1159330 – RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1159330 - RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd

Summary: RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for httpd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-31 14:45 UTC by Scott Poore
Modified:	2015-03-05 10:14 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ipa-4.1.0-7.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:14:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Scott Poore 2014-10-31 14:45:58 UTC

Description of problem:

On RHEL7.1, it appears that the setsebool from ipa-server-install --uninstall is incorrectly setting httpd booleans to None instead of off.

On RHEL7.1, it tries to set the following:

2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'

On RHEL7.0, it sets them like this:

2014-10-31T14:39:57Z DEBUG args=/usr/sbin/setsebool -P httpd_can_network_connect off
...
2014-10-31T14:40:07Z DEBUG args=/usr/sbin/setsebool -P httpd_manage_ipa off

This is failing to change settings and throwing a warning:

[root@rhel7-1 yum.local.d]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-3.el7.x86_64

How reproducible:
always.

Steps to Reproduce:
1.  ipa-server-install # install server per normal
2.  ipa-server-install --uninstall -U

Actual results:

WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Expected results:
booleans set to off and not errors/warnings.

Additional info:

/var/log/ipaserver-uninstall.log:

2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_can_network_connect'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_can_network_connect --> off

2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/getsebool' 'httpd_manage_ipa'
2014-10-31T14:14:48Z DEBUG Process finished, return code=0
2014-10-31T14:14:48Z DEBUG stdout=httpd_manage_ipa --> off

2014-10-31T14:14:48Z DEBUG stderr=
2014-10-31T14:14:48Z DEBUG Starting external process
2014-10-31T14:14:48Z DEBUG args='/usr/sbin/setsebool' '-P' 'httpd_can_network_connect=None' 'httpd_manage_ipa=None'
2014-10-31T14:14:48Z DEBUG Process finished, return code=255
2014-10-31T14:14:48Z DEBUG stdout=
2014-10-31T14:14:48Z DEBUG stderr=setsebool: illegal value None for boolean httpd_can_network_connect

2014-10-31T14:14:48Z DEBUG WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Comment 2 Petr Vobornik 2014-11-03 13:31:01 UTC

ipa-server-install --uninstall certainly should not use  'None' as setsebool's option value.

But in your case, the `ipa-server-install --uninstall -U` output look as if ipa-server was previously uninstalled. `ipa-server-install` then incorrectly handles saved state(None) and does the incorrect call.

Comment 3 Petr Vobornik 2014-11-03 16:29:00 UTC

to confirm comment 2:

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> on

[root@host ~]$ ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@host ~]$ getsebool -a | grep -E 'httpd_can_network_connect|httpd_manage_ipa'
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_manage_ipa --> off

[root@host ~]$ ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration
WARNING: Could not set SELinux booleans: httpd_can_network_connect=None httpd_manage_ipa=None

Comment 4 Petr Vobornik 2014-11-03 16:45:14 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4678

Comment 5 Petr Vobornik 2014-11-19 14:49:36 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a14ce85357419f41f0994625d29d3f1af7a53d4c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/1d7407c06caa06119635910d34213167d97125a0

Comment 7 Scott Poore 2014-11-21 18:33:43 UTC

Verified.

Version ::
ipa-server-4.1.0-7.el7.x86_64

Results ::

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> on

[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> on

[root@vm3 log]# ipa-server-install --uninstall -U
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA
Unconfiguring named
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd

[root@vm3 log]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# ipa-server-install --uninstall -U

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration

[root@vm3 log]# getsebool httpd_can_network_connect
httpd_can_network_connect --> off

[root@vm3 log]# getsebool httpd_manage_ipa
httpd_manage_ipa --> off

Comment 9 errata-xmlrpc 2015-03-05 10:14:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.