Bug 929062

Summary: libsemanage reports load_policy errors during freeipa-server-selinux install
Product: [Fedora] Fedora
Reporter: Martin Kosek <mkosek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, eparis, lvrabec, mgrepl, tbabej
Last Closed: 2013-10-24 18:07:13 UTC
Type: Bug
Attachments:
relevant part of /var/log/messages (flags: none)

Description Martin Kosek 2013-03-29 07:33:47 UTC
Description of problem:

When we enroll a new Fedora 19 VM (by distro-syncing a Fedora 18 VM) and install FreeIPA packages, we sometimes hit the following bug:

  Installing : freeipa-server-3.1.99GITa9b9b77-0.fc19.x86_64 4/7
  Installing : freeipa-server-selinux-3.1.99GITa9b9b77-0.fc19.x86_64 5/7
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!
  Installing : freeipa-server-trust-ad-3.1.99GITa9b9b77-0.fc19.x86_64 6/7


Consequently, it causes the following failure during ipa-server-install:

[12/14]: configuring SELinux for httpd
WARNING: could not set the following SELinux boolean(s):
  httpd_can_network_connect -> on
  httpd_manage_ipa -> on
The web interface may not function correctly until the booleans
are successfully changed with the command:
/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
Try updating the policycoreutils and selinux-policy packages.
  [13/14]: restarting httpd
... 

When setting these booleans by hand, setsebool returned error 137:
# /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
# echo $?
137

Additional note - the VM was running SELinux in Permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-24.fc19.noarch

How reproducible:

Steps to Reproduce:
1. Upgrade F18 to F19
2. Install freeipa packages (we use development packages from upstream git, they will land in Fedora 19 on Apr 2nd)
3. Run ipa-server-install
  
Actual results:
setsebool reports errors above.

Expected results:
setsebool runs smoothly.

Additional info:

Comment 1 Daniel Walsh 2013-03-29 13:23:20 UTC
Do you see anything in dmesg or the /var/log/messages?

Are the machines memory challenged?

Comment 2 Daniel Walsh 2013-03-29 13:23:54 UTC
If you run load_policy after the fact does it work?

Comment 3 Martin Kosek 2013-03-29 14:18:38 UTC
Adding Tomas to add this information; he is the actual owner of the failing VMs.

Comment 4 Tomas Babej 2013-03-29 14:46:15 UTC
Created attachment 718098
relevant part of /var/log/messages

Adding a relevant part of /var/log/messages. There really seems to be a memory problem; the semodule process was killed because of it.

Comment 5 Tomas Babej 2013-03-29 15:05:49 UTC
Running load_policy after installing the packages does not help the issue.

Comment 6 Daniel Walsh 2013-04-01 13:31:26 UTC
If you try this with a bigger VM memory wise does it work?

Comment 7 Tomas Babej 2013-04-02 08:46:18 UTC
I doubled the amount of memory available (from 1024 MB to 2048 MB) and the issue is no longer reproducible.
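
The diagnosis reached in this thread (exit status 137 from setsebool, and semodule killed for lack of memory according to /var/log/messages) can be checked mechanically. The following shell script is an added example, not part of the bug report: the function names are hypothetical, and the log lines are constructed samples in the kernel's OOM-killer message format, not the contents of the attachment.

```shell
#!/bin/sh
# Added example: triage a failed SELinux policy reload that may be an OOM kill.

# Translate a shell exit status into a signal name when it is above 128
# (128 + signal number), e.g. 137 -> SIGKILL; otherwise report "exit:N".
decode_status() {
    if [ "$1" -gt 128 ]; then
        echo "SIG$(kill -l "$(($1 - 128))")"
    else
        echo "exit:$1"
    fi
}

# Read a kernel log on stdin and print "PID NAME" for every OOM kill
# whose victim is one of the SELinux policy tools seen in this report.
oom_killed_selinux_tools() {
    sed -nE 's/.*Killed process ([0-9]+) \((semodule|load_policy|setsebool)\).*/\1 \2/p'
}

# Combine both checks: $1 is the exit status of the failed tool,
# stdin is the log to search.
triage() {
    sig=$(decode_status "$1")
    hits=$(oom_killed_selinux_tools)
    if [ "$sig" = "SIGKILL" ] && [ -n "$hits" ]; then
        echo "oom-kill: $hits"
    elif [ "$sig" = "SIGKILL" ]; then
        echo "killed, no OOM record for policy tools"
    else
        echo "not a kill: $sig"
    fi
}

# Constructed sample log lines (hypothetical host, PIDs and sizes).
sample_log() {
cat <<'EOF'
Jan 01 10:00:01 vm.example kernel: semodule invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
Jan 01 10:00:01 vm.example kernel: Out of memory: Kill process 2301 (semodule) score 612 or sacrifice child
Jan 01 10:00:01 vm.example kernel: Killed process 2301 (semodule) total-vm:801234kB, anon-rss:612340kB, file-rss:120kB
Jan 01 10:01:10 vm.example kernel: Killed process 2450 (httpd) total-vm:301234kB, anon-rss:112340kB, file-rss:80kB
EOF
}

sample_log | triage 137
```

On a real host, pipe /var/log/messages (or the kernel log) into `triage` together with the exit status of the failed command. After adding memory, rerun the setsebool command from the installer warning and confirm the result with `getsebool httpd_can_network_connect httpd_manage_ipa`.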