Description of problem:
When a user tries to install KRA on a replica, the ipa-kra-install command fails with the following error

[root@ipareplica01 ~]# ipa-kra-install
Directory Manager password:
===================================================================
This program will setup Dogtag KRA for the IPA Server.

Waiting up to 300 seconds to see our keys appear on host: vm-idm-027.testrelm.test
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: creating installation admin user
  [2/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpySKMRP' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

Version-Release number of selected component (if applicable):
# rpm -qa ipa-server pki-server gssproxy
gssproxy-0.7.0-3.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server with CA and KRA
2. Install Replica
3. Install CA on Replica
4. Install KRA on Replica

Actual results:
KRA installation fails with the above error

Expected results:
KRA installation should be successful.

Additional info:
Created attachment 1283627 [details] ipakra-install.log
[root@ipareplica01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

[root@ipareplica01 ~]# rpm -qa ipa-server pki-server gssproxy
gssproxy-0.7.0-3.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch

[root@ipareplica01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Hello, could you provide /var/log/pki/* logs? Are there any AVCs?
Felipe, when you were looking at installation tests, was installation of KRA affected by the OCSP checks, resp. did it start working when you disabled it?
Petr, the OCSP checks do not seem to affect the KRA installation AFAIK. The tests are failing for another reason: https://paste.fedoraproject.org/paste/FiY~bAwNxuaqR8KFBYiPXl5M1UNdIGYhyRLivL9gydE=
The test failure seems to be something different than this issue. There, ipa-kra-install thinks IPA is not installed.
So I was finally able to reproduce this, but only with SELinux enabled. Since the problem occurs during pkispawn, I am switching the component to pki-base.

Also, here are some AVCs that may possibly be related to the installation:

----
time->Tue Jun 6 11:36:29 2017
type=SYSCALL msg=audit(1496741789.084:20122): arch=c000003e syscall=59 success=yes exit=0 a0=1217380 a1=12166d0 a2=1215a60 a3=7ffcde6a8a20 items=0 ppid=2259 pid=2260 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741789.084:20122): avc: denied { execute_no_trans } for pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc: denied { read open } for pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc: denied { execute } for pid=2260 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Tue Jun 6 11:36:40 2017
type=SYSCALL msg=audit(1496741800.950:20124): arch=c000003e syscall=2 success=yes exit=137 a0=7f1544403cb0 a1=0 a2=1b6 a3=7f1608e49200 items=0 ppid=1 pid=2408 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-10.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741800.950:20124): avc: denied { open } for pid=2408 comm="java" path="/tmp/tmpNrczb3" dev="dm-0" ino=11624 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
time->Tue Jun 6 11:37:53 2017
type=SYSCALL msg=audit(1496741873.445:20127): arch=c000003e syscall=59 success=yes exit=0 a0=df3380 a1=df26d0 a2=df1a60 a3=7fff57b099c0 items=0 ppid=2686 pid=2687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741873.445:20127): avc: denied { execute_no_trans } for pid=2687 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741873.445:20127): avc: denied { read open } for pid=2687 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741873.445:20127): avc: denied { execute } for pid=2687 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Tue Jun 6 11:38:10 2017
type=SYSCALL msg=audit(1496741890.270:20134): arch=c000003e syscall=59 success=yes exit=0 a0=b74380 a1=b736d0 a2=b72a60 a3=7ffc0f5ab230 items=0 ppid=3252 pid=3253 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741890.270:20134): avc: denied { execute_no_trans } for pid=3253 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741890.270:20134): avc: denied { read open } for pid=3253 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741890.270:20134): avc: denied { execute } for pid=3253 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Would check if it is the same as bug 1436689, comment 104 - which was fixed in selinux-policy-3.13.1-159.el7.noarch
Still failing with the following AVC

# rpm -qa ipa-server pki-server selinux-policy
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch
selinux-policy-3.13.1-159.el7.noarch

# ausearch -m AVC
----
time->Tue Jun 6 07:32:55 2017
type=PROCTITLE msg=audit(1496748775.354:231): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1496748775.354:231): arch=c000003e syscall=2 success=no exit=-13 a0=7f70205d6780 a1=0 a2=1b6 a3=7f7025052200 items=0 ppid=1 pid=2555 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-9.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496748775.354:231): avc: denied { open } for pid=2555 comm="java" path="/tmp/tmpI3D1qI" dev="dm-0" ino=101905729 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
You may want to provide this info to the SELinux folks, as this may simply be an SELinux issue rather than a pki-core issue.
(In reply to Matthew Harmsen from comment #20)
> You may want to provide this info to the SELinux folks, as this may simply
> be an SELinux issue rather than a pki-core issue.

In today's PKI Bug Council, alee suggested confirming whether or not this is a selinux-policy issue by merely re-running the test with SELinux set to Permissive mode. If it no longer fails, it is almost certainly a selinux-policy issue, and this bug can be moved to that component.
(In reply to Matthew Harmsen from comment #21)
> (In reply to Matthew Harmsen from comment #20)
> > You may want to provide this info to the SELinux folks, as this may simply
> > be an SELinux issue rather than a pki-core issue.
>
> In today's PKI Bug Council, alee suggested confirming whether or not this is
> an selinux-policy issue by merely re-running the test by setting SELinux in
> Permissive mode. If it no longer fails, it is almost certainly a
> selinux-policy issue, and this bug can be moved to that component.

In Permissive mode, I am unable to install KRA on the replica due to the timeout issue which is described in #1449189
Abhijeet,

I see that the time-out issue in https://bugzilla.redhat.com/show_bug.cgi?id=1449189 has been corrected in build ipa-4.5.0-18.el7.

Using the latest selinux-policy available, https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=565393 - selinux-policy-3.13.1-162.el7, can you now confirm whether or not this bug is still an issue?

If it runs successfully under Enforcing mode, please close this bug.

If it fails when running under Enforcing mode, please retry it under Permissive mode, and if it passes, please capture the AVCs and re-assign this bug to selinux-policy.

If it fails under Permissive mode, please capture any AVCs (there may not be any) and attach PKI log files so that we can investigate.

Thanks,
-- Matt
(In reply to Matthew Harmsen from comment #23)
> Abhijeet,
>
> I see that the time-out issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=1449189 has been corrected in
> build ipa-4.5.0-18.el7.
>
> Using the latest selinux-policy available,
> https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=565393 -
> selinux-policy-3.13.1-162.el7, can you now confirm whether or not this bug
> is still an issue?
>
> If it runs successfully under Enforcing mode, please close this bug.
>
> If it fails when running under Enforcing mode, please retry it under
> Permissive mode, and if it passes, please capture the AVCs and re-assign
> this bug to selinux-policy.
>
> If it fails under Permissive mode, please capture any AVCs (there may not be
> any) and attach PKI log files so that we can investigate.
>
> Thanks,
> -- Matt

Hi Matt,

I am seeing an AVC while installing KRA on the Replica in Enforcing mode, but I am able to install KRA on the replica in Permissive mode.

# rpm -qa ipa-server selinux-policy
selinux-policy-3.13.1-162.el7.noarch
ipa-server-4.5.0-18.el7.x86_64

# ipa-kra-install
Directory Manager password:
===================================================================
This program will setup Dogtag KRA for the IPA Server.

Waiting up to 300 seconds to see our keys appear on host: bkr-hv03-guest23.testrelm.test
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: creating installation admin user
  [2/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpcNOZxA' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.
Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.
KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information

[root@mgmt3 ~]# vim /var/log/ipaserver-kra-install.log
[root@mgmt3 ~]# ausearch -m AVC
----
time->Mon Jun 19 03:09:23 2017
type=PROCTITLE msg=audit(1497856163.201:208): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1497856163.201:208): arch=c000003e syscall=2 success=no exit=-13 a0=7f66203ae660 a1=0 a2=1b6 a3=7f666d052200 items=0 ppid=1 pid=17492 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1497856163.201:208): avc: denied { open } for pid=17492 comm="java" path="/tmp/tmpCeWtzk" dev="dm-0" ino=1467293 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

# yum update selinux-policy -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No packages marked for update

I am re-assigning this issue to the selinux-policy component.
Guys, do you know when and how /tmp/tmpCeWtzk is created? It looks like something created during the install process, but I am not sure what the file is for.
It may possibly be the value of "pki_clone_pkcs12_path", then it would be created in IPA. However, due to the nature of tmp files, it could possibly be also anything created by pkispawn. We'd need pkispawn logs from the very installation where the file/directory is created to be sure.
The main issue here is that the tmpfile has no constant sub-string in its name (/tmp/tmpCeWtzk). The command #ipa-kra-install will run under a user domain (most likely as unconfined_t). The unconfined_t domain will create the tmpfile with the label user_tmp_t (as we see in the AVC from comment#25). As there is no constant sub-string in the tmpfile name, we need to allow the tomcat_t domain to read all user_tmp_t files.
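The mechanism described in the comment above (a file created by the unconfined user domain carries user_tmp_t, and the confined tomcat_t domain cannot open it) can be read straight out of the audit records quoted earlier in this thread. The following Python script is an added example for this page, not code from IPA, Dogtag or selinux-policy: it parses `ausearch -m AVC` output into records, pairs each AVC with the SYSCALL record of the same audit serial so that an enforced denial (success=no, exit=-13, i.e. EACCES) can be told apart from one that was merely logged because the source domain is permissive, decodes the hex-encoded proctitle field into argv, and renders the allow rule that audit2allow would propose for each denial. The sample records are copied from the AVCs in this thread, with the a0..a3 register dumps and the repeated uid/gid fields trimmed; the function and field-dictionary names are this example's own.

```python
"""Parse 'ausearch -m AVC' output and classify SELinux denials.

Added example for this bug thread; not part of IPA, Dogtag or selinux-policy.
SAMPLE is copied from the AVC records quoted in the thread (a0..a3 and the
repeated uid/gid fields trimmed for brevity).
"""
import re
from collections import defaultdict

SAMPLE = """\
----
time->Tue Jun  6 11:36:29 2017
type=SYSCALL msg=audit(1496741789.084:20122): arch=c000003e syscall=59 success=yes exit=0 ppid=2259 pid=2260 uid=17 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { execute_no_trans } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { read open } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { execute } for  pid=2260 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Tue Jun  6 11:36:40 2017
type=SYSCALL msg=audit(1496741800.950:20124): arch=c000003e syscall=2 success=yes exit=137 ppid=1 pid=2408 uid=17 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-10.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741800.950:20124): avc:  denied  { open } for  pid=2408 comm="java" path="/tmp/tmpNrczb3" dev="dm-0" ino=11624 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
time->Tue Jun  6 07:32:55 2017
type=PROCTITLE msg=audit(1496748775.354:231): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1496748775.354:231): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=2555 uid=17 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-9.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496748775.354:231): avc:  denied  { open } for  pid=2555 comm="java" path="/tmp/tmpI3D1qI" dev="dm-0" ino=101905729 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# key=value pairs: values are either double-quoted (may hold spaces) or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*)\}')


def parse_record(line):
    """Turn one 'type=... msg=audit(ts:serial): ...' line into a dict;
    '----' separators and 'time->' lines yield None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = {"timestamp": float(m.group(1)), "serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        if key != "msg":
            rec[key] = val.strip('"')
    perm = PERM_RE.search(line)
    if perm:
        rec["decision"] = perm.group(1)
        rec["perms"] = tuple(perm.group(2).split())
    return rec


def decode_proctitle(value):
    """proctitle is argv hex-encoded with NUL separators whenever the title
    holds special characters; otherwise ausearch prints a quoted string."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p]


def type_of(context):
    """'system_u:system_r:tomcat_t:s0' -> 'tomcat_t'"""
    return context.split(":")[2]


def find_denials(text):
    """Group records by audit serial and return one finding per denied AVC,
    annotated with whether the kernel actually refused the syscall."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            groups[rec["serial"]].append(rec)
    findings = []
    for serial in sorted(groups):
        recs = groups[serial]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        title = next((r for r in recs if r["type"] == "PROCTITLE"), None)
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("decision") != "denied":
                continue
            findings.append({
                "serial": serial,
                "source_type": type_of(avc["scontext"]),
                "target_type": type_of(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": avc["perms"],
                "path": avc.get("path", avc.get("name")),
                # success=no (exit=-13, EACCES) means the denial was enforced;
                # a denied AVC whose syscall still succeeded means the source
                # domain is permissive and the access was only logged
                "enforced": syscall.get("success") == "no",
                "exit": syscall.get("exit"),
                "argv": decode_proctitle(title["proctitle"]) if title else [],
            })
    return findings


def allow_rule(finding):
    """Render a finding as the TE allow rule audit2allow would propose."""
    return "allow %s %s:%s { %s };" % (
        finding["source_type"], finding["target_type"],
        finding["tclass"], " ".join(finding["perms"]))


if __name__ == "__main__":
    for f in find_denials(SAMPLE):
        mode = "ENFORCED" if f["enforced"] else "permissive/logged"
        print("serial %-6s %-18s %s -> %s (%s)  %s" % (
            f["serial"], mode, f["source_type"], f["target_type"],
            f["path"], allow_rule(f)))
        if f["argv"]:
            print("    proctitle:", " ".join(f["argv"]))
```

Run against the thread's records, only serial 231 is an enforced denial (tomcat_t opening a user_tmp_t file, exactly the case the comment above describes); the ldconfig denials in pki_tomcat_t paired with success=yes were logged but not enforced. The rendered rule, `allow tomcat_t user_tmp_t:file { open };`, is the narrow form of what the policy fix grants; the random tmpfile name is why a file-transition rule keyed on a name pattern was not an option and a type-wide read rule was chosen instead.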
Verified using IPA and SELinux-policy version ::
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch

Marking BZ as verified. See attachment for console.log.
Created attachment 1290516 [details] console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861