Red Hat Bugzilla – Bug 1159330
RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd
Last modified: 2015-03-05 05:14:17 EST
Description of problem:
On RHEL7.1, it appears that the setsebool from ipa-server-install --uninstall is incorrectly setting httpd booleans to None instead of off.

On RHEL7.1, it tries to set the following:

2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'

On RHEL7.0, it sets them like this:

2014-10-31T14:39:57Z DEBUG args=/usr/sbin/setsebool -P httpd_can_network_connect off
...
2014-10-31T14:40:07Z DEBUG args=/usr/sbin/setsebool -P httpd_manage_ipa off

This is failing to change settings and throwing a warning:

[root@rhel7-1 yum.local.d]# ipa-server-install --uninstall -U
WARNING: Failed to connect to Directory Server to find information about replication agreements.
Uninstallation will continue despite the possible existing replication agreements.

Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-3.el7.x86_64

How reproducible:
always.

Steps to Reproduce:
1. ipa-server-install # install server per normal
2. ipa-server-install --uninstall -U

Actual results:
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Expected results:
booleans set to off and no errors/warnings.

Additional info:
/var/log/ipaserver-uninstall.log:

2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_can_network_connect --> off
2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_manage_ipa --> off
2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'
2014-10-31T14:14:48Z DEBUG Process finished, return code=255
2014-10-31T14:14:48Z DEBUG stdout=
2014-10-31T14:14:48Z DEBUG stderr=setsebool: illegal value None for boolean httpd_can_network_connect
2014-10-31T14:14:48Z DEBUG WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

ipa-server-install --uninstall certainly should not use 'None' as setsebool's option value. But in your case, the `ipa-server-install --uninstall -U` output looks as if ipa-server was previously uninstalled. `ipa-server-install` then incorrectly handles saved state (None) and does the incorrect call.

To confirm comment 2:

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> on

[root@host ~]$ ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> off

[root@host ~]$ ipa-server-install --uninstall -U
WARNING: Failed to connect to Directory Server to find information about replication agreements.
Uninstallation will continue despite the possible existing replication agreements.

Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None
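
A guard for the saved-state handling described in the comments above, as an added example that is not FreeIPA's code or the upstream fix. The function names and the dict-shaped saved state are assumptions; None stands for a boolean with no saved value, as on a repeated uninstall.

```python
import subprocess

SETSEBOOL = "/usr/sbin/setsebool"
VALID_VALUES = ("on", "off")

# Constructed sample states (hypothetical shape): first and repeated uninstall.
FIRST_RUN = {"httpd_can_network_connect": "off", "httpd_manage_ipa": "off"}
SECOND_RUN = {"httpd_can_network_connect": None, "httpd_manage_ipa": None}


def naive_args(saved):
    """Format every saved value as text, reproducing the failing call in the log."""
    return [SETSEBOOL, "-P"] + ["%s=%s" % (n, v) for n, v in sorted(saved.items())]


def restore_args(saved):
    """Build the setsebool argv, or return None when nothing was saved."""
    pairs = []
    for name, value in sorted(saved.items()):
        if value is None:
            # No saved state for this boolean: leave the current setting alone.
            continue
        if value not in VALID_VALUES:
            # Refuse anything setsebool would reject instead of passing it on.
            raise ValueError("unexpected saved value %r for %s" % (value, name))
        pairs.append("%s=%s" % (name, value))
    return [SETSEBOOL, "-P"] + pairs if pairs else None


def restore_booleans(saved, run=subprocess.call):
    """Restore saved booleans; 'run' is injectable so the logic is testable."""
    argv = restore_args(saved)
    if argv is None:
        return "skipped"  # repeated uninstall: no call, no warning
    return "restored" if run(argv) == 0 else "failed"


if __name__ == "__main__":
    # Dry run with a fake runner that only prints the command it would execute.
    def fake(argv):
        print("would run:", " ".join(argv))
        return 0

    print("naive second run:", " ".join(naive_args(SECOND_RUN)))
    print("first run:", restore_booleans(FIRST_RUN, run=fake))
    print("second run:", restore_booleans(SECOND_RUN, run=fake))
```
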
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4678
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/a14ce85357419f41f0994625d29d3f1af7a53d4c
ipa-4-1: https://fedorahosted.org/freeipa/changeset/1d7407c06caa06119635910d34213167d97125a0

Verified.

Version ::
ipa-server-4.1.0-7.el7.x86_64

Results ::

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on
[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> on

[root@vm3 log]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@vm3 log]# ipa-server-install --uninstall -U
WARNING: Failed to connect to Directory Server to find information about replication agreements.
Uninstallation will continue despite the possible existing replication agreements.

Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# ipa-server-install --uninstall -U
WARNING: Failed to connect to Directory Server to find information about replication agreements.
Uninstallation will continue despite the possible existing replication agreements.

Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> off
[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> off
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html