Bug 732084 - IPA 2.1 won't start if SELinux is disabled
Summary: IPA 2.1 won't start if SELinux is disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 700505 732064
Blocks:
Reported: 2011-08-19 18:09 UTC by Dmitri Pal
Modified: 2015-01-04 23:50 UTC (History)

Fixed In Version: ipa-2.1.1-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: Disable SELinux and attempt to restart the ipa service (completely disabled as opposed to permissive). Consequence: The ipa service fails to start. Fix: Ignore the return value of restorecon. Its return value does not reflect success/failure. Result: The ipa service starts whether SELinux is enabled or not.
Clone Of: 732064
Environment:
Last Closed: 2011-12-06 18:30:08 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 0 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Dmitri Pal 2011-08-19 18:09:13 UTC
+++ This bug was initially created as a clone of Bug #732064 +++

Description of problem:
IPA 2.1 won't start if SELinux is disabled

Version-Release number of selected component (if applicable):
2.1.0

How reproducible:
I've just updated to FreeIPA 2.1.0. I disabled SELinux on this machine (Fedora 15) when I installed IPA, as there was a bug with IPA's SELinux ruleset, which made the ipa-server-install script fail.

That decision seems to be biting my ass now. I get the following error message: "/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel" whenever I attempt to start IPA.

After configuring SELinux to be permissive the error disappears, and IPA starts normally.



[root@ipa03 ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv:
    IX-TEST-COM... server already stopped                [FAILED]
    PKI-IPA... server already stopped                      [FAILED]
  *** Error: 2 instance(s) unsuccessfully stopped          [FAILED]
Starting dirsrv:
    IX-TEST-COM...                                       [  OK  ]
    PKI-IPA...                                             [  OK  ]
Restarting KDC Service
Restarting krb5kdc (via systemctl):                        [  OK  ]
Restarting KPASSWD Service
Restarting ipa_kpasswd (via systemctl):                    [  OK  ]
Restarting HTTP Service
Restarting httpd (via systemctl):                          [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel
Failed to restart CA Service
Shutting down
Stopping krb5kdc (via systemctl):                          [  OK  ]
Stopping ipa_kpasswd (via systemctl):                      [  OK  ]
Stopping httpd (via systemctl):                            [  OK  ]
Stopping pki-ca:                                           [  OK  ]
Shutting down dirsrv:
    IX-TEST-COM...                                       [  OK  ]
    PKI-IPA...                                             [  OK  ]
Aborting ipactl
[root@ipa03 ~]# getenforce
Disabled


Steps to Reproduce:
1. Disable SELinux
2. Reboot
3. Attempt to start IPA
  
Actual results:
IPA fails to start with the following error message:
/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel

Expected results:
IPA should check if SELinux is enabled before depending on SELinux commands to complete successfully

Additional info:

--- Additional comment from rcritten on 2011-08-19 13:17:50 EDT ---

This is fixed in upstream dogtag, bug https://bugzilla.redhat.com/show_bug.cgi?id=700505

Once a Fedora build is available with that fix we can update the minimum dogtag package requires.

Upstream tracker https://fedorahosted.org/freeipa/ticket/1686

Comment 2 Daniel Walsh 2011-08-20 10:38:36 UTC
In scripting you should use selinuxenabled

# selinuxenabled exits 0 only when SELinux is enabled; it must be run as a
# command. "[ selinuxenabled ]" would only test a non-empty string and always succeed.
if selinuxenabled; then
   runcon ...
else
   ...
fi


Why is an init script using runcon?

Comment 3 Martin Kosek 2011-08-31 06:46:53 UTC
Fixed upstream:
master: 3ef732d7381a8d59400a669009904e14c8265792
ipa-2-1: 28e6d137afa65f638ea6e748eb39bce9aa83e403

Comment 6 Rob Crittenden 2011-11-01 13:59:08 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Disable SELinux and attempt to restart the ipa service (completely disabled as opposed to permissive).
Consequence: The ipa service fails to start.
Fix: Ignore the return value of restorecon. Its return value does not reflect success/failure.
Result: The ipa service starts whether SELinux is enabled or not.
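The two fixes discussed on this bug, Daniel Walsh's advice in Comment 2 to gate runcon on selinuxenabled and the Technical Note's point that restorecon's exit status must not decide whether the service starts, combine into a small start-up helper. This is an added example, not code from IPA or Dogtag; the SELINUXENABLED, RUNCON and RESTORECON variables are hypothetical hooks so the logic can be exercised on a machine without SELinux tooling, and the context string and paths used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not IPA/Dogtag code): start a daemon under an SELinux
# context only when SELinux is actually enabled, and never let restorecon's
# exit status abort the start-up sequence.
#
# Hypothetical hooks: the three tools can be substituted so the helper can be
# tested where SELinux is absent. Defaults are the real binaries.
SELINUXENABLED="${SELINUXENABLED:-selinuxenabled}"
RUNCON="${RUNCON:-runcon}"
RESTORECON="${RESTORECON:-restorecon}"

# selinux_active: succeeds only if the tool exists AND reports SELinux enabled.
# Note that the command itself is run; "[ selinuxenabled ]" would just test a
# non-empty string and always succeed.
selinux_active() {
    command -v "$SELINUXENABLED" >/dev/null 2>&1 && "$SELINUXENABLED"
}

# run_in_context CONTEXT CMD [ARGS...]
# With SELinux enabled, run CMD via runcon in CONTEXT; otherwise run CMD
# directly, because runcon refuses to work on a non-SELinux kernel.
run_in_context() {
    ctx="$1"; shift
    if selinux_active; then
        "$RUNCON" "$ctx" "$@"
    else
        "$@"
    fi
}

# relabel PATH: best-effort relabel. restorecon's return value is ignored on
# purpose (it does not reflect whether the service can start), so this always
# returns 0, including when the tool is missing or SELinux is disabled.
relabel() {
    if command -v "$RESTORECON" >/dev/null 2>&1; then
        "$RESTORECON" -R "$1" 2>/dev/null || :
    fi
    return 0
}

# start_service CONTEXT DIR CMD [ARGS...]: relabel the service directory,
# then launch the daemon in the requested context when possible.
start_service() {
    ctx="$1"; dir="$2"; shift 2
    relabel "$dir"
    run_in_context "$ctx" "$@"
}
```

Usage from an init script would be, for example, `start_service "system_u:system_r:pki_ca_t:s0" /var/lib/pki-ca /usr/bin/pki-ca-start` (constructed names). With `getenforce` reporting Disabled, `selinux_active` fails, the daemon is started directly and `relabel` still returns 0, so the sequence no longer aborts the way the `ipactl restart` transcript above shows.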

Comment 7 Gowrishankar Rajaiyan 2011-11-06 10:09:49 UTC
[root@decepticons ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@decepticons ~]# 


[root@decepticons ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    LAB-ENG-PNQ-REDHAT-COM...                              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv: 
    LAB-ENG-PNQ-REDHAT-COM...                              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Sun Nov 06 15:11:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Sun Nov 06 15:11:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]
[root@decepticons ~]# 

[root@decepticons ~]# reboot

[root@decepticons ~]# sestatus 
SELinux status:                 disabled
[root@decepticons ~]# 


[root@decepticons ~]# ipactl restart
Restarting Directory Service
Shutting down dirsrv: 
    LAB-ENG-PNQ-REDHAT-COM...                              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Starting dirsrv: 
    LAB-ENG-PNQ-REDHAT-COM...                              [  OK  ]
    PKI-IPA...                                             [  OK  ]
Restarting KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Starting Kerberos 5 KDC:                                   [  OK  ]
Restarting KPASSWD Service
Shutting down ipa_kpasswd:                                 [  OK  ]
Starting ipa_kpasswd:                                      [  OK  ]
Restarting DNS Service
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Restarting HTTP Service
Stopping httpd:                                            [  OK  ]
Starting httpd: [Sun Nov 06 15:32:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
[Sun Nov 06 15:32:58 2011] [warn] worker ajp://localhost:9447/ already used by another worker
                                                           [  OK  ]
Restarting CA Service
Stopping pki-ca:                                           [  OK  ]
Starting pki-ca:                                           [  OK  ]


[root@decepticons ~]# ipa user-add shanks
First name: shanks
Last name: r
-------------------
Added user "shanks"
-------------------
  User login: shanks
  First name: shanks
  Last name: r
  Full name: shanks r
  Display name: shanks r
  Initials: sr
  Home directory: /home/shanks
  GECOS field: shanks r
  Login shell: /bin/sh
  Kerberos principal: shanks.PNQ.REDHAT.COM
  UID: 67600004
  GID: 67600004
  Keytab: False
  Password: False
[root@decepticons ~]# 


[root@decepticons ~]# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.1.3                             Vendor: Red Hat, Inc.
Release     : 8.el6                         Build Date: Wed 02 Nov 2011 03:21:27 AM IST
Install Date: Thu 03 Nov 2011 10:13:53 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.1.3-8.el6.src.rpm
Size        : 3381421                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
[root@decepticons ~]#

Comment 8 errata-xmlrpc 2011-12-06 18:30:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

