Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1159330

Summary: RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: mkosek, pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.1.0-7.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:14:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2014-10-31 14:45:58 UTC 
Description of problem:

On RHEL7.1, it appears that the setsebool from ipa-server-install --uninstall is incorrectly setting httpd booleans to None instead of off.

On RHEL7.1, it tries to set the following:

2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'

On RHEL7.0, it sets them like this:

2014-10-31T14:39:57Z DEBUG args=/usr/sbin/setsebool -P httpd_can_network_connect off
...
2014-10-31T14:40:07Z DEBUG args=/usr/sbin/setsebool -P httpd_manage_ipa off

This is failing to change settings and throwing a warning:

[root@rhel7-1 yum.local.d]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-3.el7.x86_64

How reproducible:
always.

Steps to Reproduce:
1.  ipa-server-install # install server per normal
2.  ipa-server-install --uninstall -U

Actual results:

WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Expected results:
booleans set to off and not errors/warnings.

Additional info:

/var/log/ipaserver-uninstall.log:

2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_can_network_connect --> off

2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_manage_ipa --> off

2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'
2014-10-31T14:14:48Z DEBUG Process finished, return code=255
2014-10-31T14:14:48Z DEBUG stdout=
2014-10-31T14:14:48Z DEBUG stderr=setsebool: illegal value None for boolean httpd_can_network_connect

2014-10-31T14:14:48Z DEBUG WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None
Comment 2 Petr Vobornik 2014-11-03 13:31:01 UTC 
ipa-server-install --uninstall certainly should not use  'None' as setsebool's option value.

But in your case, the `ipa-server-install --uninstall -U` output look as if ipa-server was previously uninstalled. `ipa-server-install` then incorrectly handles saved state(None) and does the incorrect call.
Comment 3 Petr Vobornik 2014-11-03 16:29:00 UTC 
to confirm comment 2:

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> on

[root@host ~]$ ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> off

[root@host ~]$ ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None
Comment 4 Petr Vobornik 2014-11-03 16:45:14 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4678
Comment 5 Petr Vobornik 2014-11-19 14:49:36 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a14ce85357419f41f0994625d29d3f1af7a53d4c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/1d7407c06caa06119635910d34213167d97125a0
Comment 7 Scott Poore 2014-11-21 18:33:43 UTC 
Verified.

Version ::
ipa-server-4.1.0-7.el7.x86_64

Results ::

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> on

[root@vm3 log]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@vm3 log]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> off

[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> off
Comment 9 errata-xmlrpc 2015-03-05 10:14:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html