Bug 674513 - ipa-server-install fails, as a result of failure to restart KDC (with SELinux enforcing)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: SELinux
Version: 2.0
Hardware: x86_64
OS: Linux
Importance: high medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-02 09:35 UTC by Kashyap Chamarthy
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-27 07:22:20 UTC



Description Kashyap Chamarthy 2011-02-02 09:35:23 UTC
Description of problem:

With SELinux enforcing, ipa-server-install fails as a result of a KDC restart failure. The KDC fails to restart because it cannot contact the LDAP server.

Please see below for log details.

SELinux audit2allow info:

I guess krb5kdc is trying to write to the slapd socket here, which it does not have permission for?
##############################################################
[root@foobaz yum.repos.d]# cat /var/log/audit/audit.log | audit2allow -R

require {
	type krb5kdc_t;
}

#============= krb5kdc_t ==============
ldap_stream_connect_dirsrv(krb5kdc_t)
[root@foobaz yum.repos.d]# 
##############################################################



Version-Release number of selected component (if applicable):
----------------------------------------------------------------
[root@foobaz ~]# rpm -qi freeipa-server 
Name        : freeipa-server               Relocations: (not relocatable)
Version     : 2.0                               Vendor: (none)
Release     : 0.2011020122gitf3d04bf.fc14   Build Date: Wed 02 Feb 2011 04:44:14 AM IST
Install Date: Wed 02 Feb 2011 01:32:33 PM IST      Build Host: vm-048.idm.lab.bos.redhat.com
Group       : System Environment/Base       Source RPM: freeipa-2.0-0.2011020122gitf3d04bf.fc14.src.rpm
----------------------------------------------------------------

How reproducible:
Always

Steps to Reproduce:
1. SELinux in Enforcing.
2. Invocation : ipa-server-install -N --setup-dns
3. Accept defaults & provide details where appropriate and proceed with the install.
  
Actual results:
IPA server install fails with 

"2011-02-02 13:44:37,946 INFO stderr=krb5kdc: cannot initialize realm PNQ.REDHAT.COM - see log file for details"

Expected results:
IPA server install goes ahead fine.



Additional info:
----------------

/var/log/ipaserver-install.log
##############################################################
<snip>
.

2011-02-02 13:44:37,540 INFO args=/sbin/service dirsrv restart 
2011-02-02 13:44:37,541 INFO stdout=Shutting down dirsrv: 
    PKI-IPA...[  OK  ]
    PNQ-REDHAT-COM...[  OK  ]
Starting dirsrv: 
    PKI-IPA...[  OK  ]
    PNQ-REDHAT-COM...[  OK  ]

2011-02-02 13:44:37,541 INFO stderr=[02/Feb/2011:13:44:36 +051800] config - Unknown attribute nsslapd-entryusn-import-initval will be ignored

2011-02-02 13:44:37,541 DEBUG restarting the KDC
2011-02-02 13:44:37,945 INFO args=/sbin/service krb5kdc restart 
2011-02-02 13:44:37,946 INFO stdout=Stopping Kerberos 5 KDC: [FAILED]
Starting Kerberos 5 KDC: [FAILED]

2011-02-02 13:44:37,946 INFO stderr=krb5kdc: cannot initialize realm PNQ.REDHAT.COM - see log file for details

2011-02-02 13:44:37,970 DEBUG Command '/sbin/service krb5kdc restart ' returned non-zero exit status 1
  File "/usr/sbin/ipa-server-install", line 947, in <module>
    sys.exit(main())

  File "/usr/sbin/ipa-server-install", line 863, in main
    krb.restart()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 230, in restart
    restart(self.service_name, instance_name, capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 54, in restart
    capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 154, in run
    raise CalledProcessError(p.returncode, args)

[root@foobaz yum.repos.d]

</snip>
################################################################

==> And, krb5kdc.log says: <==

[root@foobaz yum.repos.d]# cat /var/log/krb5kdc.log
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): shutdown signal received
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): closing down fd 11
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): closing down fd 12
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): closing down fd 10
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): closing down fd 9
Feb 02 13:25:31 foobaz.pnq.redhat.com krb5kdc[5991](info): shutting down
krb5kdc: Can't contact LDAP server - while initializing database for realm PNQ.REDHAT.COM
krb5kdc: Can't contact LDAP server - while initializing database for realm PNQ.REDHAT.COM
[root@foobaz yum.repos.d]#
###################################################################

NOTE: ipa-server-install works just fine with SELinux in 'permissive' mode
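Added example, not part of the bug report or of FreeIPA: a small Python parser over AVC records of the kind `audit2allow -R` summarizes above. It groups denials by source type, target type and object class, renders the raw allow rules audit2allow would print, and checks specifically for the access the `ldap_stream_connect_dirsrv` interface grants. The sample audit records are constructed for illustration; the report only shows audit2allow's output, so the exact target type (`dirsrv_t`), class (`unix_stream_socket`) and permission (`connectto`) are assumptions inferred from that interface name.

```python
import re
from collections import defaultdict

# Fields of an SELinux AVC record as written to /var/log/audit/audit.log
# (the same records that `audit2allow -R` consumes).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample records (not taken from the bug report): the assumed
# shape of the denial behind "Can't contact LDAP server", plus an unrelated
# httpd denial and a SYSCALL record to show that grouping keeps them apart.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1296632677.945:4021): avc:  denied  { connectto } for  pid=6001 comm="krb5kdc" path="/var/run/slapd-PNQ-REDHAT-COM.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1296632677.946:4022): avc:  denied  { connectto } for  pid=6001 comm="krb5kdc" path="/var/run/slapd-PNQ-REDHAT-COM.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1296632690.101:4030): avc:  denied  { name_connect } for  pid=6100 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1296632677.945:4021): arch=c000003e syscall=42 success=no exit=-13 ...
"""


def type_of(context):
    """Return the type (third component) of a user:role:type:level context."""
    return context.split(':')[2]


def parse_avc_denials(log_text):
    """Parse AVC records into {(source_type, target_type, tclass): set(perms)}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, USER_AVC etc. are not kernel AVC denials
        key = (type_of(m.group('scontext')), type_of(m.group('tcontext')), m.group('tclass'))
        denials[key].update(m.group('perms').split())
    return denials


def allow_rules(denials):
    """Render the raw allow rules audit2allow (without -R) would emit, sorted."""
    return sorted(
        f'allow {src} {tgt}:{tclass} {{ {" ".join(sorted(perms))} }};'
        for (src, tgt, tclass), perms in denials.items()
    )


def kdc_blocked_from_dirsrv(denials):
    """True when krb5kdc_t is denied connecting to the dirsrv_t LDAPI socket,
    which is the access the ldap_stream_connect_dirsrv() interface grants."""
    perms = denials.get(('krb5kdc_t', 'dirsrv_t', 'unix_stream_socket'), set())
    return 'connectto' in perms


if __name__ == '__main__':
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    print('KDC denied connect to dirsrv socket:', kdc_blocked_from_dirsrv(found))
```

On a live system the same records come from `ausearch -m avc -c krb5kdc`; the point of grouping by (source, target, class) is that a policy fix is judged per type pair, so a run of identical denials from repeated restarts collapses to the single rule that is actually missing.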

Comment 1 Rob Crittenden 2011-02-02 14:41:02 UTC
This should be fixed by selinux-policy in F14 updates-testing, can you re-test?

Comment 2 Kashyap Chamarthy 2011-02-03 06:26:40 UTC
VERIFIED.

Yes, I can confirm that after enabling updates-testing, ipa-server-install runs smoothly.

Version info:
---------------------------------------
[root@foobaz ~]# rpm -q selinux-policy
selinux-policy-3.9.7-25.fc14.noarch
[root@foobaz ~]# rpm -q selinux-policy --changelog | grep dirsrv
- Allow dirsrv to use kerberos
---------------------------------------
[root@foobaz ~]# rpm -qi freeipa-server
Name        : freeipa-server               Relocations: (not relocatable)
Version     : 2.0                               Vendor: (none)
Release     : 0.2011020221gitafce50a.fc14   Build Date: Thu 03 Feb 2011 04:42:55 AM IST
-----------------------------------------
