Bug 1211995 - IPA install fails with AVC denial message for pki-core component
Summary: IPA install fails with AVC denial message for pki-core component
Keywords:
Status: CLOSED DUPLICATE of bug 1212557
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pki-core
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
: ---
Assignee: Matthew Harmsen
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1175457
Blocks:
Reported: 2015-04-15 11:33 UTC by Kaleem
Modified: 2015-04-20 18:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-17 17:20:04 UTC
Target Upstream Version:
Embargoed:


Attachments
related log files (270.00 KB, application/x-tar), 2015-04-15 11:33 UTC, Kaleem

Description Kaleem 2015-04-15 11:33:27 UTC
Created attachment 1014687 (related log files)

Description of problem:

IPA Server install in the latest RHEL6.7 compose (RHEL-6.7-20150415.n.0) fails: CA instance creation is not successful, and there are AVC denial messages for the pki component in audit.log.

time->Wed Apr 15 19:13:19 2015
type=SYSCALL msg=audit(1429105399.793:52): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=5 a3=1 items=0 ppid=1 pid=2255 auid=0 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=1 comm="java" exe="/usr/bin/gij" subj=unconfined_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1429105399.793:52): avc:  denied  { execute } for  pid=2255 comm="java" path=2F746D702F666669364C4C59776B202864656C6574656429 dev=dm-0 ino=260105 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Version-Release number of selected component (if applicable):
[root@dhcp207-230 ~]# rpm -q ipa-server pki-ca tomcat6 selinux-policy
ipa-server-3.0.0-46.el6.x86_64
pki-ca-9.0.3-40.el6.noarch
tomcat6-6.0.24-88.el6.x86_64
selinux-policy-3.7.19-264.el6.noarch
[root@dhcp207-230 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install latest RHEL6.7 compose

Actual results:
IPA Server install fails

Expected results:
IPA Server install should be successful.

Additional info:
(1) Please find the attached tar file, which contains the log files (ipa-server-install.log, pki-ca-install.log and audit.log)

Comment 3 Ade Lee 2015-04-15 14:20:23 UTC
interesting --

A rule based on the above would look like this:

[root@alee-workpc ~]# audit2allow -R -i test.avc 

require {
	type tmp_t;
	type pki_ca_t;
	class file execute;
}

#============= pki_ca_t ==============
allow pki_ca_t tmp_t:file execute;

I wonder what's going on ...
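
The path in the AVC record from the description is hex-encoded (auditd does that when a value contains a space), so the denial is hard to read as printed. The following Python is an added example, not part of this bug report, that decodes the record and derives the same allow rule audit2allow printed above; the sample line is copied from the description, while the list of fields auditd may hex-encode is my own assumption about the audit format, not something the page states.

```python
import re

# AVC record copied from the bug report above (audit event 1429105399.793:52).
SAMPLE_AVC = (
    'type=AVC msg=audit(1429105399.793:52): avc:  denied  { execute } for  pid=2255 '
    'comm="java" path=2F746D702F666669364C4C59776B202864656C6574656429 dev=dm-0 '
    'ino=260105 scontext=unconfined_u:system_r:pki_ca_t:s0 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file'
)
# Assumption: auditd hex-encodes these string fields (unquoted, uppercase hex) when the
# value holds a space, a double quote or a control character; otherwise it quotes them.
HEX_FIELDS = {"path", "comm", "exe", "name", "cwd", "key", "proctitle"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")

def decode_audit_field(name, value):
    """Return the printable value of one key=value pair of an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_avc(line):
    """Extract what a policy author needs: verdict, permissions, types, class, object path."""
    fields = {k: decode_audit_field(k, v) for k, v in _KV.findall(line)}
    perms = _PERMS.search(line)
    return {
        "denied": " denied " in line,
        "perms": perms.group(1).split() if perms else [],
        "comm": fields.get("comm"),
        "path": fields.get("path"),  # "(deleted)" means the file was unlinked after open
        "stype": fields["scontext"].split(":")[2],  # source (process) type
        "ttype": fields["tcontext"].split(":")[2],  # target (object) type
        "tclass": fields["tclass"],
    }

def allow_rule(rec):
    """The TE rule audit2allow derives from the record (the one shown in comment 3)."""
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))

if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("%s (%s) %s %s on %s:%s %s" % (
        rec["comm"], rec["stype"], "denied" if rec["denied"] else "granted",
        " ".join(rec["perms"]), rec["ttype"], rec["tclass"], rec["path"]))
    # The rule would let the CA domain execute anything labelled tmp_t, which is why the
    # ticket's outcome (pin Dogtag to java-1.7.0-openjdk) beats shipping it.
    print("audit2allow would propose:", allow_rule(rec))
```

Run against the sample, it shows that the denied object is a deleted temporary file under /tmp, the kind of unlinked scratch file a JIT or FFI trampoline leaves behind, rather than anything the CA ships.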

Comment 4 Namita Soman 2015-04-16 19:04:55 UTC
Updating steps taken to troubleshoot so far:

Last clean install - rhel 0408 build with upgraded ipa-server-46

Saw failure - rhel 0415 build.
Some pkgs that are different between the two builds:
ipa-server-3.0.0-46.el6.x86_64
selinux-policy-3.7.19-265.el6.noarch
sssd-1.12.4-29.el6.x86_64
nss-3.18.0-1.el6.x86_64
nspr-4.10.8-1.el6.x86_64


ipaserver-install.log has:
<..snip..>
2015-04-15T15:20:44Z DEBUG   [3/21]: configuring certificate server instance
2015-04-15T15:20:44Z DEBUG args=/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname qe-blade-10.testrelm.test -cs_port 9445 -client_certdb_dir /tmp/tmp-ttXb3E -client_certdb_pwd XXXXXXXX -preop_pin 9oZTUFC2dPedL4cxWKqL -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password XXXXXXXX -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=TESTRELM.TEST -ldap_host qe-blade-10.testrelm.test -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password XXXXXXXX -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd XXXXXXXX -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_subsystem_cert_subject_name CN=CA Subsystem,O=TESTRELM.TEST -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=TESTRELM.TEST -ca_server_cert_subject_name CN=qe-blade-10.testrelm.test,O=TESTRELM.TEST -ca_audit_signing_cert_subject_name CN=CA Audit,O=TESTRELM.TEST -ca_sign_cert_subject_name CN=Certificate Authority,O=TESTRELM.TEST -external false -clone false
2015-04-15T15:20:44Z DEBUG stdout=libpath=/usr/lib64
#######################################################################
CRYPTO INIT WITH CERTDB:/tmp/tmp-ttXb3E
tokenpwdXXXXXXX
#############################################
Attempting to connect to: qe-blade-10.testrelm.test:9445
Exception in LoginPanel(): java.lang.NullPointerException
ERROR: ConfigureCA: LoginPanel() failure
ERROR: unable to create CA

#######################################################################

2015-04-15T15:20:44Z DEBUG stderr=Exception: Unable to Send Request:java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
   at gnu.java.net.PlainSocketImpl.connect(libgcj.so.10)
   at java.net.Socket.connect(libgcj.so.10)
   at java.net.Socket.connect(libgcj.so.10)
   at java.net.Socket.<init>(libgcj.so.10)
   at java.net.Socket.<init>(libgcj.so.10)
   at HTTPClient.sslConnect(HTTPClient.java:300)
   at ConfigureCA.LoginPanel(ConfigureCA.java:244)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
   at ConfigureCA.main(ConfigureCA.java:1672)
java.lang.NullPointerException
   at ConfigureCA.LoginPanel(ConfigureCA.java:245)
   at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1157)
   at ConfigureCA.main(ConfigureCA.java:1672)
<..snip..>

catalina.out has:
<..snip..>
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.users.MemoryUserDatabase open
WARNING: Exception configuring digester to permit java encoding names in XML files. Only IANA encoding names will be supported.
org.xml.sax.SAXNotSupportedException: http://apache.org/xml/features/allow-java-encodings
   at gnu.xml.stream.SAXParserFactory.setFeature(libgcj.so.10)
   at org.apache.tomcat.util.digester.Digester.setFeature(Digester.java:556)
   at org.apache.catalina.users.MemoryUserDatabase.open(MemoryUserDatabase.java:391)
   at org.apache.catalina.users.MemoryUserDatabaseFactory.getObjectInstance(MemoryUserDatabaseFactory.java:103)
   at org.apache.naming.factory.ResourceFactory.getObjectInstance(ResourceFactory.java:140)
   at javax.naming.spi.NamingManager.getObjectInstance(libgcj.so.10)
   at org.apache.naming.NamingContext.lookup(NamingContext.java:793)
   at org.apache.naming.NamingContext.lookup(NamingContext.java:140)
   at org.apache.naming.NamingContextBindingsEnumeration.nextElementInternal(NamingContextBindingsEnumeration.java:113)
   at org.apache.naming.NamingContextBindingsEnumeration.next(NamingContextBindingsEnumeration.java:71)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:137)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:109)
   at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:81)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:703)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
   at java.lang.reflect.Method.invoke(libgcj.so.10)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
Apr 16, 2015 1:05:12 a.m. org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ca
Apr 16, 2015 1:05:13 a.m. org.apache.catalina.startup.TldConfig lifecycleEvent
SEVERE: Error processing TLD files for context path /ca
java.lang.IllegalArgumentException: URI "file:./" is not hierarchical
   at java.io.File.<init>(libgcj.so.10)
   at org.apache.catalina.startup.TldConfig.getJarPaths(TldConfig.java:636)
   at org.apache.catalina.startup.TldConfig.execute(TldConfig.java:305)
   at org.apache.catalina.startup.TldConfig.lifecycleEvent(TldConfig.java:688)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4616)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
<..snip..>

Tried combinations:
Start at 0408 - upgraded selinux-policy - install was successful

Start at 0415 - install in permissive mode, then downgraded and upgraded individually - selinux-policy, ipa-server, nss, nspr
Also switched java alternative to openjdk. Did this because Nathan noticed something is installing gcj 1.5.0, and it's set as the default java
This got install further but gave new error:
in ipaserver-install.log:
<..snip..>
2015-04-16T18:26:08Z DEBUG stderr=[Fatal Error] :-1:-1: Premature end of file.
org.xml.sax.SAXParseException; Premature end of file.
        at org.apache.xerces.parsers.DOMParser.parse(DOMParser.java:239)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:283)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:121)
        at ParseXML.parse(ParseXML.java:258)
        at ConfigureCA.getStatus(ConfigureCA.java:205)
        at ConfigureCA.checkStatus(ConfigureCA.java:221)
        at ConfigureCA.checkStatus(ConfigureCA.java:216)
        at ConfigureCA.CertSubjectPanel(ConfigureCA.java:644)
        at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1242)
        at ConfigureCA.main(ConfigureCA.java:1672)
<..snip..>

Comment 6 Petr Vobornik 2015-04-17 15:09:11 UTC
The installation works if I use java-1.7.0-openjdk. Fails with java-1.8.0-openjdk, jre-1.5.0-gcj. 

Same case in bug 1212557 but there it failed with Oracle Java version "1.7.0_79".

Comment 7 Endi Sukma Dewata 2015-04-17 17:20:04 UTC
Dogtag 9 will be changed to use java-1.7.0-openjdk specifically:
* https://fedorahosted.org/pki/ticket/1350
* https://bugzilla.redhat.com/show_bug.cgi?id=1212557

This bug is probably identical to bug 1212557, but once we use java-1.7.0-openjdk the SELinux issues described in this ticket will no longer be relevant and therefore will not be fixed (at least for now).

Comment 8 Jenny Severance 2015-04-20 18:55:52 UTC

*** This bug has been marked as a duplicate of bug 1212557 ***

