Description of problem:
When installing freeipa-server:master-nightly container (https://github.com/freeipa/freeipa-container/blob/master/Dockerfile.fedora-25-master-nightly) on Fedora 25 host, the installation fails during GssProxy service configuration:

'''
Configuring the web interface (httpd)
  [1/22]: stopping httpd
  [2/22]: setting mod_nss port to 443
  [3/22]: setting mod_nss cipher suite
  [4/22]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [5/22]: setting mod_nss password file
  [6/22]: enabling mod_nss renegotiate
  [7/22]: adding URL rewriting rules
  [8/22]: configuring httpd
  [9/22]: setting up httpd keytab
  [10/22]: retrieving anonymous keytab
  [11/22]: configuring Gssproxy
  [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
FreeIPA server configuration failed.
'''

When checking AVCs, I can see that the GSSProxy daemon is denied setting the 'use-gss-proxy' option in the kernel to enable the GSSAPI interposer plugin:

'''
---
time->Thu Apr 20 07:57:07 2017
type=AVC msg=audit(1492675027.545:3595): avc: denied { write } for pid=2778 comm="gssproxy" name="use-gss-proxy" dev="proc" ino=4026532871 scontext=system_u:system_r:container_t:s0:c135,c478 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0
'''

Indeed, when I set SELinux to permissive I can deploy the container without problems.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. build a container from https://github.com/freeipa/freeipa-container/blob/master/Dockerfile.fedora-25-master-nightly
2. try to install the container, e.g. by using 'atomic install'

Actual results:
The installation crashes due to the AVC reported above

Expected results:
Installation finishes successfully

Additional info:
Upstream issue: https://github.com/freeipa/freeipa-container/issues/128
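Triage helper for the AVC quoted in the description, added here as an example and not part of the reporter's post or of the freeipa-container project: it parses the audit record into its fields and classifies whether the gssproxy write to the sysctl_rpc_t file is an enforced denial (permissive=0, the restart fails) or only audited (permissive=1, which matches the reporter's observation that permissive mode lets the deployment succeed). The sample line is the record from the report, re-typed here as constructed test input.

```python
import re

# Audit record quoted in the bug description, re-typed here as constructed test
# input (the double spaces ausearch prints around "denied" are collapsed).
SAMPLE_AVC = (
    'type=AVC msg=audit(1492675027.545:3595): avc: denied { write } for '
    'pid=2778 comm="gssproxy" name="use-gss-proxy" dev="proc" ino=4026532871 '
    'scontext=system_u:system_r:container_t:s0:c135,c478 '
    'tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file permissive=0'
)

# "avc: denied { perm ... } for key=value ..."; values may be double-quoted.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split 'user:role:type:level'; the MCS level itself may contain ':'."""
    user, role, stype, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': stype, 'level': level}

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': set(m.group('perms').split())}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    rec['scontext'] = parse_context(rec['scontext'])
    rec['tcontext'] = parse_context(rec['tcontext'])
    rec['permissive'] = rec.get('permissive') == '1'
    return rec

def triage(line):
    """Classify a record against the failure pattern in the report: a container_t
    process denied 'write' on a sysctl_rpc_t file (the proc entry gssproxy writes
    to enable the kernel GSS-proxy interposer).
      'blocking'     -> enforced denial, 'systemctl restart gssproxy' will fail
      'audited-only' -> same denial logged with permissive=1, the write succeeded
      'unrelated'    -> anything else"""
    rec = parse_avc(line)
    if (rec is None or rec['result'] != 'denied' or 'write' not in rec['perms']
            or rec.get('tclass') != 'file'
            or rec['scontext']['type'] != 'container_t'
            or rec['tcontext']['type'] != 'sysctl_rpc_t'):
        return 'unrelated'
    return 'audited-only' if rec['permissive'] else 'blocking'
```

Feed it the output of `ausearch -m AVC` line by line to spot the enforced case before trying the installer again.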
Do we know if this sysctl is namespaced? I can turn it on in SELinux, but I'm not sure if it will work the way you expect.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I assume we haven't seen this issue for a while. Do we know where change in behaviour (or change in tests) came from?
Unfortunately, I have no idea when this happened. I don't see any marked workarounds for this in our tests/container repo, not sure if it's safe to assume it's not there but I should hope it's not, then, in which case the change most probably comes from SELinux.