Description of problem:
Installation fails in enforcing mode because ipa-server-install updates dse.ldif but with the wrong SELinux context.

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server
freeipa-server-4.6.0-2.fc27.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=ipa-lovely-name.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U

Actual results:
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [error] CalledProcessError: Command '/bin/systemctl start dirsrv' returned non-zero exit status 1.
ipapython.admintool: ERROR    Command '/bin/systemctl start dirsrv' returned non-zero exit status 1.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
Installation passes without any other problems.

Additional info:
sh# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(09/12/2017 03:58:23.484:320) : avc:  denied  { link } for  pid=15563 comm=ns-slapd name=dse.ldif dev="dm-0" ino=25973397 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

sh# find /etc/ -inum 25973397
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# matchpathcon /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif	system_u:object_r:dirsrv_config_t:s0
freeipa-server should update dse.ldif but it should not change SELinux context for that file.
What selinux-policy version do you have?
Note that this is very similar to bug 1483170, see comment 5 where rolekit_tmp_t is carried over to /etc/dirsrv/ too. The difference is only which method is used to deploy IPA server: you did it manually under user context while Adam used rolekit for that. In both cases it looks like an issue with 389-ds python installer which should be doing restorecon by itself.
(In reply to Alexander Bokovoy from comment #2)
> What selinux-policy version do you have?

It has nothing to do with selinux-policy; it is a bug in ipa-server-install. As you can see in the description of this bug, the 5th step updated dse.ldif and the 6th step tried to start 389-ds. But it failed because dse.ldif had the wrong SELinux context:

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
So I checked the actual code in dsinstance.py and it looks like we miss tasks.restore_context(dse_filename) after the shutil.copy2() call:

    def __update_dse_ldif(self):
        """
        This method updates dse.ldif right after instance creation. This is
        supposed to allow admin modify configuration of the DS which has to be
        done before IPA is fully installed (for example: settings for
        replication on replicas)
        DS must be turned off.
        """
        dse_filename = os.path.join(
            paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % self.serverid,
            'dse.ldif'
        )

        with tempfile.NamedTemporaryFile(
                mode='w', delete=False) as new_dse_ldif:
            temp_filename = new_dse_ldif.name
            with open(dse_filename, "r") as input_file:
                parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
                parser.replace_value(
                    'cn=config,cn=ldbm database,cn=plugins,cn=config',
                    'nsslapd-db-locks',
                    [b'50000']
                )
                if self.config_ldif:
                    # parse modifications from ldif file supplied by the admin
                    with open(self.config_ldif, "r") as config_ldif:
                        parser.modifications_from_ldif(config_ldif)
                parser.parse()
            new_dse_ldif.flush()
        # the temp file from /tmp is copied over dse.ldif here and no
        # tasks.restore_context(dse_filename) follows
        shutil.copy2(temp_filename, dse_filename)
        try:
            os.remove(temp_filename)
        except OSError as e:
            logger.debug("Failed to clean temporary file: %s", e)
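Added example, not FreeIPA's code and not the fix that went upstream: one way to rewrite a file like dse.ldif in place without the temp file's label ending up on it. The mechanism matters for the defence: shutil.copy2() calls shutil.copystat(), which on Linux copies extended attributes, and security.selinux is an extended attribute, so a temp file created under /tmp (user_tmp_t) hands its label to the destination. The example instead creates the temp file beside the target, swaps it in with an atomic rename, reapplies owner and mode, and then runs restorecon so the label is whatever policy says it should be (the lesson of matchpathcon above). The names update_config_file, replace_attribute, restore_context and run_demo are mine; replace_attribute is a toy line-based stand-in for installutils.ModifyLDIF.replace_value(); the sample dse.ldif is constructed; restorecon is assumed to be optional and is skipped on a host without it.

```python
"""Added example (not FreeIPA's own code): rewrite an LDIF config file
without carrying a temp-file SELinux label onto it."""
import os
import shutil
import subprocess
import tempfile

# Constructed excerpt in the shape of a dse.ldif (not a real one).
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-port: 389

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
nsslapd-db-locks: 10000
nsslapd-cache-autosize: 10
"""


def replace_attribute(ldif_text, dn, attr, value):
    """Toy stand-in for installutils.ModifyLDIF.replace_value(): set `attr`
    to `value` in the entry whose dn matches.  Line-based only; folded
    lines and base64 values are not handled."""
    out, in_entry, replaced = [], False, False
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            in_entry = line[4:].strip().lower() == dn.lower()
        elif line == "":
            in_entry = False            # a blank line ends an entry
        if in_entry and line.lower().startswith(attr.lower() + ":"):
            line = f"{attr}: {value}"
            replaced = True
        out.append(line)
    if not replaced:
        raise KeyError(f"{attr} not found in entry {dn}")
    return "\n".join(out) + "\n"


def restore_context(path):
    """Best-effort `restorecon path`.  Returns True only if the tool exists
    and exited 0; on a host without SELinux tooling this is a no-op."""
    tool = shutil.which("restorecon")
    if tool is None:
        return False
    return subprocess.run([tool, path], check=False).returncode == 0


def update_config_file(path, transform):
    """Replace `path` with transform(old_text), keeping owner, mode and label.

    The temp file is created beside the target, not in /tmp, and is swapped
    in with an atomic rename.  shutil.copy2() is deliberately avoided: it
    calls copystat(), which on Linux copies extended attributes, and
    security.selinux is one of them, so a /tmp-created file's user_tmp_t
    label would land on the config file.  restorecon afterwards re-applies
    whatever the policy says the path should have.
    """
    st = os.stat(path)
    with open(path) as f:
        new_text = transform(f.read())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                               prefix=".dse.ldif.")
    try:
        with os.fdopen(fd, "w") as tf:
            tf.write(new_text)
            tf.flush()
            os.fsync(tf.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)    # keep 0600
        os.chown(tmp, st.st_uid, st.st_gid)   # keep dirsrv:dirsrv (root in production)
        os.replace(tmp, path)                 # atomic swap, no half-written config
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return {"content": new_text, "restorecon_ran": restore_context(path)}


def run_demo():
    """Scratch run: a 0600 dse.ldif in a temp dir, bump nsslapd-db-locks to
    50000 as ipa-server-install does, and report what is left on disk."""
    workdir = tempfile.mkdtemp(prefix="dse-demo-")
    path = os.path.join(workdir, "dse.ldif")
    try:
        with open(path, "w") as f:
            f.write(SAMPLE_DSE_LDIF)
        os.chmod(path, 0o600)
        result = update_config_file(
            path,
            lambda text: replace_attribute(
                text, "cn=config,cn=ldbm database,cn=plugins,cn=config",
                "nsslapd-db-locks", "50000"))
        result["mode"] = os.stat(path).st_mode & 0o7777
        result["files"] = sorted(os.listdir(workdir))
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

On an SELinux host the check after running it is the same one the reporter used: `ls -lZ` on the file should show the type that `matchpathcon` reports for that path, and `ausearch -m avc` should stay quiet when the service starts.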
Patched version of ipa shows that it is a bug in freeipa:

2017-09-12T08:19:33Z DEBUG   [4/45]: stopping directory server
2017-09-12T08:19:33Z DEBUG Starting external process
2017-09-12T08:19:33Z DEBUG args=/bin/systemctl stop dirsrv
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 2 seconds
2017-09-12T08:19:35Z DEBUG   [5/45]: updating configuration in dse.ldif
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 67928 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 0 seconds
2017-09-12T08:19:35Z DEBUG   [6/45]: starting directory server
Added https://github.com/freeipa/freeipa/pull/1062 to fix this.
Proposing this as a Beta blocker. ab, can you please do a freeipa package build and submit an update for this? Thanks.
+1 Blocker
+1 blocker
That's +3 and this is a nice clear case, so marking AcceptedBlocker. For the record, the criterion is good old Alpha "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - 'domain controller' is a release-blocking role.
Upstream ticket: https://pagure.io/freeipa/issue/7150
Fixed upstream master: https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190
freeipa-4.6.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962
freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962
freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This is an accepted blocker, we still need to verify the fix.
openQA has verified the fix many times.