1]: Reached target 389 Directory Server.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec 7 09:35:18 server ns-slapd[2902]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec 7 09:35:18 server dbus-daemon[634]: dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec 7 09:35:18 server dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec 7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec 7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec 7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec 7 09:35:18 server ns-slapd[2924]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec 7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec 7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec 7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec 7 09:35:19 server ntpd[2826]: 0.0.0.0 c514 04 freq_mode
Dec 7 09:35:19 server dbus-daemon[634]: dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 7 09:35:19 server dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 7 09:35:19 server systemd[1]: Starting PKI Tomcat Server.
Dec 7 09:35:19 server systemd[1]: Reached target PKI Tomcat Server.
Dec 7 09:35:19 server systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec 7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec 7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec 7 09:35:23 server pkidaemon[2943]: 'pki-tomcat' must still be CONFIGURED!
Dec 7 09:35:23 server pkidaemon[2943]: (see /var/log/pki-tomcat-install.log)
Dec 7 09:35:23 server systemd[1]: Started PKI Tomcat Server pki-tomcat.

[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch 3.11.1-60.fc18 @updates-testing
selinux-policy-devel.noarch 3.11.1-60.fc18 @updates-testing
selinux-policy-targeted.noarch 3.11.1-60.fc18 @updates-testing
[root@server ~]#

I am unable to attach the log from ipa-server-install???? I believe I have made all the correct entries; selected the file, entered a description, etc. But when I click submit, nothing happens.

That's fine, the log isn't needed. The AVC is enough.

To try to work around the problem, I:
1. Uninstalled ipa server: ipa-server-install --uninstall
2. Followed the instructions in the SELinux alert details to update the policy
3. Rebooted
4. Tried to install IPA server again:
[root@server ~]# ipa-server-install \
> --admin-password adminpassword \
> --hostname server.hunter.org \
> --domain hunter.org \
> --ds-password dspassword \
> --realm HUNTER.ORG \
> --setup-dns \
> --no-forwarders \
> --unattended
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Configure the Network Time Daemon (ntpd)
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
To accept the default shown in brackets, press the Enter key.
Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.
The IPA Master Server will be configured with:
Hostname: server.hunter.org
IP address: 192.168.1.11
Domain name: hunter.org
Realm name: HUNTER.ORG
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Reverse zone: 1.168.192.in-addr.arpa.
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
[1/3]: creating directory server user
[2/3]: creating directory server instance
[3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[1/19]: creating certificate server user
[2/19]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBM6ZgK' returned non-zero exit status 1
Configuration of CA failed
[root@server ~]#
Created attachment 659510
testing attachment
this is a test
this is only a test
The CA not being configured is likely a different issue than the SELinux problem. Look in /var/log/ipaserver-install.log for more details. You may also want to try to uninstall again and run pkidestroy -s CA -i pki-tomcat

The SELinux related problem seems to be that the port used by the 389 instance for Dogtag is labelled as pki_ca_port_t. This means ns-slapd will not be allowed to bind to that port, whereas we expect it to be ldap_port_t. A port can only have one label, so setup-ds.pl will fail to label the port properly. I do not know how things got in this state, but you should be able to work around this problem by manually cleaning up the port label:
- Uninstall IPA.
- As root, remove the pki_ca_port_t label from port 7389 by running 'semanage port -d -p tcp -t pki_ca_port_t 7389'.
- Reinstall IPA.

I am sorry but the workaround for the port label did not work. I had already started a rebuild because of problems with ipa-server-install --uninstall, so I used these steps:
1. Install Fedora 18 beta Gnome Desktop
2. hostnamectl set-hostname server
3. cat >/etc/sysconfig/network <<EOD
NETWORKING=yes
HOSTNAME=server.hunter.org
EOD
4. yum update --assumeyes
5. reboot
6. yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7. mkdir /var/run/ipa # 880995
8. chmod 0700 /var/run/ipa # 880995
9. semanage port -d -p tcp -t pki_ca_port_t 7389 # 885154
The result was this message:
/sbin/semanage: Port tcp/7389 is defined in policy, cannot be deleted

What does the output of 'semanage port -l | grep 7389' show? This might be a problem in the version of selinux-policy that you have installed. Port 7389 should not be labelled as pki_ca_port_t.

The SELinux issue is related to the fix that was added for this bug: https://bugzilla.redhat.com/show_bug.cgi?id=879516 I have reopened the above bug, as the fix is incorrect. Port 7389 should not be labelled as pki_ca_port_t.
On the other hand, following the instructions in the alert details to create a new policy from the log did resolve the problem:

[root@server ~]# audit2allow -M mypol <<EOD
type=AVC msg=audit(1354894518.888:342): avc: denied { name_bind } for pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)
EOD
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mypol.pp
[root@server ~]# cat mypol.te
module mypol 1.0;

require {
type dirsrv_t;
type pki_ca_port_t;
class tcp_socket name_bind;
}

#============= dirsrv_t ==============
#!!!! This avc is allowed in the current policy
allow dirsrv_t pki_ca_port_t:tcp_socket name_bind;
[root@server ~]# semodule -i mypol.pp
[root@server ~]#

I believe the error was introduced sometime in the last week since the IPA server was last installed on Nov 29 with 3.11.1-57.fc18 required to correct another bug.

Per your last request:
[root@server ~]# semanage port -l | grep 7389
pki_ca_port_t tcp 7389, 9180, 9701, 9443-9447
[root@server ~]#

The policy module you added will work, but I would consider it a temporary fix, as it's not really correct. When a new selinux-policy update is made to fix this, you should remove your custom policy module (mypol.pp) and then label 7389 as ldap_port_t using semanage.

Absolutely! I agree 100%. I apologize that I was not clear that I was working around the bug. Do you have an estimate on when a new selinux-policy update will correct this problem?

(In reply to comment #15)
> Absolutely! I agree 100%. I apologize that I was not clear that I was
> working around the bug. Do you have an estimate on when a new selinux-policy
> update will correct this problem?

According to bug 879416, it has been fixed now: "Fixed in selinux-policy-3.11.1-61.fc18"

I have verified that this problem has been corrected in selinux-policy-3.11.1-62.fc18

Ok. In that case I will simply close the bug. Thanks Nathan and Dean for cooperation!
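The thread turns on two facts: `semanage port -l` maps tcp/7389 to pki_ca_port_t, and the audit2allow module grants dirsrv_t name_bind on pki_ca_port_t as a whole, not just on 7389. The script below is an added example (not code from this bug, FreeIPA or selinux-policy) that reads an AVC record and a `semanage port -l` snapshot offline and reports which type the port actually carries, whether it matches the type the daemon is allowed to bind, and how many ports the audit2allow rule would really open. The AVC line and the pki_ca_port_t row are quoted from the thread; the other `semanage` rows are constructed to show the format, and the `semanage port -m` remediation it prints is an assumption on my part (the thread only shows that `-d` refuses a policy-defined port and that 7389 should end up as ldap_port_t).

```python
"""Added example: check a name_bind AVC denial against the SELinux port-type map."""
import re
from dataclasses import dataclass

# Constructed input: the AVC record posted in the thread.
AVC_LINE = (
    'type=AVC msg=audit(1354894518.888:342): avc: denied { name_bind } for pid=2924 '
    'comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket'
)

# Constructed snapshot in the format of `semanage port -l`. Only the pki_ca_port_t
# row is quoted from the thread; the other rows are illustrative.
SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
kerberos_port_t                tcp      88, 750, 4444
ldap_port_t                    tcp      389, 636, 3268, 3269
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?comm="(?P<comm>[^"]+)".*?src=(?P<src>\d+)'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+.*?tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r'.*?tclass=(?P<tclass>\w+)'
)


@dataclass(frozen=True)
class Denial:
    perm: str
    comm: str
    src_port: int
    source_type: str   # domain of the denied process, e.g. dirsrv_t
    target_type: str   # port type the socket hit, e.g. pki_ca_port_t
    tclass: str


def parse_avc(line):
    """Extract the fields that matter for a port-bind denial; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(m['perm'], m['comm'], int(m['src']), m['stype'], m['ttype'], m['tclass'])


def parse_port_map(text):
    """Turn `semanage port -l` output into {(type, proto): [(lo, hi), ...]}."""
    port_map = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ('tcp', 'udp', 'sctp'):
            continue  # header, blank or unrelated line
        ptype, proto, spec = parts
        ranges = []
        for item in spec.split(','):
            lo, _, hi = item.strip().partition('-')   # "9443-9447" or "7389"
            ranges.append((int(lo), int(hi or lo)))
        port_map[(ptype, proto)] = ranges
    return port_map


def types_for_port(port_map, proto, port):
    """Port types whose definition covers proto/port (a port carries exactly one)."""
    return sorted(ptype for (ptype, p), ranges in port_map.items()
                  if p == proto and any(lo <= port <= hi for lo, hi in ranges))


def ports_for_type(port_map, ptype, proto):
    """Every concrete port number a type covers, with ranges expanded."""
    ports = set()
    for lo, hi in port_map.get((ptype, proto), []):
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def diagnose(avc_line, semanage_text, expected_type):
    """Compare the port's real label with the type the daemon should bind, and
    measure what an audit2allow `allow <src> <target>:tcp_socket name_bind;` grants."""
    d = parse_avc(avc_line)
    if d is None or d.perm != 'name_bind':
        raise ValueError('not a name_bind AVC denial')
    proto = 'tcp' if d.tclass == 'tcp_socket' else 'udp'
    port_map = parse_port_map(semanage_text)
    actual = types_for_port(port_map, proto, d.src_port)
    granted = ports_for_type(port_map, d.target_type, proto)
    return {
        'comm': d.comm,
        'port': d.src_port,
        'actual_types': actual,
        'expected_type': expected_type,
        'mislabelled': expected_type not in actual,
        'audit2allow_grants': granted,
        'audit2allow_overreach': [p for p in granted if p != d.src_port],
        # Assumed remediation: `-d` is refused for policy-defined ports (as in the
        # thread), `-m` records a local override instead. Not from the thread.
        'relabel_cmd': f'semanage port -m -t {expected_type} -p {proto} {d.src_port}',
    }


if __name__ == '__main__':
    for key, value in diagnose(AVC_LINE, SEMANAGE_PORT_L, 'ldap_port_t').items():
        print(f'{key}: {value}')
```

On the thread's data this reports tcp/7389 as pki_ca_port_t instead of the expected ldap_port_t, and shows that the mypol.pp rule lets dirsrv_t bind seven more ports (9180, 9443-9447, 9701) than the one it needs, which is why the relabel, not the allow rule, is the correct fix once the policy update lands.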