Red Hat Bugzilla – Bug 732084
IPA 2.1 won't start if SELinux is disabled
Last modified: 2015-01-04 18:50:35 EST
+++ This bug was initially created as a clone of Bug #732064 +++

Description of problem:
IPA 2.1 won't start if SELinux is disabled

Version-Release number of selected component (if applicable):
2.1.0

How reproducible:
I've just updated to FreeIPA 2.1.0. I disabled SELinux on this machine (Fedora 15) when I installed IPA, as there was a bug with IPA's SELinux ruleset, which made the ipa-server-install script fail. That decision seems to be biting my ass now; I get the following error message: "/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel" whenever I attempt to start IPA. After configuring SELinux to be permissive the error disappears, and IPA starts normally.

[root@ipa03 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    IX-TEST-COM... server already stopped [FAILED]
    PKI-IPA... server already stopped [FAILED]
 *** Error: 2 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Restarting KDC Service
Restarting krb5kdc (via systemctl): [ OK ]
Restarting KPASSWD Service
Restarting ipa_kpasswd (via systemctl): [ OK ]
Restarting HTTP Service
Restarting httpd (via systemctl): [ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel
Failed to restart CA Service
Shutting down
Stopping krb5kdc (via systemctl): [ OK ]
Stopping ipa_kpasswd (via systemctl): [ OK ]
Stopping httpd (via systemctl): [ OK ]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Aborting ipactl
[root@ipa03 ~]# getenforce
Disabled

Steps to Reproduce:
1. Disable SELinux
2. Reboot
3. Attempt to start IPA

Actual results:
IPA fails to start with the following error message:
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Expected results:
IPA should check if SELinux is enabled before depending on SELinux commands to complete successfully

Additional info:

--- Additional comment from rcritten@redhat.com on 2011-08-19 13:17:50 EDT ---

This is fixed in upstream dogtag, bug https://bugzilla.redhat.com/show_bug.cgi?id=700505

Once a Fedora build is available with that fix we can update the minimum dogtag package requires.

Upstream tracker https://fedorahosted.org/freeipa/ticket/1686
In scripting you should use selinuxenabled:

if selinuxenabled; then
    runcon ...
else
    ...
fi

Why is an init script using runcon?
Fixed upstream:

master: 3ef732d7381a8d59400a669009904e14c8265792
ipa-2-1: 28e6d137afa65f638ea6e748eb39bce9aa83e403
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Disable SELinux and attempt to restart the ipa service (completely disabled as opposed to permissive).
Consequence: The ipa service fails to start.
Fix: Ignore the return value of restorecon. Its return value does not reflect success/failure.
Result: The ipa service starts whether SELinux is enabled or not.
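The two points raised in this bug (guard SELinux-only tools such as runcon behind selinuxenabled, and never let restorecon's exit status abort service startup) can be combined into a small init-script helper. The following is an added example written for this page; it is not the FreeIPA or dogtag init script and not code from any commenter. The function names, the context string and the fallback probe of the selinuxfs mount are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not FreeIPA/dogtag code): guard patterns
# for init scripts that call SELinux-only tools such as runcon or restorecon.

# selinux_active: return 0 when SELinux is enabled on this kernel, 1 otherwise.
# Prefers selinuxenabled(8). If that tool is not installed, falls back to
# probing for the selinuxfs "enforce" node, which only exists on an SELinux
# kernel (mounted at /sys/fs/selinux on modern systems, /selinux on older ones
# such as the RHEL 6 host in this bug). The fallback is an approximation.
selinux_active() {
    if command -v selinuxenabled >/dev/null 2>&1; then
        selinuxenabled
    else
        [ -e /sys/fs/selinux/enforce ] || [ -e /selinux/enforce ]
    fi
}

# run_with_context CONTEXT CMD [ARGS...]: run CMD under the SELinux context
# CONTEXT via runcon when SELinux is active; otherwise run CMD directly.
# Returns the exit status of whatever was run, so callers can still react
# to the service itself failing. This is the check the original report asked
# for: runcon is never invoked on a non-SELinux kernel.
run_with_context() {
    ctx=$1
    shift
    if selinux_active; then
        runcon "$ctx" "$@"
    else
        "$@"
    fi
}

# relabel PATH: restore file labels under PATH when SELinux is active.
# restorecon's exit status is deliberately ignored (the fix described in the
# technical note: its return value does not reflect success/failure), so a
# labelling problem can never abort service startup. Always returns 0.
relabel() {
    if selinux_active; then
        restorecon -R "$1" 2>/dev/null || true
    fi
    return 0
}

# Usage sketch of how an init script would start a daemon with these helpers.
# The context below is a constructed placeholder, not one from this bug.
start_example_service() {
    relabel /var/lib/example-service
    run_with_context "system_u:system_r:example_t:s0" /usr/sbin/example-daemon
}
```

Note that the second helper keeps the daemon's own exit status visible while the third swallows restorecon's; that asymmetry is the point. A failure of the service should still be reported by ipactl, but a relabel that cannot run (or that reports nothing useful) is not a reason to refuse to start.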
[root@decepticons ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
[root@decepticons ~]#
[root@decepticons ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    LAB-ENG-PNQ-REDHAT-COM... [ OK ]
    PKI-IPA... [ OK ]
Starting dirsrv:
    LAB-ENG-PNQ-REDHAT-COM... [ OK ]
    PKI-IPA... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Starting ipa_kpasswd: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [Sun Nov 06 15:11:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Sun Nov 06 15:11:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
[root@decepticons ~]#
[root@decepticons ~]# reboot

[root@decepticons ~]# sestatus
SELinux status: disabled
[root@decepticons ~]#
[root@decepticons ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    LAB-ENG-PNQ-REDHAT-COM... [ OK ]
    PKI-IPA... [ OK ]
Starting dirsrv:
    LAB-ENG-PNQ-REDHAT-COM... [ OK ]
    PKI-IPA... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd: [ OK ]
Starting ipa_kpasswd: [ OK ]
Restarting DNS Service
Stopping named: . [ OK ]
Starting named: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [Sun Nov 06 15:32:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Sun Nov 06 15:32:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[ OK ]
Restarting CA Service
Stopping pki-ca: [ OK ]
Starting pki-ca: [ OK ]
[root@decepticons ~]# ipa user-add shanks
First name: shanks
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: shanks
  Last name: r
  Full name: shanks r
  Display name: shanks r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: shanks r
  Login shell: /bin/sh
  Kerberos principal: shanks@LAB.ENG.PNQ.REDHAT.COM
  UID: 67600004
  GID: 67600004
  Keytab: False
  Password: False
[root@decepticons ~]#
[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html