Description of problem:
IPA 2.1 won't start if SELinux is disabled

Version-Release number of selected component (if applicable):
2.1.0

How reproducible:
I've just updated to FreeIPA 2.1.0. I disabled SELinux on this machine (Fedora 15) when I installed IPA, as there was a bug with IPA's SELinux ruleset, which made the ipa-server-install script fail. That decision seems to be biting my ass now, I get the following error message: "/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel" whenever I attempt to start IPA.

After configuring SELinux to be permissive the error disappears, and IPA starts normally.

[root@ipa03 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    IX-TEST-COM... server already stopped [FAILED]
    PKI-IPA... server already stopped [FAILED]
  *** Error: 2 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Restarting KDC Service
Restarting krb5kdc (via systemctl): [ OK ]
Restarting KPASSWD Service
Restarting ipa_kpasswd (via systemctl): [ OK ]
Restarting HTTP Service
Restarting httpd (via systemctl): [ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel
Failed to restart CA Service
Shutting down
Stopping krb5kdc (via systemctl): [ OK ]
Stopping ipa_kpasswd (via systemctl): [ OK ]
Stopping httpd (via systemctl): [ OK ]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Aborting ipactl
[root@ipa03 ~]# getenforce
Disabled

Steps to Reproduce:
1. Disable SELinux
2. Reboot
3. Attempt to start IPA

Actual results:
IPA fails to start with the following error message:
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Expected results:
IPA should check if SELinux is enabled before depending on SELinux commands to complete successfully

Additional info:

This is fixed in upstream dogtag, bug https://bugzilla.redhat.com/show_bug.cgi?id=700505

Once a Fedora build is available with that fix we can update the minimum dogtag package requires.

Upstream tracker https://fedorahosted.org/freeipa/ticket/1686

Fix in dogtag, updated deps in freeipa upstream:
master: 3ef732d7381a8d59400a669009904e14c8265792
ipa-2-1: 28e6d137afa65f638ea6e748eb39bce9aa83e403
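
The check requested under "Expected results" in the report, as an added shell example. It is not FreeIPA or dogtag code and not the upstream fix. `run_confined`, `selinux_active`, the `SELINUX_PROBE` and `RUNCON` overrides and the type `example_t` are hypothetical names; `selinuxenabled` is the libselinux utility that exits 0 when SELinux is enabled.

```shell
#!/bin/sh
# Added example: only wrap a command in runcon when the kernel has SELinux
# enabled, so a start script does not die with
# "runcon may be used only on a SELinux kernel".

# Hypothetical overrides so the logic can be exercised on any machine.
: "${SELINUX_PROBE:=selinuxenabled}"   # exits 0 in enforcing AND permissive mode
: "${RUNCON:=/usr/bin/runcon}"

selinux_active() {
    # A missing probe binary is treated the same as SELinux being disabled.
    command -v "$SELINUX_PROBE" >/dev/null 2>&1 || return 1
    "$SELINUX_PROBE" >/dev/null 2>&1
}

# run_confined TYPE CMD [ARGS...]
# Runs CMD under SELinux type TYPE when SELinux is enabled; otherwise runs CMD
# directly. The exit status of CMD (or of runcon) is passed through unchanged.
run_confined() {
    ctx_type=$1
    shift
    if selinux_active; then
        "$RUNCON" -t "$ctx_type" -- "$@"
    else
        "$@"
    fi
}

# Usage in a start script (example_t is a placeholder type, not a real policy name):
#   run_confined example_t /path/to/daemon --start
```

Because `selinuxenabled` also succeeds in permissive mode, the wrapper still uses `runcon` there, which matches the report's observation that permissive mode works while `Disabled` does not.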