Bug 1457106 - ipa-kra-install fails on replica
Summary: ipa-kra-install fails on replica
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Depends On:
Blocks: 1449189
Reported: 2017-05-31 07:06 UTC by Abhijeet Kasurde
Modified: 2017-08-01 15:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:26:23 UTC
Target Upstream Version:


Attachments
ipakra-install.log (19.34 KB, text/plain)
2017-05-31 07:09 UTC, Abhijeet Kasurde
console.log (22.25 KB, text/plain)
2017-06-22 06:44 UTC, Abhijeet Kasurde


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Abhijeet Kasurde 2017-05-31 07:06:52 UTC
Description of problem:
When a user tries to install KRA on a replica, the ipa-kra-install command fails with the following error:

[root@ipareplica01 ~]# ipa-kra-install
Directory Manager password:


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Waiting up to 300 seconds to see our keys appear on host: vm-idm-027.testrelm.test
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: creating installation admin user
  [2/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpySKMRP' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information


Version-Release number of selected component (if applicable):
# rpm -qa ipa-server pki-server gssproxy
gssproxy-0.7.0-3.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install IPA server with CA and KRA
2. Install Replica
3. Install CA on Replica
4. Install KRA on Replica

Actual results:
KRA installation fails with the above error.

Expected results:
KRA installation should be successful.

Additional info:

Comment 2 Abhijeet Kasurde 2017-05-31 07:09:12 UTC
Created attachment 1283627 [details]
ipakra-install.log

Comment 3 Abhijeet Kasurde 2017-05-31 07:11:10 UTC
[root@ipareplica01 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipareplica01 ~]# rpm -qa ipa-server pki-server gssproxy
gssproxy-0.7.0-3.el7.x86_64
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch
[root@ipareplica01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 4 Martin Bašti 2017-05-31 07:14:14 UTC
Hello,

could you provide /var/log/pki/* logs?

Are there any AVCs?

Comment 6 Petr Vobornik 2017-05-31 08:27:23 UTC
Felipe, when you were looking at installation tests, was installation of KRA affected by the OCSP checks, resp. did it start working when you disabled it?

Comment 9 fbarreto 2017-05-31 13:52:23 UTC
Petr, the OCSP checks seem not to affect the KRA installation AFAIK. The tests are failing for another reason: https://paste.fedoraproject.org/paste/FiY~bAwNxuaqR8KFBYiPXl5M1UNdIGYhyRLivL9gydE=

Comment 12 Petr Vobornik 2017-06-01 08:02:11 UTC
The test failure seems to be something different from this issue. There, ipa-kra-install thinks IPA is not installed.

Comment 16 Standa Laznicka 2017-06-06 09:44:57 UTC
So I was finally able to reproduce this, but only with SELinux enabled. Since the problem occurs during pkispawn, I am switching the component to pki-base.

Also, here are some AVCs that may possibly be related to the installation:

----
time->Tue Jun  6 11:36:29 2017
type=SYSCALL msg=audit(1496741789.084:20122): arch=c000003e syscall=59 success=yes exit=0 a0=1217380 a1=12166d0 a2=1215a60 a3=7ffcde6a8a20 items=0 ppid=2259 pid=2260 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { execute_no_trans } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { read open } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { execute } for  pid=2260 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Tue Jun  6 11:36:40 2017
type=SYSCALL msg=audit(1496741800.950:20124): arch=c000003e syscall=2 success=yes exit=137 a0=7f1544403cb0 a1=0 a2=1b6 a3=7f1608e49200 items=0 ppid=1 pid=2408 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-10.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741800.950:20124): avc:  denied  { open } for  pid=2408 comm="java" path="/tmp/tmpNrczb3" dev="dm-0" ino=11624 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
----
time->Tue Jun  6 11:37:53 2017
type=SYSCALL msg=audit(1496741873.445:20127): arch=c000003e syscall=59 success=yes exit=0 a0=df3380 a1=df26d0 a2=df1a60 a3=7fff57b099c0 items=0 ppid=2686 pid=2687 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741873.445:20127): avc:  denied  { execute_no_trans } for  pid=2687 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741873.445:20127): avc:  denied  { read open } for  pid=2687 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741873.445:20127): avc:  denied  { execute } for  pid=2687 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Tue Jun  6 11:38:10 2017
type=SYSCALL msg=audit(1496741890.270:20134): arch=c000003e syscall=59 success=yes exit=0 a0=b74380 a1=b736d0 a2=b72a60 a3=7ffc0f5ab230 items=0 ppid=3252 pid=3253 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1496741890.270:20134): avc:  denied  { execute_no_trans } for  pid=3253 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741890.270:20134): avc:  denied  { read open } for  pid=3253 comm="sh" path="/usr/sbin/ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741890.270:20134): avc:  denied  { execute } for  pid=3253 comm="sh" name="ldconfig" dev="dm-0" ino=16906334 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file

Comment 17 Petr Vobornik 2017-06-06 10:27:39 UTC
Would check if it is the same as bug 1436689, comment 104 - which was fixed in selinux-policy-3.13.1-159.el7.noarch

Comment 19 Abhijeet Kasurde 2017-06-06 12:50:26 UTC
Still failing with the following AVC:

# rpm -qa ipa-server pki-server selinux-policy
ipa-server-4.5.0-14.el7.x86_64
pki-server-10.4.1-7.el7.noarch
selinux-policy-3.13.1-159.el7.noarch

# ausearch -m AVC
----
time->Tue Jun  6 07:32:55 2017
type=PROCTITLE msg=audit(1496748775.354:231): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1496748775.354:231): arch=c000003e syscall=2 success=no exit=-13 a0=7f70205d6780 a1=0 a2=1b6 a3=7f7025052200 items=0 ppid=1 pid=2555 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-9.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1496748775.354:231): avc:  denied  { open } for  pid=2555 comm="java" path="/tmp/tmpI3D1qI" dev="dm-0" ino=101905729 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Comment 20 Matthew Harmsen 2017-06-07 17:47:57 UTC
You may want to provide this info to the SELinux folks, as this may simply be an SELinux issue rather than a pki-core issue.

Comment 21 Matthew Harmsen 2017-06-08 22:47:20 UTC
(In reply to Matthew Harmsen from comment #20)
> You may want to provide this info to the SELinux folks, as this may simply
> be an SELinux issue rather than a pki-core issue.

In today's PKI Bug Council, alee suggested confirming whether or not this is a selinux-policy issue by merely re-running the test by setting SELinux in Permissive mode.  If it no longer fails, it is almost certainly a selinux-policy issue, and this bug can be moved to that component.

Comment 22 Abhijeet Kasurde 2017-06-12 07:12:24 UTC
(In reply to Matthew Harmsen from comment #21)
> (In reply to Matthew Harmsen from comment #20)
> > You may want to provide this info to the SELinux folks, as this may simply
> > be an SELinux issue rather than a pki-core issue.
> 
> In today's PKI Bug Council, alee suggested confirming whether or not this is
> an selinux-policy issue by merely re-running the test by setting SELinux in
> Permissive mode.  If it no longer fails, it is almost certainly a
> selinux-policy issue, and this bug can be moved to that component.

In Permissive mode, I am unable to install KRA on replica due to timeout issue which is described in #1449189

Comment 23 Matthew Harmsen 2017-06-15 15:20:04 UTC
Abhijeet,

I see that the time-out issue in https://bugzilla.redhat.com/show_bug.cgi?id=1449189 has been corrected in build ipa-4.5.0-18.el7.

Using the latest selinux-policy available, https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=565393 - selinux-policy-3.13.1-162.el7, can you now confirm whether or not this bug is still an issue?

If it runs successfully under Enforcing mode, please close this bug.

If it fails when running under Enforcing mode, please retry it under Permissive mode, and if it passes, please capture the AVCs and re-assign this bug to selinux-policy.

If it fails under Permissive mode, please capture any AVCs (there may not be any) and attach PKI log files so that we can investigate.

Thanks,
-- Matt

Comment 25 Abhijeet Kasurde 2017-06-19 08:17:48 UTC
(In reply to Matthew Harmsen from comment #23)
> Abhijeet,
> 
> I see that the time-out issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=1449189 has been corrected in
> build ipa-4.5.0-18.el7.
> 
> Using the latest selinux-policy available,
> https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=565393 -
> selinux-policy-3.13.1-162.el7, can you now confirm whether or not this bug
> is still an issue?
> 
> If it runs successfully under Enforcing mode, please close this bug.
> 
> If it fails when running under Enforcing mode, please retry it under
> Permissive mode, and if it passes, please capture the AVCs and re-assign
> this bug to selinux-policy.
> 
> If it fails under Permissive mode, please capture any AVCs (there may not be
> any) and attach PKI log files so that we can investigate.
> 
> Thanks,
> -- Matt

Hi Matt,

I am seeing AVC while installing KRA on Replica in Enforcing mode, but able to install KRA on replica in Permissive mode.

# rpm -qa ipa-server selinux-policy
selinux-policy-3.13.1-162.el7.noarch
ipa-server-4.5.0-18.el7.x86_64
# ipa-kra-install 
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Waiting up to 300 seconds to see our keys appear on host: bkr-hv03-guest23.testrelm.test
Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes
  [1/9]: creating installation admin user
  [2/9]: configuring KRA instance
Failed to configure KRA instance: Command '/usr/sbin/pkispawn -s KRA -f /tmp/tmpcNOZxA' returned non-zero exit status 1
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: KRA configuration failed.

Your system may be partly configured.
If you run into issues, you may have to re-install IPA on this server.

KRA configuration failed.
The ipa-kra-install command failed. See /var/log/ipaserver-kra-install.log for more information
[root@mgmt3 ~]# vim /var/log/ipaserver-kra-install.log
[root@mgmt3 ~]# ausearch -m AVC
----
time->Mon Jun 19 03:09:23 2017
type=PROCTITLE msg=audit(1497856163.201:208): proctitle=2F7573722F6C69622F6A766D2F6A72652D312E382E302D6F70656E6A646B2F62696E2F6A617661002D4452455354454153595F4C49423D2F7573722F73686172652F6A6176612F72657374656173792D62617365002D446A6176612E6C6962726172792E706174683D2F7573722F6C696236342F6E757877646F672D6A6E69
type=SYSCALL msg=audit(1497856163.201:208): arch=c000003e syscall=2 success=no exit=-13 a0=7f66203ae660 a1=0 a2=1b6 a3=7f666d052200 items=0 ppid=1 pid=17492 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1497856163.201:208): avc:  denied  { open } for  pid=17492 comm="java" path="/tmp/tmpCeWtzk" dev="dm-0" ino=1467293 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
# yum update selinux-policy -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
No packages marked for update

I am re-assigning this issue to the selinux-policy component.

Comment 26 Miroslav Grepl 2017-06-19 13:11:31 UTC
Guys,
do you know when and how /tmp/tmpCeWtzk is created? It looks like something is created during the install process, but I'm not sure what the file is for.

Comment 28 Standa Laznicka 2017-06-19 13:47:45 UTC
It may possibly be the value of "pki_clone_pkcs12_path"; then it would be created in IPA.
However, due to the nature of tmp files, it could also be anything created by pkispawn. We'd need pkispawn logs from the very installation where the file/directory is created to be sure.

Comment 29 Lukas Vrabec 2017-06-19 15:20:43 UTC
The main issue here is that the tmpfile has no constant sub-string in its name (/tmp/tmpCeWtzk).

The command ipa-kra-install will run under a user domain (most likely as unconfined_t). The unconfined_t domain will create the tmpfile with label user_tmp_t (as we see in the AVC from comment #25). As there is no constant sub-string in the tmpfile name, we need to allow the tomcat_t domain to read all user_tmp_t files.
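
Comments 16, 19 and 25 paste raw ausearch records and comment 29 draws the policy conclusion from them. The Python below is an added example, not code from this bug, from IPA or from selinux-policy: it parses such records, uses the SYSCALL record with the same audit id to tell a real enforcing-mode denial (success=no) from one that was only logged (success=yes), and merges the denials into the audit2allow-style allow rule the fix needed. The sample records are trimmed copies of the ones above.

```python
import re
from collections import defaultdict

# Constructed sample: ausearch -m AVC output, trimmed copies of records pasted in
# comments 16 and 25 of this bug (long SYSCALL fields dropped, contents unchanged).
SAMPLE = """\
----
time->Tue Jun  6 11:36:29 2017
type=SYSCALL msg=audit(1496741789.084:20122): arch=c000003e syscall=59 success=yes exit=0 pid=2260 comm="ldconfig" subj=system_u:system_r:pki_tomcat_t:s0
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { execute_no_trans } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1496741789.084:20122): avc:  denied  { read open } for  pid=2260 comm="sh" path="/usr/sbin/ldconfig" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
time->Mon Jun 19 03:09:23 2017
type=SYSCALL msg=audit(1497856163.201:208): arch=c000003e syscall=2 success=no exit=-13 pid=17492 comm="java" subj=system_u:system_r:tomcat_t:s0
type=AVC msg=audit(1497856163.201:208): avc:  denied  { open } for  pid=17492 comm="java" path="/tmp/tmpCeWtzk" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.* success=(?P<success>yes|no) ')
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+ '
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+ tclass=(?P<tclass>\w+)')
PATH_RE = re.compile(r'(?:path|name)="([^"]+)"')

def parse_ausearch(text):
    """One dict per AVC line. The SYSCALL record with the same audit id says whether
    the kernel refused the call (success=no, exit=-13 is EACCES: enforcing) or only
    logged the denial (success=yes: permissive mode or a permissive domain)."""
    syscall_ok, records = {}, []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscall_ok[m['id']] = m['success'] == 'yes'
            continue
        m = AVC_RE.search(line)
        if m:
            p = PATH_RE.search(line)
            records.append({'id': m['id'], 'perms': set(m['perms'].split()),
                            'stype': m['stype'], 'ttype': m['ttype'], 'tclass': m['tclass'],
                            'path': p.group(1) if p else None})
    for r in records:  # blocked is None when no SYSCALL record was captured for the id
        ok = syscall_ok.get(r['id'])
        r['blocked'] = None if ok is None else not ok
    return records

def allow_rules(records):
    """Merge denials per (source type, target type, class) into audit2allow-style
    rules; this is the shape of the access comment 29 says tomcat_t needed."""
    merged = defaultdict(set)
    for r in records:
        merged[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in merged.items())
```

The comment 16 records come out with blocked=False (logged but not refused), the comment 25 record with blocked=True, which is the enforcing-vs-permissive difference the reporter observed.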

Comment 31 Abhijeet Kasurde 2017-06-22 06:42:48 UTC
Verified using IPA and selinux-policy versions:
ipa-server-4.5.0-19.el7.x86_64
selinux-policy-3.13.1-164.el7.noarch


Marking BZ as verified. See attachment for console.log.

Comment 32 Abhijeet Kasurde 2017-06-22 06:44:18 UTC
Created attachment 1290516 [details]
console.log

Comment 33 errata-xmlrpc 2017-08-01 15:26:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

