Description of problem: ipa-server-install fails on configuaration of kadmin: systemctl start kadmin.service errors out. Version-Release number of selected component (if applicable): freeipa-server-4.1.1-1 krb5-server-1.12.2-8.fc21.x86_64 selinux-policy-3.13.1-92.fc21.noarch How reproducible: Always Steps to Reproduce: 1. run ipa-server-install or then just 1. systemctl start kadmin.service Actual results: ipa-server-install fails on configuration of kadmin Expected results: ipa-server-install finishes successfully Additional info: found 2 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing kadmind from unlink access on the file kadmin_0. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that kadmind should be allowed unlink access on the kadmin_0 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep kadmind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:kadmind_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects kadmin_0 [ file ] Source kadmind Source Path kadmind Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-92.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name obfuscated Platform Linux obfuscated 3.16.3-300.fc21.x86_64 #1 SMP Wed Sep 17 20:54:02 UTC 2014 x86_64 x86_64 Alert Count 8 First Seen 2014-11-07 12:14:58 CET Last Seen 2014-11-07 12:14:58 CET Local ID 8965a9af-8310-43d7-94ff-d63c89029193 Raw Audit Messages type=AVC msg=audit(1415358898.900:118): avc: denied { unlink } for pid=2706 comm="kadmind" name="kadmin_0" dev="dm-0" ino=411321 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0 Hash: kadmind,kadmind_t,tmp_t,file,unlink -------------------------------------------------------------------------------- SELinux is preventing kadmind from write access on the file kadmin_0. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that kadmind should be allowed write access on the kadmin_0 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep kadmind /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:kadmind_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects kadmin_0 [ file ] Source kadmind Source Path kadmind Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-92.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name obfuscated Platform Linux obfuscated 3.16.3-300.fc21.x86_64 #1 SMP Wed Sep 17 20:54:02 UTC 2014 x86_64 x86_64 Alert Count 8 First Seen 2014-11-07 12:14:58 CET Last Seen 2014-11-07 12:14:58 CET Local ID d985fe2c-dded-423d-af45-31e3e220085a Raw Audit Messages type=AVC msg=audit(1415358898.905:123): avc: denied { write } for pid=2706 comm="kadmind" name="kadmin_0" dev="dm-0" ino=411321 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0 Hash: kadmind,kadmind_t,tmp_t,file,write
This is Fedora 21 Final blocker as it blocks FreeIPA server installation, Stephen is already in copy.
Proposed as a Blocker for 21-final by Fedora user sgallagh using the blocker tracking app because: Proposed criterion: https://lists.fedoraproject.org/pipermail/server/2014-November/001551.html From Alpha Criteria: "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode"
Could you confirm it happens also if you remove /tmp/kadmin_0 a re-test it with ipa-server-install?
Something created "kadmin_0" in /tmp with tmp_t. Have you ever run in permissive mode?
More likely it's kadmind's replay cache, which would be in /var/tmp, and would usually be labeled kadmind_tmp_t when it's created by kadmind.
removal of /var/tmp/kadmin_0 fixes the issue and FreeIPA is successfully installed. kadmin_0 is recreated with correct kadmind_tmp_t label. Seems that comment 4 is the source of the error. Therefore probably NOT A BUG. Cause of the mistake: * server was initially installed with old SELinux Policy. * installation was run in permissive mode * SELinux Policy was updated * installation was run in enforcing mode On new clear vm with updated policy and in enforcing mode the installation succeeds. Sorry for noise.
OK, closing as NOTABUG. I will reopen it if it reappears during testing. Thanks for the quick response, folks!
Of course I meant /vat/tmp//kadmin_0. Basically this was probably caused by a combination of these reasons.
I hit this issue on RHEL 6.6 also. It happened to me because I switched a system from selinux disabled to selinux enforcing. But I did invoke an autorelabel between those two states. It seems like a bug that /var/tmp/kadmin_0 can be left around and not relabeled by an autolabel. Could we get this reopened as such?
(In reply to Brian J. Murrell from comment #9) > I hit this issue on RHEL 6.6 also. It happened to me because I switched a > system from selinux disabled to selinux enforcing. But I did invoke an > autorelabel between those two states. > > It seems like a bug that /var/tmp/kadmin_0 can be left around and not > relabeled by an autolabel. > > Could we get this reopened as such? If so, please open a new RHEL6 bug.