Bug 616869 - pkicreate changes 389-ds socket contexts
Summary: pkicreate changes 389-ds socket contexts
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: CA   
(Show other bugs)
Version: 1.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: dogtagIPAv2 445047
TreeView+ depends on / blocked
Reported: 2010-07-21 15:26 UTC by Rob Crittenden
Modified: 2015-01-04 23:43 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-04 20:23:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to fix (529 bytes, patch)
2010-08-16 17:52 UTC, Ade Lee
no flags Details | Diff

Description Rob Crittenden 2010-07-21 15:26:33 UTC
Description of problem:

I see this sometimes when trying to install IPA. The ldapi socket file is not removed when dirsrv is stopped and this seems to confuse 389-ds into thinking there is a listener there:

# service dirsrv status
dirsrv GREYOAK-COM (pid 3411) is running...
# ls -l /var/run/slapd-GREYOAK-COM.socket 
srw-rw-rw-. 1 root root 0 Jul 21 11:18 /var/run/slapd-GREYOAK-COM.socket
service dirsrv stop
Shutting down dirsrv: 
    GREYOAK-COM...                                         [  OK  ]
# ls -l /var/run/slapd-GREYOAK-COM.socket 
srw-rw-rw-. 1 root root 0 Jul 21 11:18 /var/run/slapd-GREYOAK-COM.socket

It does start up ok in some situations but in the IPA installer it sometimes fails to restart with the error:

2010-07-21 11:10:45,067 INFO stderr=[21/Jul/2010:11:10:45 -0400] createprlistensockets - PR_Bind() on localhost file /var/run/slapd-GREYOAK-COM.socket failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)

Removing this file will let 389-ds be configured successfully.

Version-Release number of selected component (if applicable):

Comment 1 Nathan Kinder 2010-07-21 17:41:48 UTC
Do you notice an AVC in the audit log when this problem occurs?  I believe that the ldapi socket file is left around after a server is stopped by design, but it should be removed and recreated at instance startup time.  It is done this way since the user that ns-slapd runs as will typically not have permission to remove the ldapi socket file at shutdown time since.  The file should be removed at startup before we drop privileges.

Comment 2 Rob Crittenden 2010-07-21 17:49:10 UTC
Good call, it sure is:

type=AVC msg=audit(1279725045.036:166): avc:  denied  { unlink } for  pid=2647 comm="ns-slapd" name="slapd-GREYOAK-COM.socket" dev=sda1 ino=119192 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

srw-rw-rw-. root root unconfined_u:object_r:dirsrv_var_run_t:s0 /var/run/slapd-GREYOAK-COM.socket

Comment 3 Nathan Kinder 2010-07-22 15:41:16 UTC
It looks odd that the AVC shows that the context of the socket file is "var_run_t", yet you are seeing a context of "dirsrv_var_run_t" in your "ls -lZ" output later.  The correct context is "dirsrv_var_run_t", and everything should work fine if this context is set on the socket file.

Is this happening in an upgrade scenario, or for a fresh install?

Comment 4 Rob Crittenden 2010-07-22 18:16:08 UTC
Re-install/reconfigure of 389-ds

I'll install, uninstall, and re-install the same 389-DS instance several times in the same day during IPA development.

I'm having a hard time reproducing this at the moment. A few days ago it seemed like every time I re-installed I had to remove the socket file, now not so much. It may be related to usage of IPA. I'll see if I can come up with a reproducer.

Comment 5 Nathan Kinder 2010-07-22 18:23:36 UTC
If you do come up with a reproducer, note down the context of the ldapi socket file at various steps.  That will help to figure out what is happening.

Comment 6 Rob Crittenden 2010-07-22 20:03:13 UTC
Not quite a reproducer but I did reproduce the problem. At the beginning of an
IPA install the context was "dirsrv_var_run_t". The installation failed and the
context is "var_run_t".

I did a restorecon on it and the context is still var_run_t.

Comment 7 Rob Crittenden 2010-07-27 12:56:46 UTC
This is a dogtag problem. pkicreate is changing the context.


