Bug 474197 - pkicreate complains about missing SELinux policy . . .
pkicreate complains about missing SELinux policy . . .
Status: CLOSED NOTABUG
Product: Dogtag Certificate System
Classification: Community
Component: Installer (pkicreate/pkiremove) (Show other bugs)
1.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ade Lee
Chandrasekar Kannan
:
Depends On:
Blocks: 443788
  Show dependency treegraph
 
Reported: 2008-12-02 13:36 EST by Matthew Harmsen
Modified: 2015-01-04 18:35 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-27 15:57:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matthew Harmsen 2008-12-02 13:36:37 EST
The following is an example of the problem as it occurs on my Fedora 8 machine (this occurs on all six unique PKI subsystems):

# pkicreate -pki_instance_root=/var/lib -pki_instance_name=pki-ca1 -subsystem_type=ca -secure_port=9543 -unsecure_port=9280 -tomcat_server_port=9801
PKI instance creation Utility ...

libsepol.context_from_record: type pki_ca_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_exec_t:s0 specified for /usr/bin/dtomcat5-pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /usr/bin/dtomcat5-pki-ca1
Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1

libsepol.context_from_record: type pki_ca_script_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_script_exec_t:s0 specified for /etc/rc.d/init.d/pki-ca1 [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /etc/rc.d/init.d/pki-ca1
Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1

libsepol.context_from_record: type pki_ca_var_lib_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_lib_t:s0 specified for /var/lib/pki-ca1(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1(/.*)?
Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"

libsepol.context_from_record: type pki_ca_var_run_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_var_run_t:s0 specified for /var/run/pki-ca1.pid [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/run/pki-ca1.pid
Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid

libsepol.context_from_record: type pki_ca_log_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_log_t:s0 specified for /var/lib/pki-ca1/logs(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/logs(/.*)?
Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"

libsepol.context_from_record: type pki_ca_etc_rw_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_etc_rw_t:s0 specified for /var/lib/pki-ca1/conf(/.*)? [all files] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf(/.*)?
Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"

libsepol.context_from_record: type pki_ca_tomcat_exec_t is not defined No such file or directory.
libsepol.context_from_record: could not create context structure Invalid argument.
libsemanage.validate_handler: invalid context system_u:object_r:pki_ca_tomcat_exec_t:s0 specified for /var/lib/pki-ca1/conf/tomcat5.conf [regular file] Invalid argument.
libsemanage.dbase_llist_iterate: could not iterate over records Invalid argument.
/usr/sbin/semanage: Could not add file context for /var/lib/pki-ca1/conf/tomcat5.conf
Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf

libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9543:9543 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9543 - 9543 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9543
Error in setting selinux context pki_ca_port_t for 9543

/usr/sbin/semanage: Port tcp/9280 already defined
Error in setting selinux context pki_ca_port_t for 9280

libsepol.context_from_record: type pki_ca_port_t is not defined
libsepol.context_from_record: could not create context structure Invalid argument.
libsepol.port_from_record: could not create port structure for range 9801:9801 (tcp) Invalid argument.
libsepol.sepol_port_modify: could not load port range 9801 - 9801 (tcp) Invalid argument.
libsemanage.dbase_policydb_modify: could not modify record value Invalid argument.
libsemanage.semanage_base_merge_components: could not merge local modifications into policy Invalid argument.
/usr/sbin/semanage: Could not add port tcp/9801
Error in setting selinux context pki_ca_port_t for 9801


PKI instance creation completed ...

Starting pki-ca1:                                          [  OK  ]

PKI service(s) are available at https://pkilinux.sjc.redhat.com:9543

Server can be operated with /etc/init.d/pki-ca1 start | stop | restart

Please start the configuration by accessing:
http://pkilinux.sjc.redhat.com:9280/ca/admin/console/config/login?pin=C2ztlnkXJcL9oi1LuY85

Before proceeding with the configuration, make sure 
the firewall settings of this machine permit proper 
access to this subsystem. 


I spoke with Christina about this issue, and we suggest the following:

(1) Check to make sure whether or not the SELinux policy exists on the machine.
(2) If the policy does not exist, check to see if the SELinux mode is set to
    "Enforcing"; in this case, we should fail gracefully with an explicit
    message that our particular SELinux policy is required to run on a
    machine where SELinux is enforced.  If the SELinux mode is set to
    "Permissive", perhaps just issue a single warning message to the screen
    and the log file, and continue without SELinux checks.
(3) Verify with Dan Walsh if this is standard behavior for other applications.
Comment 1 Matthew Harmsen 2008-12-02 19:36:43 EST
Similarly, removing the above (unconfigured) instance shows the following:

# pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca1
PKI instance Deletion Utility ...

PKI instance Deletion Utility cleaning up instance ...

You have elected to remove the instance installed in /var/lib/pki-ca1.
Are you sure (Y/N)?   y

No security domain defined.  If this is an unconfigured instance, then that is OK.
Otherwise, manually delete the entry from the security domain master.
Removing port 9280 from selinux policy.
/usr/sbin/semanage: Port tcp/9280 is defined in policy, cannot be deleted
Port 9280 not removed from selinux policy correctly.
Removing port 9543 from selinux policy.
/usr/sbin/semanage: Port tcp/9543 is not defined
Port 9543 not removed from selinux policy correctly.
Removing port 9801 from selinux policy.
/usr/sbin/semanage: Port tcp/9801 is not defined
Port 9801 not removed from selinux policy correctly.
Removing selinux file contexts. 
/usr/sbin/semanage: File context for /usr/bin/dtomcat5-pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_exec_t for /usr/bin/dtomcat5-pki-ca1

/usr/sbin/semanage: File context for /etc/rc.d/init.d/pki-ca1 is not defined
ERROR: Error in setting selinux file context pki_ca_script_exec_t for /etc/rc\.d/init\.d/pki-ca1

/usr/sbin/semanage: File context for /var/lib/pki-ca1(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_var_lib_t for "/var/lib/pki-ca1(/.*)?"

/usr/sbin/semanage: File context for /var/run/pki-ca1.pid is not defined
ERROR: Error in setting selinux file context pki_ca_var_run_t for /var/run/pki-ca1\.pid

/usr/sbin/semanage: File context for /var/lib/pki-ca1/logs(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_log_t for "/var/lib/pki-ca1/logs(/.*)?"

/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf/tomcat5.conf is not defined
ERROR: Error in setting selinux file context pki_ca_tomcat_exec_t for /var/lib/pki-ca1/conf/tomcat5\.conf

/usr/sbin/semanage: File context for /var/lib/pki-ca1/conf(/.*)? is not defined
ERROR: Error in setting selinux file context pki_ca_etc_rw_t for "/var/lib/pki-ca1/conf(/.*)?"

Stopping pki-ca1: ...............................          [  OK  ]

Removing dir /var/lib/pki-ca1
Removing file /var/log/pki-ca1-install.log
Removing file /etc/init.d/pki-ca1
Removing file /usr/share/applications/pki-ca1-config.desktop
Removing file /usr/bin/dtomcat5-pki-ca1
Comment 2 Ade Lee 2009-01-27 15:57:40 EST
selinux is now delivered as part of pki-selinux, which is included as a requirement for pki-ca and other subsystems as part of 480679.

Therefore, closing this as NOT_A_BUG

Note You need to log in before you can comment on or make changes to this bug.