Description of problem:
During installation of FreeIPA server from master branch the following error is encountered:

    Configuring kadmin
      [1/2]: starting kadmin
      [2/2]: configuring kadmin to start on boot
    Done configuring kadmin.
    Configuring ipa_memcached
      [1/2]: starting ipa_memcached
      [2/2]: configuring ipa_memcached to start on boot
    Done configuring ipa_memcached.
    Configuring ipa-otpd
      [1/2]: starting ipa-otpd
      [error] CalledProcessError: Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
    ipa.ipapython.install.cli.install_tool(Server): ERROR    Command '/bin/systemctl restart ipa-otpd.socket' returned non-zero exit status 1
    ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

journalctl -u ipa-otpd.socket shows permission denied errors:

    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com systemd[1]: ipa-otpd.socket: Failed to listen on sockets: Permissi
    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com systemd[1]: Starting ipa-otpd socket.
    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com unlink[7523]: /usr/bin/unlink: cannot unlink '/var/run/krb5kdc/DEF
    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com systemd[1]: ipa-otpd.socket: Control process exited, code=exited s
    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com systemd[1]: Failed to listen on ipa-otpd socket.
    Oct 14 11:04:27 vm-150.idm.lab.eng.brq.redhat.com systemd[1]: ipa-otpd.socket: Unit entered failed state.
This can be traced to SELinux blocking the creation and binding to a socket for the otpd daemon, as can be seen from the following AVCs:

    time->Fri Oct 14 12:18:16 2016
    type=AVC msg=audit(1476440296.499:217615): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
    ----
    time->Fri Oct 14 12:18:16 2016
    type=AVC msg=audit(1476440296.499:217616): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
    ----
    time->Fri Oct 14 12:18:16 2016
    type=AVC msg=audit(1476440296.500:217617): avc: denied { listen } for pid=1 comm="systemd" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

Permissive mode fixes the issue.

This was probably caused by https://github.com/freeipa/freeipa/pull/127 which moved /usr/libexec/ipa-otpd to /usr/libexec/ipa/ipa-otpd. The selinux policy will have to be updated to reflect this change.

Version-Release number of selected component (if applicable):
FreeIPA master (HEAD at 16dad1c3cb09acee946bc5b2409447279a8bc0de)
selinux-policy-targeted-3.13.1-191.18.fc24.noarch

How reproducible:
Always in enforcing mode

Steps to Reproduce:
1. run ipa-server-install

Actual results:
Installation fails on restarting ipa-otpd.socket

Expected results:
Installation succeeds
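An added example, not part of this bug report or of FreeIPA, that triages AVC records of the kind quoted above the way one would before deciding whether a policy needs fixing. It reduces each denial to (permission, source type, target type, object class, mode) and de-duplicates, so a burst of records collapses to a handful of distinct tuples. The three records from this report are embedded as the sample input; the function names `avc_summary` and `sample_avcs` are ours. The pattern they yield, source `init_t` and target `unconfined_service_t` on a `unix_stream_socket`, is itself the clue: systemd labels a unit's socket with the type the service binary would run as, so a target of `unconfined_service_t` instead of an ipa-otpd type means the binary is labelled generically, which is exactly what matchpathcon confirms in a later comment.

```sh
#!/bin/sh
# Summarise SELinux AVC denials by (permission, source type, target type,
# class, mode). Input is audit text as printed by `ausearch -m avc`
# (one record per line); lines that are not AVC records are ignored.
# Added example; function names are ours.

avc_summary() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforcing"
        # the denied permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        # a record may list several permissions, e.g. "{ read write }"
        n = split(perm, perms, " ")
        for (j = 1; j <= n; j++) print perms[j], src, tgt, cls, mode
    }' "$@" | sort -u
}

# Sample input: the three records quoted in this report (constructed copy,
# including the "time->" and "----" separators ausearch emits).
sample_avcs() {
    cat <<'EOF'
time->Fri Oct 14 12:18:16 2016
type=AVC msg=audit(1476440296.499:217615): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Oct 14 12:18:16 2016
type=AVC msg=audit(1476440296.499:217616): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Oct 14 12:18:16 2016
type=AVC msg=audit(1476440296.500:217617): avc: denied { listen } for pid=1 comm="systemd" path="/run/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
EOF
}

# Run with "demo" to summarise the embedded sample; otherwise source the
# file and pipe real audit output into avc_summary.
if [ "${1:-}" = demo ]; then
    sample_avcs | avc_summary
fi
```

Each line of the summary reads `<perm> <source type> <target type> <class> <permissive|enforcing>`; on a host that was actually enforcing, the last column shows where the denial blocked the operation rather than merely being logged.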
FreeIPA master branch (4.5) will land probably in F26 (current rawhide).
sh$ matchpathcon /usr/libexec/ipa-otpd /usr/libexec/ipa/ipa-otpd
/usr/libexec/ipa-otpd	system_u:object_r:ipa_otpd_exec_t:s0
/usr/libexec/ipa/ipa-otpd	system_u:object_r:bin_t:s0

And the workaround is to run the following command before ipa-server-install:

sh# chcon system_u:object_r:ipa_otpd_exec_t:s0 /usr/libexec/ipa/ipa-otpd
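An added example, not part of this report or of FreeIPA, that turns the manual check-then-chcon above into a guarded pre-install step: read the label the file actually carries, compare only its type field with the type the daemon needs, and relabel only when they differ and only when explicitly asked. The path and the type `ipa_otpd_exec_t` come from this report; the function names are ours. Note the caveat this bug illustrates: `matchpathcon -V` compares the on-disk label with what the policy says, and here both agree on the wrong type (`bin_t`), so a policy-versus-disk check passes. The check therefore has to compare against the type the service requires, not against the installed policy.

```sh
#!/bin/sh
# Check that an executable carries the SELinux type its service needs and,
# when FIX=1 is set, relabel it with chcon. Added example; the path and
# expected type are those from the report, the function names are ours.

IPA_OTPD_BIN=/usr/libexec/ipa/ipa-otpd
IPA_OTPD_TYPE=ipa_otpd_exec_t

# Type field of a context: system_u:object_r:bin_t:s0 -> bin_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Decide what to do for a file with context $1 that should have type $2.
# Prints "ok", "relabel" or "unknown" (no SELinux label readable).
label_action() {
    case $(context_type "$1") in
        "$2")   echo ok ;;
        '?'|'') echo unknown ;;
        *)      echo relabel ;;
    esac
}

# On-disk context; stat prints "?" when the file has no SELinux label,
# and we map a missing file to "?" as well.
current_context() {
    stat -c %C "$1" 2>/dev/null || echo '?'
}

# Report the label state of $1 against type $2; with FIX=1 apply the
# temporary fix from this report (chcon). Returns 1 on mismatch, 2 if the
# label cannot be read, so a pre-install script can abort on either.
ensure_exec_type() {
    path=$1 want=$2
    ctx=$(current_context "$path")
    case $(label_action "$ctx" "$want") in
        ok)
            echo "$path: ok ($ctx)" ;;
        relabel)
            echo "$path: has $(context_type "$ctx"), expected $want"
            if [ "${FIX:-0}" = 1 ]; then
                chcon -t "$want" "$path"
            fi
            return 1 ;;
        *)
            echo "$path: cannot read SELinux context"
            return 2 ;;
    esac
}

# Usage: sh check-label.sh check      (report only)
#        FIX=1 sh check-label.sh check (relabel when needed)
if [ "${1:-}" = check ]; then
    ensure_exec_type "$IPA_OTPD_BIN" "$IPA_OTPD_TYPE"
fi
```

A chcon label does not survive a relabel of the filesystem, so once a selinux-policy build ships the correct file context for the new path, `restorecon -v /usr/libexec/ipa/ipa-otpd` reapplies the policy's label and this check should report ok without FIX=1.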
Can this be addressed for Fedora 25? Bugs like these force us to run all tests in permissive mode potentially missing other selinux issues. As for workarounds I'd like to avoid using these in the automated tests.
bump

Please address this issue soonish. It's affecting FreeIPA development again.
(In reply to Christian Heimes from comment #4)
> bump
>
> Please address this issue soonish. It's affecting FreeIPA development again.

This affects just freeipa GIT master, and if you change labels in fedora then it will affect all users of freeipa-4.4 which is the default in f25+. There is a workaround in comment 2 or in https://github.com/freeipa/freeipa/pull/414
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
fedora 27 has ipa >= 4.5 and it is fixed there

sh# matchpathcon /usr/libexec/ipa-otpd /usr/libexec/ipa/ipa-otpd
/usr/libexec/ipa-otpd	system_u:object_r:ipa_otpd_exec_t:s0
/usr/libexec/ipa/ipa-otpd	system_u:object_r:ipa_otpd_exec_t:s0
sh# rpm -q selinux-policy
selinux-policy-3.13.1-280.fc27.noarch