Bug 1024668 - IPA CA replica installation crashes on pkispawn
Summary: IPA CA replica installation crashes on pkispawn
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-30 08:23 UTC by Martin Kosek
Modified: 2013-10-30 08:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-30 08:35:06 UTC
Target Upstream Version:



Description Martin Kosek 2013-10-30 08:23:55 UTC
Description of problem:
When a RHEL-7.0 IPA server with CA enabled is installed against a RHEL-6.5 IPA CA server, the installation crashes:

# ipa-replica-install --setup-ca replica-info-ipa.example.com.gpg 
...
  [34/34]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 33 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed


pkispawn output:
2013-10-30T10:31:50Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpvldJpn
2013-10-30T10:32:09Z DEBUG Process finished, return code=1
2013-10-30T10:32:09Z DEBUG stdout=Loading deployment configuration from /tmp/tmpvldJpn.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


There is an AVC:

type=AVC msg=audit(1383120863.865:3569): avc:  denied  { name_bind } for  pid=31436 comm="httpd"        src=10443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_kra_port_t:s0            tclass=tcp_socket


# ausearch -m avc -ts today | audit2allow 

#============= httpd_t ==============
allow httpd_t pki_kra_port_t:tcp_socket name_bind;


Version-Release number of selected component (if applicable):
ipa-server-3.3.2-5.el7.x86_64
selinux-policy-3.12.1-94.el7.noarch
pki-ca-10.0.5-1.el7.noarch


How reproducible:


Steps to Reproduce:
1. Install IPA server on RHEL-6.5
2. Install IPA replica with CA (--setup-ca) on RHEL-7.0
3.

Actual results:
Installation crashes unless SELinux is disabled

Expected results:
Installation succeeds

Additional info:

Comment 1 Martin Kosek 2013-10-30 08:35:06 UTC
Please disregard this bug (for now, IPA CA installation is still failing) - this AVC is interference from my investigation of another bug; I was just misled by the tcontext "system_u:object_r:pki_kra_port_t:s0" into thinking it was related to the crash.
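As an added example (not code from the bug report, IPA or pki), the triage step Comment 1 describes in code: parse the AVC record quoted above, derive the same audit2allow-style rule, and flag whether the denied process is actually one the failing pkispawn step runs before anyone writes a policy module for it. The second sample record and the assumed process names (pkispawn, java) are constructed for illustration.

```python
import re

# Constructed samples: the first is the AVC record quoted in the bug report;
# the second is made up for contrast (a denial against the CA's own process).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1383120863.865:3569): avc:  denied  { name_bind } for  '
    'pid=31436 comm="httpd" src=10443 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:pki_kra_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1383120900.001:3570): avc:  denied  { name_bind } for  '
    'pid=31500 comm="java" src=8443 scontext=system_u:system_r:pki_tomcat_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: the failing step runs pkispawn (comm "pkispawn") and the
# pki-tomcatd instance it spawns (comm "java"); httpd is not part of it.
PKISPAWN_COMMS = {"pkispawn", "java"}


def parse_avc(line):
    """Split one AVC record into a dict: perms list plus key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Pull the type component (user:role:type:level) out of both contexts.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def to_allow_rule(rec):
    """The rule audit2allow prints for this record (matches the one in the report)."""
    return "allow %s %s:%s %s;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def triage(lines, expected_comms=PKISPAWN_COMMS):
    """Split denials into those from the failing step's own processes and bystanders."""
    # A tcontext that merely looks relevant (pki_kra_port_t) is not evidence:
    # the denied comm must be one the step actually runs before a rule is added.
    related, unrelated = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        (related if rec.get("comm") in expected_comms else unrelated).append(rec)
    return related, unrelated
```

Run against the report's record, `triage` places the httpd denial in the bystander list, which is the conclusion Comment 1 reaches by hand.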

