Description of problem:
SSIA

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server pki-ca tomcat nss
freeipa-server-4.8.0-2.fc31.x86_64
pki-ca-10.7.0-2.fc31.noarch
tomcat-9.0.21-2.fc31.noarch
nss-3.44.1-2.fc31.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=kvm-01-guest05.testrelm.test -r TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123

Actual results:
//snip
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/30]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmp1utityua'] returned non-zero exit status 1: '')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
freeIPA server installed without any problem.
The directory /var/lib/pki/pki-tomcat/ was created with the wrong SELinux context, therefore all subdirectories had the wrong SELinux file context as well, which caused a bunch of AVCs. But the installation failed even in permissive mode.
Most of the logs are empty.

sh# ls -lR /var/log/pki/
/var/log/pki/:
total 100
-rw-rw-r--. 1 root root 97074 Jul 31 20:47 pki-ca-spawn.20190731204752.log
-rw-r--r--. 1 root root 1137 Jul 31 20:44 pki-server-upgrade-10.7.0.log
drwxrwx---. 3 pkiuser pkiuser 187 Jul 31 20:47 pki-tomcat

/var/log/pki/pki-tomcat:
total 4
drwxrwx---. 4 pkiuser pkiuser 40 Jul 31 20:47 ca
-rw-r--r--. 1 pkiuser pkiuser 0 Jul 31 20:47 catalina.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser 0 Jul 31 20:47 host-manager.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser 0 Jul 31 20:47 localhost.2019-07-31.log
-rw-r--r--. 1 pkiuser pkiuser 196 Jul 31 20:48 localhost_access_log.2019-07-31.txt
-rw-r--r--. 1 pkiuser pkiuser 0 Jul 31 20:47 manager.2019-07-31.log

/var/log/pki/pki-tomcat/ca:
total 0
drwxrwx---. 2 pkiuser pkiuser 6 Jul 31 20:47 archive
drwxrwx---. 2 pkiuser pkiuser 6 Jul 31 20:47 signedAudit

/var/log/pki/pki-tomcat/ca/archive:
total 0

/var/log/pki/pki-tomcat/ca/signedAudit:
total 0

sh# cat /var/log/pki/pki-server-upgrade-10.7.0.log
Upgrading PKI server configuration at Wed 31 Jul 2019 08:44:42 PM CEST.
Traceback (most recent call last):
  File "/usr/lib64/python3.7/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib64/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.7/site-packages/pki/server/cli/upgrade.py", line 208, in <module>
    main(sys.argv)
  File "/usr/lib/python3.7/site-packages/pki/server/cli/upgrade.py", line 199, in main
    upgrader.upgrade()
  File "/usr/lib/python3.7/site-packages/pki/upgrade.py", line 619, in upgrade
    versions = self.versions()
  File "/usr/lib/python3.7/site-packages/pki/upgrade.py", line 429, in versions
    current_version = self.get_current_version()
  File "/usr/lib/python3.7/site-packages/pki/server/upgrade.py", line 301, in get_current_version
    for subsystem in self.subsystems(instance):
  File "/usr/lib/python3.7/site-packages/pki/server/upgrade.py", line 235, in subsystems
    for subsystemName in os.listdir(registry_dir):
FileNotFoundError: [Errno 2] No such file or directory: '/etc/sysconfig/pki/tomcat/pki-tomcat'

sh# ls -l /etc/sysconfig/pki/tomcat/pki-tomcat
total 4
drwxrwx---. 2 pkiuser pkiuser 47 Jul 31 20:47 ca
-rw-rw----. 1 pkiuser pkiuser 1187 Jul 31 20:47 pki-tomcat
Moving to Dogtag to investigate.
Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to catch the error that you were seeing. Can you post the versions of the various components that you have installed on your system?

The only difference between [1] and your setup would be that our CI uses the latest PKI 10.7.2 packages while we have only 10.7.0 released on Fedora. We will be releasing the latest PKI 10.7.2 next week. :) You can probably grab the latest RPMs from our official COPR repo [2].

[1] https://travis-ci.org/dogtagpki/pki/jobs/565175183
[2] https://copr.fedorainfracloud.org/coprs/g/pki/master/builds/

PS1: The overall job failed because of IPA testcases.
PS2: We recently branched 10.8. So, you might find some 10.8 builds too in COPR. :)
(In reply to Dinesh Prasanth from comment #5)
> Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to
> catch the error that you were seeing. Can you post the versions of the
> various components that you have installed on your system?
>

I already provided them in the description of this bug. If something is missing, let me know which package you are interested in.
(In reply to Lukas Slebodnik from comment #6)
> (In reply to Dinesh Prasanth from comment #5)
> > Our CI test matrix [1] includes rawhide (allowed to fail) and it failed to
> > catch the error that you were seeing. Can you post the versions of the
> > various components that you have installed on your system?
> >
>
> I already provided them in the description of this bug.

~facepalm~ Sorry about that. I looked at this BZ around midnight, when I was in a zombie state. :)

> If something is missing let me know which package are you interested in.

Sure. We will be releasing the latest PKI 10.7.2 early next week. I'll keep you posted. Thanks for the report! :)
I tried the package from the copr repo and the SELinux issues are not fixed. The directory /var/lib/pki/pki-tomcat/ was created with the wrong SELinux file context and therefore all files inside have the wrong label as well.

sh# rpm -q pki-ca
pki-ca-10.8.0-0.1.20190731195605.c5d8e6e2.fc31.noarch

sh# grep -i selinux /var/log/pki/pki-ca-spawn.20190801132146.log
'selinux_setup\n'
'selinux_setup\n'
INFO : selinux SELinux disabled

sh# getenforce
Enforcing

sh# ls -lZd /var/lib/pki/pki-tomcat/
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 131 Aug 1 13:21 /var/lib/pki/pki-tomcat/

sh# ls -lZ /var/lib/pki/pki-tomcat/
total 0
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 25 Aug 1 13:21 alias -> /etc/pki/pki-tomcat/alias
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 21 Aug 1 13:21 bin -> /usr/share/tomcat/bin
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 104 Aug 1 13:21 ca
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 28 Aug 1 13:21 common -> /usr/share/pki/server/common
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 19 Aug 1 13:21 conf -> /etc/pki/pki-tomcat
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 25 Aug 1 13:21 lib -> /usr/share/pki/server/lib
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 23 Aug 1 13:21 logs -> /var/log/pki/pki-tomcat
lrwxrwxrwx. 1 root root unconfined_u:object_r:var_lib_t:s0 16 Aug 1 13:21 pki-tomcat -> /usr/sbin/tomcat
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 6 Aug 1 13:21 temp
drwxrwx---. 3 pkiuser pkiuser unconfined_u:object_r:var_lib_t:s0 22 Aug 1 13:21 work

sh# matchpathcon /var/lib/pki/pki-tomcat/*
/var/lib/pki/pki-tomcat/alias system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/bin system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/ca system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/common system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/conf system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/lib system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/logs system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/pki-tomcat system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/temp system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki/pki-tomcat/work system_u:object_r:pki_tomcat_var_lib_t:s0
The same problem exists with the directory /etc/pki/pki-tomcat/

sh-5.0# ls -ldZ /etc/pki/pki-tomcat/
drwxrwx---. 5 pkiuser pkiuser system_u:object_r:usr_t:s0 4096 Aug 1 19:04 /etc/pki/pki-tomcat/

sh-5.0# matchpathcon /etc/pki/pki-tomcat/
/etc/pki/pki-tomcat system_u:object_r:pki_tomcat_etc_rw_t:s0

sh-5.0# ls -ldZ /etc/pki/pki-tomcat/*
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 100 Aug 1 19:05 /etc/pki/pki-tomcat/alias
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 4096 Aug 1 19:05 /etc/pki/pki-tomcat/ca
drwxrwx---. 3 pkiuser pkiuser system_u:object_r:usr_t:s0 23 Aug 1 18:56 /etc/pki/pki-tomcat/Catalina
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 21458 Aug 1 19:04 /etc/pki/pki-tomcat/catalina.policy
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 46 Aug 1 19:03 /etc/pki/pki-tomcat/catalina.properties -> /usr/share/pki/server/conf/catalina.properties
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 39 Aug 1 19:03 /etc/pki/pki-tomcat/ciphers.info -> /usr/share/pki/server/conf/ciphers.info
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 34 Aug 1 19:03 /etc/pki/pki-tomcat/context.xml -> /usr/share/tomcat/conf/context.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 292 May 6 18:27 /etc/pki/pki-tomcat/custom.policy
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 45 Aug 1 19:03 /etc/pki/pki-tomcat/logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 98 Aug 1 19:03 /etc/pki/pki-tomcat/password.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 7996 Aug 1 19:04 /etc/pki/pki-tomcat/pki.policy
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 1622 May 6 18:27 /etc/pki/pki-tomcat/schema-authority.ldif
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 495 May 6 18:27 /etc/pki/pki-tomcat/schema-certProfile.ldif
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 24 Aug 1 19:04 /etc/pki/pki-tomcat/serverCertNick.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 11340 Aug 1 19:04 /etc/pki/pki-tomcat/server.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 1895 Aug 1 19:03 /etc/pki/pki-tomcat/tomcat.conf
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 2473 May 6 18:27 /etc/pki/pki-tomcat/tomcat-users.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:usr_t:s0 108 May 6 18:27 /etc/pki/pki-tomcat/usn.ldif
lrwxrwxrwx. 1 pkiuser pkiuser unconfined_u:object_r:usr_t:s0 30 Aug 1 19:03 /etc/pki/pki-tomcat/web.xml -> /usr/share/tomcat/conf/web.xml

sh-5.0# matchpathcon /etc/pki/pki-tomcat/*
/etc/pki/pki-tomcat/alias system_u:object_r:pki_tomcat_cert_t:s0
/etc/pki/pki-tomcat/ca system_u:object_r:pki_tomcat_cert_t:s0
/etc/pki/pki-tomcat/Catalina system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/catalina.policy system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/catalina.properties system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/ciphers.info system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/context.xml system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/custom.policy system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/logging.properties system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/password.conf system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/pki.policy system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/schema-authority.ldif system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/schema-certProfile.ldif system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/serverCertNick.conf system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/server.xml system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/tomcat.conf system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/tomcat-users.xml system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/usn.ldif system_u:object_r:pki_tomcat_etc_rw_t:s0
/etc/pki/pki-tomcat/web.xml system_u:object_r:pki_tomcat_etc_rw_t:s0
The SELinux-related problems are caused by wrong detection of enabled SELinux in /usr/lib/python3.7/site-packages/pki/server/deployment/scriptlets/selinux_setup.py:

# PKI Deployment Selinux Setup Scriptlet
class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):

    suffix = "(/.*)?"

    def restore_context(self, mdict):
        selinux.restorecon(mdict['pki_instance_path'], True)
        selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
        selinux.restorecon(mdict['pki_instance_log_path'], True)
        selinux.restorecon(mdict['pki_instance_configuration_path'], True)

    def spawn(self, deployer):

        if config.str2bool(deployer.mdict['pki_skip_installation']):
            logger.info('Skipping SELinux setup')
            return

        # seobject is None whenever its import failed, so a broken
        # python-setools is reported as "SELinux disabled" and the
        # whole labeling step is skipped.
        if not selinux.is_selinux_enabled() or seobject is None:
            logger.info('SELinux disabled')
            return

It fails because of a bug in python-setools:

python3 -c 'import seobject'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/seobject.py", line 33, in <module>
    import sepolicy
  File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 7, in <module>
    import setools
  File "/usr/lib64/python3.7/site-packages/setools/__init__.py", line 31, in <module>
    from . import policyrep
  File "/usr/lib64/python3.7/site-packages/setools/policyrep/__init__.py", line 26, in <module>
    from .bounds import BoundsRuletype
  File "/usr/lib64/python3.7/site-packages/setools/policyrep/bounds.py", line 22, in <module>
    from .qpol import qpol_typebounds_t
ImportError: cannot import name 'qpol_typebounds_t' from 'setools.policyrep.qpol' (/usr/lib64/python3.7/site-packages/setools/policyrep/qpol.py)
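A fail-closed variant of the detection quoted above, as an added example (not Dogtag's code and not from the report): it keeps "SELinux is disabled" apart from "the policy tooling cannot be imported" and refuses to continue in the second case. The `is_enabled` and `importer` callables are injected so the logic runs without libselinux; that the real scriptlet turns the seobject ImportError into `None` is an assumption.

```python
"""Fail-closed SELinux detection for an installer scriptlet (added example,
not Dogtag's code; `is_enabled` and `importer` are injected so it runs without
libselinux installed)."""


class SELinuxSetupError(RuntimeError):
    """SELinux is enabled but the instance's file contexts cannot be applied."""


def import_seobject():
    """Import the policy tooling; return (module or None, ImportError or None).
    Assumption: the real scriptlet also turns this ImportError into None."""
    try:
        import seobject
        return seobject, None
    except ImportError as exc:
        return None, exc


def selinux_setup_decision(is_enabled, importer=import_seobject, skip=False):
    """Return 'skip', 'disabled' or 'configure'. Unlike the quoted scriptlet,
    a missing seobject is never reported as 'SELinux disabled'."""
    if skip:
        return "skip"
    if not is_enabled():
        return "disabled"
    seobject, error = importer()
    if seobject is None:
        # The report's situation: getenforce says Enforcing, yet `import seobject`
        # fails inside setools. Fail closed instead of skipping the labeling.
        raise SELinuxSetupError(
            f"SELinux is enabled but seobject cannot be imported ({error}); "
            "the instance directories would be left with wrong contexts")
    return "configure"


def fails_closed(is_enabled, importer):
    """True if the decision refuses to proceed for this environment."""
    try:
        selinux_setup_decision(is_enabled, importer)
        return False
    except SELinuxSetupError:
        return True


# Constructed fakes reproducing the environment in the report.
def broken_import():
    return None, ImportError("cannot import name 'qpol_typebounds_t'")


def working_import():
    return object(), None
```

With `is_enabled=lambda: True` and `broken_import`, the decision raises instead of logging "SELinux disabled", which is the point where the report's install should have stopped.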
*** This bug has been marked as a duplicate of bug 1734789 ***
thank you for the confirmation, Lukas! Glad that it worked out! :)
(In reply to Dinesh Prasanth from comment #12)
> thank you for the confirmation, Lukas! Glad that it worked out! :)

I have no idea what you mean here. I could not confirm any of your suggestions, because the version of dogtag was unrelated and the dogtag team did not even try to investigate the SELinux bug.

No need to say thank you very much Lukas for your time :-)