Bug 1359237 - AVC on dirsrv config caused by IPA installer
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-07-22 14:57 UTC by Martin Babinsky
Modified: 2016-11-04 05:58 UTC
Last Closed: 2016-11-04 05:58:57 UTC


Attachments
console output with verification steps (10.58 KB, text/plain)
2016-09-09 14:34 UTC, Kaleem


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Babinsky 2016-07-22 14:57:18 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6111

The IPA installer does not call 'restorecon' on '/etc/sysconfig/dirsrv', which causes an AVC, and the installation fails.

{{{
Jul 21 16:12:35 master.ipa.test audit[1]: AVC avc:  denied  { open } for  pid=1 comm="systemd" path="/etc/sysconfig/dirsrv" dev="vda1" ino=665018 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object
Jul 21 16:12:35 master.ipa.test systemd[1]: dirsrv@IPA-TEST.service: Failed to load environment files: Permission denied
Jul 21 16:12:35 master.ipa.test systemd[1]: dirsrv@IPA-TEST.service: Failed to run 'start' task: Permission denied
Jul 21 16:12:35 master.ipa.test systemd[1]: Failed to start 389 Directory Server IPA-TEST..
}}}

Packages:
selinux-policy-3.13.1-191.5.fc24.noarch
systemd-229-8.fc24.x86_64

Reproducible on F24
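
An added example, not part of the original report or of FreeIPA's code: a small Python parser that pulls the denied path and the source and target SELinux types out of the journal lines quoted above, then prints a dry-run `restorecon` command for each path denied to `init_t`. The function names are hypothetical, and the first sample line is kept truncated exactly as it appears in the report, so its target type is reported as unknown.

```python
import re

# Log lines copied from the bug description. The first one is cut off on the
# page after "tcontext=unconfined_u:object" and is deliberately left that way.
SAMPLE_LOG = """\
Jul 21 16:12:35 master.ipa.test audit[1]: AVC avc:  denied  { open } for  pid=1 comm="systemd" path="/etc/sysconfig/dirsrv" dev="vda1" ino=665018 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object
Jul 21 16:12:35 master.ipa.test systemd[1]: dirsrv@IPA-TEST.service: Failed to load environment files: Permission denied
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    record = {"perms": m.group("perms").split(), **fields}
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        # A context is user:role:type[:level]; a truncated one has < 3 parts.
        record[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return record


def relabel_candidates(log_text, source_type="init_t"):
    """Unique paths that a process running as source_type was denied."""
    paths = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["scontext_type"] == source_type and "path" in rec:
            if rec["path"] not in paths:
                paths.append(rec["path"])
    return paths


if __name__ == "__main__":
    for path in relabel_candidates(SAMPLE_LOG):
        # -n is a dry run and -v shows the label change; drop -n to apply it.
        print(f"restorecon -n -v {path}")
```
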

Comment 2 Martin Bašti 2016-07-22 15:00:31 UTC
Steps to reproduce:
1. # setenforce 1
2. # ipa-server-install
3. installation will fail on restarting dirsrv


I was able to reproduce this locally on my local VM, but I haven't been able to reproduce this in the lab.

But anyway, we should play it safe and prevent possible future AVCs.

Comment 4 Kaleem 2016-09-09 14:33:10 UTC
Verified. 

IPA Version:
============
[root@dhcp207-129 ~]# rpm -q ipa-server
ipa-server-4.4.0-10.el7.x86_64
[root@dhcp207-129 ~]# 

Please find the attached console output.

Comment 6 Kaleem 2016-09-09 14:34 UTC
Created attachment 1199493 [details]
console output with verification steps

Comment 8 errata-xmlrpc 2016-11-04 05:58:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html