Comment 8 Rob Crittenden 2010-07-27 13:02:05 UTC
Super-easy reproducer:

# touch /var/run/slapd-MINE.socket
# chcon unconfined_u:object_r:dirsrv_var_run_t:s0 /var/run/slapd-MINE.socket
# /usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca
# ls -lZ /var/run/slapd-MINE.socket
-rw-r--r--. root root system_u:object_r:var_run_t:s0   /var/run/slapd-MINE.socket

Comment 9 Nathan Kinder 2010-07-27 14:27:11 UTC
The dirsrv SELinux policy uses a filetrans to transition the socket file from the default context of var_run_t to dirsrv_var_run_t.  My guess is that pkicreate is doing a recursive restorecon somewhere that ends up changing the context of this file.  The restorecon should be more specific to only relabel Dogtag files.  This sort of thing could be causing issues for other programs who use a filetrans for files in /var/run as well.

Comment 10 Nathan Kinder 2010-08-02 16:59:45 UTC
Is there any update on this?

Comment 12 Ade Lee 2010-08-16 16:32:18 UTC

I am adding a patch to only relabel dogtag files within /var/run.  That should fix the immediate problem.  However, my guess is that you need to define some rule in policy to prevent your selinux context being corrupted by a random relabelling.

That is, if I do a restorecon on /var/lib at any time -- the dogtag files will retain their correct labelling because they have rules defined in policy.

Comment 13 Ade Lee 2010-08-16 17:52:45 UTC
Created attachment 438998 [details]
patch to fix

mharmsen, please review.

Comment 14 Matthew Harmsen 2010-08-16 18:15:38 UTC
attachment 438998 [details] +mharmsen

Comment 15 Ade Lee 2010-08-16 18:21:21 UTC

[vakwetu@goofy-vm4 setup]$ svn ci -m "Bugzilla Bug 616869 - pkicreate changes 389-ds socket contexts" 
Sending        setup/pkicreate
Transmitting file data .
Committed revision 1180.


[vakwetu@dhcp231-121 setup]$ svn ci -m "Bugzilla Bug 616869 - pkicreate changes 389-ds socket contexts"
Sending        setup/pkicreate
Transmitting file data .
Committed revision 1181.

Comment 16 Chandrasekar Kannan 2011-03-24 13:46:28 UTC
with cs81, after a pkicreate, here's what i observed.

