Bug 1024668 - IPA CA replica installation crashes on pkispawn
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-10-30 04:23 EDT by Martin Kosek
Modified: 2013-10-30 04:35 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-30 04:35:06 EDT
Type: Bug
Description Martin Kosek 2013-10-30 04:23:55 EDT
Description of problem:
When a RHEL-7.0 IPA server with CA enabled is being installed against a RHEL-6.5 IPA CA server, the installation will crash:

# ipa-replica-install --setup-ca replica-info-ipa.example.com.gpg 
...
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


pkispawn output:
2013-10-30T10:31:50Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn
2013-10-30T10:32:09Z DEBUG Process finished, return code=1
2013-10-30T10:32:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpvldJpn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


There is an AVC:

type=AVC msg=audit(1383120863.865:3569): avc:  denied  { name_bind } for  pid=31436 comm="httpd"        src=10443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_kra_port_t:s0            tclass=tcp_socket


# ausearch -m avc -ts today | audit2allow 

#============= httpd_t ==============
allow httpd_t pki_kra_port_t:tcp_socket name_bind;


Version-Release number of selected component (if applicable):
ipa-server-3.3.2-5.el7.x86_64
selinux-policy-3.12.1-94.el7.noarch
pki-ca-10.0.5-1.el7.noarch


How reproducible:


Steps to Reproduce:
1. Install IPA server on RHEL-6.5
2. Install IPA replica with CA (--setup-ca) on RHEL-7.0
3.

Actual results:
Installation crashes unless SELinux is disabled

Expected results:
Installation succeeds

Additional info:
Comment 1 Martin Kosek 2013-10-30 04:35:06 EDT
Please disregard this bug (for now, IPA CA installation is still failing) - this AVC is an interference from my investigation of another bug, I was just misled by the tcontext "system_u:object_r:pki_kra_port_t:s0" that it is related to the crash.
