Bug 1490762 - [Modular Server] Ipa-server-install update dse.ldif with wrong SELinux context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Depends On:
Blocks: F27BetaBlocker
Reported: 2017-09-12 08:01 UTC by Lukas Slebodnik
Modified: 2017-10-16 22:22 UTC

Fixed In Version: freeipa-4.6.0-3.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-16 22:22:04 UTC



Description Lukas Slebodnik 2017-09-12 08:01:36 UTC
Description of problem:
Installation fails in enforcing mode because ipa-server-install updates dse.ldif, but with the wrong SELinux context.

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server
freeipa-server-4.6.0-2.fc27.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=ipa-lovely-name.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U


Actual results:
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [error] CalledProcessError: Command '/bin/systemctl start dirsrv@TESTRELM-TEST.service' returned non-zero exit status 1.
ipapython.admintool: ERROR    Command '/bin/systemctl start dirsrv@TESTRELM-TEST.service' returned non-zero exit status 1.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
Installation passes without any other problems.

Additional info:

sh# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(09/12/2017 03:58:23.484:320) : avc:  denied  { link } for  pid=15563 comm=ns-slapd name=dse.ldif dev="dm-0" ino=25973397 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 

sh# find /etc/ -inum 25973397
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# matchpathcon /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif        system_u:object_r:dirsrv_config_t:s0

Comment 1 Lukas Slebodnik 2017-09-12 08:02:57 UTC
freeipa-server should update dse.ldif but it should not change SELinux context for that file.

Comment 2 Alexander Bokovoy 2017-09-12 08:05:48 UTC
What selinux-policy version do you have?

Comment 3 Alexander Bokovoy 2017-09-12 08:08:04 UTC
Note that this is very similar to bug 1483170, see comment 5 where rolekit_tmp_t is carried over to /etc/dirsrv/ too. The difference is only which method is used to deploy IPA server: you did it manually under user context while Adam used rolekit for that.

In both cases it looks like an issue with 389-ds python installer which should be doing restorecon by itself.

Comment 4 Lukas Slebodnik 2017-09-12 08:11:34 UTC
(In reply to Alexander Bokovoy from comment #2)
> What selinux-policy version do you have?

It has nothing to do with selinux-policy it is a bug in ipa-server-install.
As you can see in the description of this bug, the 5th step updated dse.ldif and the 6th step tried to start 389-ds. But it failed because dse.ldif had the wrong SELinux context:

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

Comment 5 Alexander Bokovoy 2017-09-12 08:18:53 UTC
So I checked the actual code in dsinstance.py and it looks like we miss tasks.restore_context(dse_filename) after the shutil.copy2() call:

    def __update_dse_ldif(self):
        """
        This method updates dse.ldif right after instance creation. This is
        supposed to allow admin modify configuration of the DS which has to be
        done before IPA is fully installed (for example: settings for
        replication on replicas)
        DS must be turned off.
        """
        dse_filename = os.path.join(
            paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % self.serverid,
            'dse.ldif'
        )

        with tempfile.NamedTemporaryFile(
                mode='w', delete=False) as new_dse_ldif:
            temp_filename = new_dse_ldif.name
            with open(dse_filename, "r") as input_file:
                parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
                parser.replace_value(
                        'cn=config,cn=ldbm database,cn=plugins,cn=config',
                        'nsslapd-db-locks',
                        [b'50000']
                        )
                if self.config_ldif:
                    # parse modifications from ldif file supplied by the admin
                    with open(self.config_ldif, "r") as config_ldif:
                        parser.modifications_from_ldif(config_ldif)
                parser.parse()
            new_dse_ldif.flush()
        shutil.copy2(temp_filename, dse_filename)
        try:
            os.remove(temp_filename)
        except OSError as e:
            logger.debug("Failed to clean temporary file: %s", e)

Comment 6 Lukas Slebodnik 2017-09-12 08:21:03 UTC
A patched version of ipa shows that it is a bug in freeipa:

2017-09-12T08:19:33Z DEBUG   [4/45]: stopping directory server
2017-09-12T08:19:33Z DEBUG Starting external process
2017-09-12T08:19:33Z DEBUG args=/bin/systemctl stop dirsrv@TESTRELM-TEST.service
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG   duration: 2 seconds
2017-09-12T08:19:35Z DEBUG   [5/45]: updating configuration in dse.ldif
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 67928 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG   duration: 0 seconds
2017-09-12T08:19:35Z DEBUG   [6/45]: starting directory server
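
Added example, not FreeIPA's code and not part of this bug report. The pattern in comment 5 writes the new dse.ldif with NamedTemporaryFile() in the system temp directory, where a process run from an unconfined user session creates it as user_tmp_t, and then shutil.copy2() copies the extended attributes, security.selinux included, onto /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif; that is the relabel the two ls -lZ lines in comment 6 show, and ns-slapd (dirsrv_t) is then denied access to the file. The function below rewrites a config file the way an installer should: the temporary file is created next to the target (so it inherits the directory's type rather than user_tmp_t), owner and mode are preserved, the swap is atomic, and restorecon(8) is run afterwards, which is what FreeIPA's fix does through tasks.restore_context(). set_db_locks() is a hypothetical stand-in for installutils.ModifyLDIF, the LDIF in SAMPLE_LDIF is constructed, and restore_context() simply returns False on hosts without restorecon.

```python
"""Rewrite a config file in place without losing its SELinux label.

Added example; not FreeIPA's code. Assumptions: set_db_locks() stands in
for installutils.ModifyLDIF, SAMPLE_LDIF is a constructed dse.ldif fragment,
and restorecon(8) may be absent (non-SELinux host), in which case the
relabel step is skipped.
"""
import os
import shutil
import stat
import subprocess
import tempfile
from typing import Callable, Dict, Optional


def selinux_label(path: str) -> Optional[str]:
    """Return the security.selinux label of path, or None when the kernel
    or filesystem does not expose one (SELinux disabled, non-Linux, ...)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\x00").decode()


def restore_context(path: str) -> bool:
    """Relabel path to its policy default (what matchpathcon prints).
    Returns False when restorecon is not installed or reports failure."""
    tool = shutil.which("restorecon")
    if tool is None:
        return False
    return subprocess.run([tool, path], check=False).returncode == 0


def rewrite_in_place(path: str, transform: Callable[[str], str]) -> str:
    """Atomically replace path with transform(contents), keeping the
    original owner, mode and SELinux context. Returns the final label."""
    st = os.stat(path)
    with open(path, "r", encoding="utf-8") as src:
        new_text = transform(src.read())
    # Create the temp file in the target's own directory, not in /tmp: it
    # inherits that directory's SELinux type (dirsrv_config_t for
    # /etc/dirsrv/slapd-*) instead of user_tmp_t, and os.replace() stays
    # atomic because both names live on the same filesystem.
    fd, tmp = tempfile.mkstemp(prefix=".dse.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as dst:
            dst.write(new_text)
            dst.flush()
            os.fsync(dst.fileno())
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        try:
            os.chown(tmp, st.st_uid, st.st_gid)  # needs root to give away
        except PermissionError:
            pass
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    # Belt and braces: even if the temp file carried a wrong label, put the
    # policy default back before the daemon is started again.
    restore_context(path)
    return selinux_label(path) or "(no SELinux label)"


def set_db_locks(ldif: str, value: str = "50000") -> str:
    """Hypothetical stand-in for ModifyLDIF.replace_value(): set
    nsslapd-db-locks on the ldbm config entry, replacing any existing value."""
    target = "dn: cn=config,cn=ldbm database,cn=plugins,cn=config"
    chunks = []
    for entry in ldif.strip().split("\n\n"):
        lines = entry.splitlines()
        if lines and lines[0] == target:
            lines = [l for l in lines if not l.startswith("nsslapd-db-locks:")]
            lines.append(f"nsslapd-db-locks: {value}")
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"


# Constructed sample, not a real dse.ldif.
SAMPLE_LDIF = (
    "dn: cn=config\n"
    "cn: config\n"
    "\n"
    "dn: cn=config,cn=ldbm database,cn=plugins,cn=config\n"
    "cn: config\n"
    "nsslapd-db-locks: 10000\n"
)


def demo() -> Dict[str, object]:
    """Run the rewrite against SAMPLE_LDIF in a scratch directory and
    return what an installer should verify afterwards."""
    workdir = tempfile.mkdtemp(prefix="dse-demo-")
    path = os.path.join(workdir, "dse.ldif")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_LDIF)
    os.chmod(path, 0o600)  # dse.ldif is 0600 in the ls -lZ output above
    label = rewrite_in_place(path, set_db_locks)
    with open(path, encoding="utf-8") as f:
        text = f.read()
    result = {
        "text": text,
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "label": label,
        "leftovers": [n for n in os.listdir(workdir) if n.startswith(".dse.")],
    }
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

On an SELinux host the returned label should match what `matchpathcon` prints for the path (system_u:object_r:dirsrv_config_t:s0 for the file in this bug); the check in comment 6, `ls -lZ` before and after the update, is the quickest way to confirm an installer does not regress this.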

Comment 7 Alexander Bokovoy 2017-09-12 08:24:44 UTC
Added https://github.com/freeipa/freeipa/pull/1062 to fix this.

Comment 8 Adam Williamson 2017-09-12 22:03:49 UTC
Proposing this as a Beta blocker. ab, can you please do a freeipa package build and submit an update for this? Thanks.

Comment 9 Dennis Gilmore 2017-09-12 22:06:49 UTC
+1 Blocker

Comment 10 Kevin Fenzi 2017-09-12 22:07:04 UTC
+1 blocker

Comment 11 Stephen Gallagher 2017-09-12 22:12:07 UTC
+1 blocker

Comment 12 Adam Williamson 2017-09-12 22:12:33 UTC
That's +3 and this is a nice clear case, so marking AcceptedBlocker. For the record, the criterion is good old Alpha "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - 'domain controller' is a release-blocking role.

Comment 13 Standa Laznicka 2017-09-13 12:14:08 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7150

Comment 14 Standa Laznicka 2017-09-13 14:54:48 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190

Comment 15 Fedora Update System 2017-09-13 20:35:35 UTC
freeipa-4.6.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

Comment 16 Fedora Update System 2017-09-14 18:22:01 UTC
freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

Comment 17 Fedora Update System 2017-09-20 15:25:43 UTC
freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Kamil Páral 2017-09-20 15:33:17 UTC
This is an accepted blocker, we still need to verify the fix.

Comment 19 Adam Williamson 2017-10-16 22:22:04 UTC
openQA has verified the fix many times.