[root@alice ~]# ls -lZ /var/run/*
srw-rw-rw-  root    root    system_u:object_r:apmd_var_run_t /var/run/acpid.socket
-rw-r--r--  root    root    system_u:object_r:crond_var_run_t /var/run/atd.pid
srw-r-----  root    root    system_u:object_r:audisp_var_run_t /var/run/audispd_events
-rw-r--r--  root    root    system_u:object_r:auditd_var_run_t /var/run/auditd.pid
prw-------  root    root    system_u:object_r:automount_var_run_t /var/run/autofs.fifo-misc
prw-------  root    root    system_u:object_r:automount_var_run_t /var/run/autofs.fifo-net
-rw-r--r--  root    root    system_u:object_r:iscsi_var_run_t /var/run/brcm_iscsiuio.pid
-rw-r--r--  root    root    system_u:object_r:crond_var_run_t /var/run/crond.pid
-rw-r--r--  root    root    system_u:object_r:cupsd_var_run_t /var/run/cupsd.pid
-rw-r--r--  root    root    system_u:object_r:dhcpc_var_run_t /var/run/dhclient-eth0.pid
-rw-r--r--  root    root    system_u:object_r:gpm_var_run_t  /var/run/gpm.pid
-rw-r--r--  root    root    system_u:object_r:hald_var_run_t /var/run/haldaemon.pid
-rw-r--r--  root    root    system_u:object_r:hplip_var_run_t /var/run/hpiod.pid
-rw-r--r--  root    root    system_u:object_r:hplip_var_run_t /var/run/hpiod.port
-rw-r--r--  root    root    system_u:object_r:hplip_var_run_t /var/run/hpssd.pid
-rw-r--r--  root    root    system_u:object_r:hplip_var_run_t /var/run/hpssd.port
-rw-------  root    root    system_u:object_r:iscsi_var_run_t /var/run/iscsid.pid
-rw-------  root    root    system_u:object_r:klogd_var_run_t /var/run/klogd.pid
-rw-r--r--  root    root    system_u:object_r:system_dbusd_var_run_t /var/run/messagebus.pid
srwxrwxrwx  root    root    system_u:object_r:pcscd_var_run_t /var/run/pcscd.comm
-rw-r--r--  root    root    system_u:object_r:pcscd_var_run_t /var/run/pcscd.pid
-rw-r--r--  root    root    system_u:object_r:pcscd_var_run_t /var/run/pcscd.pub
-rw-r--r--  pkiuser pkiuser system_u:object_r:pki_ca_var_run_t /var/run/pki-ca.pid
-rw-r--r--  pkiuser pkiuser system_u:object_r:pki_kra_var_run_t /var/run/pki-kra.pid
-rw-r--r--  pkiuser pkiuser system_u:object_r:pki_ocsp_var_run_t /var/run/pki-ocsp.pid
-rw-r--r--  pkiuser pkiuser system_u:object_r:pki_ca_var_run_t /var/run/pki-subca.pid
-rw-r--r--  pkiuser pkiuser system_u:object_r:pki_tks_var_run_t /var/run/pki-tks.pid
-rw-r--r--  root    root    system_u:object_r:restorecond_var_run_t /var/run/restorecond.pid
-rwxr-xr-x  root    root    system_u:object_r:var_run_t      /var/run/rhn_check.pid
-rw-r--r--  root    root    system_u:object_r:initrc_var_run_t /var/run/rhnsd.pid
-rw-r--r--  rpcuser rpcuser system_u:object_r:rpcd_var_run_t /var/run/rpc.statd.pid
srw-rw-rw-  root    root    system_u:object_r:bluetooth_var_run_t /var/run/sdp
-rw-------  root    smmsp   system_u:object_r:sendmail_var_run_t /var/run/sendmail.pid
-rw-r--r--  root    root    system_u:object_r:setroubleshoot_var_run_t /var/run/setroubleshootd.pid
-rw-r--r--  smmsp   smmsp   system_u:object_r:sendmail_var_run_t /var/run/sm-client.pid
-rw-r--r--  root    root    system_u:object_r:var_run_t      /var/run/sshd.pid
-rw-------  root    root    system_u:object_r:syslogd_var_run_t /var/run/syslogd.pid
-rw-rw-r--  root    utmp    system_u:object_r:initrc_var_run_t /var/run/utmp
-rw-r--r--  root    root    system_u:object_r:xfs_var_run_t  /var/run/xfs.pid
-rw-r--r--  root    root    system_u:object_r:inetd_var_run_t /var/run/xinetd.pid

-rw-r--r--  avahi avahi system_u:object_r:avahi_var_run_t pid
srwxrwxrwx  avahi avahi system_u:object_r:avahi_var_run_t socket


dr-x--x--x  lp   sys  system_u:object_r:cupsd_var_run_t certs
srwxrwxrwx  root root system_u:object_r:cupsd_var_run_t cups.sock

srwxrwxrwx  root root system_u:object_r:system_dbusd_var_run_t system_bus_socket

srwx------  nobody root   root:object_r:var_run_t          admin-serv.cgisock.16376
-rw-r--r--  root   root   root:object_r:var_run_t          admin-serv.pid
-rw-r--r--  nobody nobody root:object_r:var_run_t          slapd-alice.pid
-rw-r--r--  nobody nobody root:object_r:var_run_t          slapd-alice.stats











srw-rw-rw-  root root system_u:object_r:setroubleshoot_var_run_t setroubleshoot_server




marking bug verified.

Note You need to log in before you can comment on or make changes to this bug.