Red Hat Bugzilla – Bug 496175
pkiremove of tps instance throws error message when tps log location is changed.
Last modified: 2015-01-04 18:37:54 EST
Description of problem:
pkicreate a tps instance, providing a value to '-redirect logs='; pkiremove of the same instance throws the error message "(13)Permission denied: Error retrieving pid file logs/tps_instance.pid".
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. pkicreate tps instance. Example:
pkicreate -pki_instance_root=/var/lib -subsystem_type=tps -pki_instance_name=pki-tps-2 -secure_port=13389 -unsecure_port=13388 -non_clientauth_secure_port=13390 -redirect logs=/tmp/asha/tps-log/
2. pkiremove the tps instance.
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-tps-2 -force
Stopping pki-tps-2: (13)Permission denied: Error retrieving pid file logs/pki-tps-2.pid
Remove it before continuing if it is corrupted.
tps instance removed successfully.
tps processes and files seem to be deleted. If I try to pkicreate a tps instance using the same ports again, it fails.
Test is run on RHEL 5.3 64 bit, logged in as root.
With SELinux policy set to permissive, I do not see any issue for this scenario.
I want to make sure I get the right rule for the selinux policy. I do not see a specific message for the pid file. Could be that my system is set up slightly differently.
So please reproduce on your system. Should not take more than a few minutes.
Do as follows:
cat /dev/null > /var/log/audit/audit.log
Do the pkicreate/pkiremove as you have described.
cat /var/log/audit/audit.log |audit2allow -R
Post the output.
So, it turns out that the selinux context for the log file location was not being correctly set because of the trailing slash in the log location specified in the pkicreate.
pkicreate needs to be modified to remove any trailing slashes from paths before setting the selinux context.
Created attachment 341257
patch to fix
This patch includes fixes for this bug and for 496332
mharmsen, please review
attachment (id=341257) +mharmsen
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug #496332 and #496175"
Transmitting file data .....
Committed revision 415.
pkiremove removed the instance successfully when there is a trailing slash in the log location specified in the pkicreate.
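The root cause named in the thread (a trailing slash in the '-redirect logs=' path breaking the SELinux context for the log location) can be shown with plain pattern matching. This is an added example, not pkicreate's code or the attached patch; it assumes the context is applied with a `path(/.*)?` file-context pattern matched as a fully anchored regex, and the function names and the redirected pid file path are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not pkicreate's.

# Strip trailing slashes from a path, keeping a bare "/" intact.
strip_trailing_slashes() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# Build a file-context style pattern covering a directory and its contents
# (assumption: this is the form used when labelling the log location).
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Return 0 if path $2 matches pattern $1 as a whole-line (anchored) regex.
pattern_matches() {
    printf '%s\n' "$2" | grep -Eqx -e "$1"
}

# Constructed sample: the log location from the report and the pid file
# assumed to live inside it after the redirect.
LOG_DIR_AS_TYPED="/tmp/asha/tps-log/"
PID_FILE="/tmp/asha/tps-log/pki-tps-2.pid"

for dir in "$LOG_DIR_AS_TYPED" "$(strip_trailing_slashes "$LOG_DIR_AS_TYPED")"; do
    pat=$(fcontext_pattern "$dir")
    if pattern_matches "$pat" "$PID_FILE"; then
        echo "pattern '$pat' covers $PID_FILE"
    else
        echo "pattern '$pat' does NOT cover $PID_FILE"
    fi
done
```

With the slash left in place the pattern requires a doubled slash before any file name, so neither the directory nor the pid file inside it is covered.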