Description of problem:

I'm seeing AVC denials during ipa-server-install:

[root@rhel7-1 etc]# ausearch -m avc
----
time->Wed Sep 25 09:28:13 2013
type=SYSCALL msg=audit(1380119293.446:564): arch=c000003e syscall=248 success=no exit=-13 a0=7f10eca1eb2e a1=7f10e4331ed0 a2=0 a3=0 items=0 ppid=10607 pid=10611 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1380119293.446:564): avc: denied { write } for pid=10611 comm="named" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:570): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:570): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.264:569): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd780890a0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.264:569): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.265:571): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77910bd0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.265:571): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.266:572): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7741a950 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.266:572): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:573): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd7784e720 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:573): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.304:574): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77458510 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.304:574): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:575): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd77460340 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:575): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key
----
time->Wed Sep 25 09:29:19 2013
type=SYSCALL msg=audit(1380119359.305:576): arch=c000003e syscall=248 success=no exit=-13 a0=7fbd69648b2e a1=7fbd778082b0 a2=0 a3=0 items=0 ppid=10631 pid=10637 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380119359.305:576): avc: denied { write } for pid=10637 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key

[root@rhel7-1 etc]# cat /var/log/audit/audit.log | audit2allow

#============= httpd_t ==============
allow httpd_t self:key write;

#============= named_t ==============
allow named_t self:key write;

Version-Release number of selected component (if applicable):

selinux-policy-3.12.1-80.el7.noarch

How reproducible:

always

Steps to Reproduce:

1. ipa-server-install

Actual results:

AVC denials causing ipa-server-install to fail during ipa-client-install run at end. AVC denials listed above.

Expected results:

no AVCs during ipa-server-install

Additional info:

/var/log/ipaserver-install shows this:

2013-09-25T14:28:15Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com
2013-09-25T14:29:20Z DEBUG Process finished, return code=1
2013-09-25T14:29:20Z DEBUG stdout=
2013-09-25T14:29:20Z DEBUG stderr=Hostname: rhel7-1.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: rhel7-1.testrelm.com
BaseDN: dc=testrelm,dc=com
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2565, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2551, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2349, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1103, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 782, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 752, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 'https://rhel7-1.testrelm.com/ipa/xml': Internal Server Error

2013-09-25T14:29:20Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1217, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2013-09-25T14:29:20Z DEBUG The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain testrelm.com --server rhel7-1.testrelm.com --realm TESTRELM.COM --hostname rhel7-1.testrelm.com' returned non-zero exit status 1
*** This bug has been marked as a duplicate of bug 1012051 ***
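
The reduction from the AVC records in the report to the two audit2allow rules can be reproduced with a short parser. This is an added example, not part of the original report and not audit2allow's own code; the function names are hypothetical, and the last sample record (demo_t) is constructed to show the case where source and target types differ.

```python
import re
from collections import defaultdict

# Matches one "avc: denied" record; ".*?" never crosses a newline.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# The first three records are AVC lines from the report; the fourth is constructed.
SAMPLE = "\n".join([
    'type=AVC msg=audit(1380119293.446:564): avc: denied { write } for pid=10611 comm="named" '
    'scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:named_t:s0 tclass=key',
    'type=AVC msg=audit(1380119359.265:570): avc: denied { write } for pid=10637 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key',
    'type=AVC msg=audit(1380119359.264:569): avc: denied { write } for pid=10637 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=key',
    'type=AVC msg=audit(1.000:1): avc: denied { read open } for pid=1 comm="demo" '
    'scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file',
])

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denials by (source type, target type, class), merging permissions."""
    denials = defaultdict(lambda: {"perms": set(), "count": 0})
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        denials[key]["count"] += 1
    return dict(denials)

def to_allow_rules(denials):
    """Render each group as an allow rule; 'self' when source and target types match."""
    rules = []
    for (src, tgt, tclass), info in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        perms = sorted(info["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE)):
        print(rule)
```
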