The following is an example of the problem as it occurs on my Fedora 8 machine (this occurs on all six unique PKI subsystems):

# pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ca1 -subsystem_type=ca -secure_port=9543 -unsecure_port=9280 -tomcat_server_port=9801
PKI instance creation Utility ...

libsepol.context_from_record: type pki_ca_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_exec_t:s0 specified for /usr/bin/dtomcat5-pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /usr/bin/dtomcat5-pki-ca1
Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1
libsepol.context_from_record: type pki_ca_script_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_script_exec_t:s0 specified for /etc/rc.d/init.d/pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /etc/rc.d/init.d/pki-ca1
Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1
libsepol.context_from_record: type pki_ca_var_lib_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_lib_t:s0 specified for /var/lib/pki-ca1(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1(/.*)?
Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"
libsepol.context_from_record: type pki_ca_var_run_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_run_t:s0 specified for /var/run/pki-ca1.pid [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/run/pki-ca1.pid
Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid
libsepol.context_from_record: type pki_ca_log_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_log_t:s0 specified for /var/lib/pki-ca1/logs(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/logs(/.*)?
Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"
libsepol.context_from_record: type pki_ca_etc_rw_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_etc_rw_t:s0 specified for /var/lib/pki-ca1/conf(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf(/.*)?
Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"
libsepol.context_from_record: type pki_ca_tomcat_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_tomcat_exec_t:s0 specified for /var/lib/pki-ca1/conf/tomcat5.conf [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf/tomcat5.conf
Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf
libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9543:9543 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9543 - 9543 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9543
Error in setting selinux context pki_ca_port_t for 9543
/usr/sbin/semanage: Port tcp/9280 already defined
Error in setting selinux context pki_ca_port_t for 9280
libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9801:9801 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9801 - 9801 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9801
Error in setting selinux context pki_ca_port_t for 9801
PKI instance creation completed ...

Starting pki-ca1: [ OK ]

PKI service(s) are available at https://pkilinux.sjc.redhat.com:9543
Server can be operated with /etc/init.d/pki-ca1 start | stop | restart

Please start the configuration by accessing:
http://pkilinux.sjc.redhat.com:9280/ca/admin/console/config/login?pin=C2ztlnkXJcL9oi1LuY85

Before proceeding with the configuration, make sure the firewall settings of this machine permit proper access to this subsystem.

I spoke with Christina about this issue, and we suggest the following:

(1) Check to make sure whether or not the SELinux policy exists on the machine.

(2) If the policy does not exist, check to see if the SELinux mode is set to "Enforcing"; in this case, we should fail gracefully with an explicit message that our particular SELinux policy is required to run on a machine where SELinux is enforced. If the SELinux mode is set to "Permissive", perhaps just issue a single warning message to the screen and the log file, and continue without SELinux checks.

(3) Verify with Dan Walsh if this is standard behavior for other applications.
Similarly, removing the above (unconfigured) instance shows the following:

# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca1
PKI instance Deletion Utility ...

PKI instance Deletion Utility cleaning up instance ...

You have elected to remove the instance installed in /var/lib/pki-ca1.
Are you sure (Y/N)? y
No security domain defined.
If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.
Removing port 9280 from selinux policy.
/usr/sbin/semanage: Port tcp/9280 is defined in policy, cannot be deleted
Port 9280 not removed from selinux policy correctly.
Removing port 9543 from selinux policy.
/usr/sbin/semanage: Port tcp/9543 is not defined
Port 9543 not removed from selinux policy correctly.
Removing port 9801 from selinux policy.
/usr/sbin/semanage: Port tcp/9801 is not defined
Port 9801 not removed from selinux policy correctly.
Removing selinux file contexts.
/usr/sbin/semanage: File context for /usr/bin/dtomcat5-pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1
/usr/sbin/semanage: File context for /etc/rc.d/init.d/pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1
/usr/sbin/semanage: File context for /var/lib/pki-ca1(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"
/usr/sbin/semanage: File context for /var/run/pki-ca1.pid is not defined
ERROR: Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid
/usr/sbin/semanage: File context for /var/lib/pki-ca1/logs(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"
/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf/tomcat5.conf is not defined
ERROR: Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf
/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"
Stopping pki-ca1: ............................... [ OK ]
Removing dir /var/lib/pki-ca1
Removing file /var/log/pki-ca1-install.log
Removing file /etc/init.d/pki-ca1
Removing file /usr/share/applications/pki-ca1-config.desktop
Removing file /usr/bin/dtomcat5-pki-ca1
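The pre-flight behaviour proposed in the comment above (check whether the policy types exist; refuse to install when SELinux is Enforcing and they do not; warn and continue when it is Permissive), written out as an added example. This is editor-supplied illustration code, not code from pkicreate or the Dogtag project. It assumes `getenforce` and setools' `seinfo` are on the PATH and that `seinfo -t<type>` prints a defined type back by name; the type list for the `ca` subsystem is taken from the semanage failures above, while the same `pki_<subsystem>_*` naming for the other subsystems, the `--check` entry point and the install-log argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not pkicreate's own code): SELinux pre-flight check for a
# PKI subsystem install. The decision logic lives in a pure function so it
# can be exercised without SELinux tools; the probes use getenforce and
# seinfo (setools). All tool names and paths here are assumptions.

# SELinux types pkicreate tried to apply for the "ca" subsystem, taken from
# the semanage failures above. Assumption: other subsystems use the same
# pki_<subsystem>_* suffixes.
pki_selinux_types() {
    for suffix in exec_t script_exec_t var_lib_t var_run_t log_t etc_rw_t tomcat_exec_t port_t; do
        printf '%s ' "pki_${1}_${suffix}"
    done
}

# Pure decision: $1 is "yes"/"no" (are the types defined?), $2 is the
# getenforce mode. Prints the action and returns 0 (continue) or 2 (stop).
#   label : policy present, apply contexts and ports as usual
#   skip  : SELinux disabled, nothing to label
#   warn  : Permissive without policy, warn once and continue unlabelled
#   abort : Enforcing (or unknown mode) without policy, fail closed
pki_selinux_decision() {
    present=$1; mode=$2
    if [ "$mode" = Disabled ]; then
        echo skip; return 0
    fi
    if [ "$present" = yes ]; then
        echo label; return 0
    fi
    case "$mode" in
        Permissive) echo warn;  return 0 ;;
        *)          echo abort; return 2 ;;   # Enforcing or anything unexpected
    esac
}

# "yes" if every type for subsystem $1 is defined in the loaded policy.
# Assumption: seinfo -t<type> echoes a defined type by name. A missing
# seinfo (or a missing type) yields "no", the conservative answer.
pki_selinux_types_present() {
    for t in $(pki_selinux_types "$1"); do
        if ! seinfo -t"$t" 2>/dev/null | grep -qw "$t"; then
            echo no; return 0
        fi
    done
    echo yes
}

# Live check for subsystem $1, logging warnings to $2 (hypothetical install
# log path). Returns 0 to continue or 2 to stop the installation.
pki_selinux_preflight() {
    sub=$1
    log=${2:-/dev/null}
    mode=$(getenforce 2>/dev/null || echo Disabled)
    present=$(pki_selinux_types_present "$sub")
    action=$(pki_selinux_decision "$present" "$mode") || true
    case "$action" in
        abort)
            echo "ERROR: SELinux is $mode but the pki-$sub policy types are not defined; install the SELinux policy for pki-$sub before running pkicreate." >&2
            return 2 ;;
        warn)
            msg="WARNING: SELinux is $mode and the pki-$sub policy types are not defined; continuing without SELinux file contexts and port labels."
            echo "$msg" >&2
            echo "$msg" >>"$log" ;;
        skip)
            echo "SELinux is disabled; skipping SELinux labelling." ;;
        label)
            echo "SELinux policy for pki-$sub is present; applying file contexts and ports." ;;
    esac
    return 0
}

# Usage: sh pki-selinux-preflight.sh --check ca /var/log/pki-ca1-install.log
case "${1:-}" in
    --check) pki_selinux_preflight "${2:-ca}" "${3:-/dev/null}" ;;
esac
```

Run with `--check` the script exits 2 on an Enforcing box that lacks the policy, which is the "fail gracefully with an explicit message" case; in Permissive mode it prints and logs one warning and exits 0. Keeping the decision separate from the probes is what makes the fail-closed rule for unknown modes easy to test.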
SELinux policy is now delivered as part of pki-selinux, which is included as a requirement for pki-ca and the other subsystems as part of 480679. Therefore, closing this as NOT_A_BUG.