Bug 885154 - ipa-server-install selinux alert
Summary: ipa-server-install selinux alert
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 18
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-07 15:48 UTC by Dean Hunter
Modified: 2012-12-19 12:28 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-19 12:28:35 UTC
Type: Bug


Attachments (Terms of Use)
testing attachment (197 bytes, text/plain)
2012-12-07 17:15 UTC, Dean Hunter
no flags Details

Description Dean Hunter 2012-12-07 15:48:52 UTC
Description of problem:
SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket.


Version-Release number of selected component (if applicable):
[root@server ~]# yum list installed freeipa*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
freeipa-admintools.x86_64                    3.0.1-3.fc18                @fedora
freeipa-client.x86_64                        3.0.1-3.fc18                @fedora
freeipa-python.x86_64                        3.0.1-3.fc18                @fedora
freeipa-server.x86_64                        3.0.1-3.fc18                @fedora
freeipa-server-selinux.x86_64                3.0.1-3.fc18                @fedora
[root@server ~]# 


How reproducible: consistent


Steps to Reproduce:
1.  Install Fedora 18 beta Gnome Desktop
2.  hostnamectl set-hostname server
3.  cat >/etc/sysconfig/network <<EOD
    NETWORKING=yes
    HOSTNAME=server.hunter.org
    EOD
4.  yum update --assumeyes
5.  reboot
6.  yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7.  mkdir /var/run/ipa
8.  chmod 0700 /var/run/ipa
9.  cat >>/etc/hosts <<EOD
    192.168.1.11  server.hunter.org server
    EOD
10. ipa-server-install \
      --admin-password adminpassword \
      --hostname server.hunter.org \
      --domain hunter.org \
      --ds-password dspassword \
      --realm HUNTER.ORG \
      --setup-dns \
      --no-forwarders \
      --unattended

  
Actual results:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpipLYWg' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
Unexpected error - see /var/log/ipaserver-install.log for details:
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12'
[root@server ~]#


Expected results:
Successful completion of ipa-server-install


Additional info:
Source Context                system_u:system_r:dirsrv_t:s0
Target Context                system_u:object_r:pki_ca_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          7389
Host                          server
Source RPM Packages           389-ds-base-1.3.0-0.1.a1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4
                              14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-12-07 09:35:18 CST
Last Seen                     2012-12-07 09:35:18 CST
Local ID                      7633f564-df6b-4256-aec0-3692a2e5b5a2

Raw Audit Messages
type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)

Hash: ns-slapd,dirsrv_t,pki_ca_port_t,tcp_socket,name_bind

audit2allow
audit2allow -R

Comment 1 Rob Crittenden 2012-12-07 15:51:24 UTC
What version of selinux-policy is installed?

Comment 2 Dean Hunter 2012-12-07 15:55:08 UTC
Here is an excerpt from /var/log/messages covering the time of the ipa-server-install execution. Please note that there is also a problem with NTP:

Dec  7 09:35:15 server systemd[1]: Stopped Network Time Service.
Dec  7 09:35:15 server systemd[1]: Reloading.
Dec  7 09:35:15 server systemd[1]: Cannot add dependency job for unit ntp-wait.service, ignoring: Unit ntp-wait.service failed to load: No such file or directory. See system logs and 'systemctl status ntp-wait.service' for details.
Dec  7 09:35:15 server systemd[1]: Starting Network Time Service...
Dec  7 09:35:15 server ntpd[2825]: ntpd 4.2.6p5@1.2349-o Thu Dec  6 12:52:39 UTC 2012 (1)
Dec  7 09:35:15 server ntpd[2826]: proto: precision = 0.069 usec
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Dec  7 09:35:15 server systemd[1]: Started Network Time Service.
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 1 v6wildcard :: UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 2 lo 127.0.0.1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 3 em1 192.168.1.11 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 4 lo ::1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 5 em1 fe80::21c:c4ff:feae:574f UDP 123
Dec  7 09:35:15 server ntpd[2826]: peers refreshed
Dec  7 09:35:15 server ntpd[2826]: Listening on routing socket on fd #22 for interface updates
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c016 06 restart
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c011 01 freq_not_set
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Reached target 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2902]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server dbus-daemon[634]: dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server systemd[1]: dirsrv@PKI-IPA.service: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2924]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server systemd[1]: dirsrv@PKI-IPA.service: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state
Dec  7 09:35:19 server ntpd[2826]: 0.0.0.0 c514 04 freq_mode
Dec  7 09:35:19 server dbus-daemon[634]: dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Reached target PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:23 server pkidaemon[2943]: 'pki-tomcat' must still be CONFIGURED!
Dec  7 09:35:23 server pkidaemon[2943]: (see /var/log/pki-tomcat-install.log)
Dec  7 09:35:23 server systemd[1]: Started PKI Tomcat Server pki-tomcat.

Comment 3 Dean Hunter 2012-12-07 15:56:23 UTC
[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.11.1-60.fc18          @updates-testing
selinux-policy-devel.noarch             3.11.1-60.fc18          @updates-testing
selinux-policy-targeted.noarch          3.11.1-60.fc18          @updates-testing
[root@server ~]#

Comment 4 Dean Hunter 2012-12-07 16:02:59 UTC
I am unable to attach the log from ipa-server-install???? I believe I have made all the correct entries; selected the file, entered a description, etc. But when I click submit, nothing happens.

Comment 5 Rob Crittenden 2012-12-07 16:43:51 UTC
That's fine, the log isn't needed. the AVC is enough.

Comment 6 Dean Hunter 2012-12-07 17:13:51 UTC
To try to work around the problem, I:
1. Uninstalled ipa server: ipa-server-install --uninstall
2. Followed the instructions in the SELinux alert details to update the policy
3. Rebooted
4. Tried to install IPA server again:

[root@server ~]#   ipa-server-install \
>     --admin-password adminpassword \
>     --hostname server.hunter.org \
>     --domain hunter.org \
>     --ds-password dspassword \
>     --realm HUNTER.ORG \
>     --setup-dns \
>     --no-forwarders \
>     --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBM6ZgK' returned non-zero exit status 1
Configuration of CA failed
[root@server ~]#

Comment 7 Dean Hunter 2012-12-07 17:15:20 UTC
Created attachment 659510 [details]
testing attachment

this is a test
this is only a test

Comment 8 Rob Crittenden 2012-12-07 17:50:45 UTC
The CA not being configured it likely a different issue than the SELinux problem.

Look in /var/log/ipaserver-install.log for more details.

You may also want to try to uninstall again and run pkidestroy -s CA -i pki-tomcat

Comment 9 Nathan Kinder 2012-12-07 18:23:36 UTC
The SELinux replated problem seems to be that the port used by the 389 instance for Dogtag is labelled as pki_ca_port_t.  This means ns-slapd will not be allowed to bind to that port, we we expect it to be ldap_port_t.  A port can only have one label, so setup-ds.pl will fail to label the port properly.

I do not know how things got in this state, but you should be able to work around this problem my manually cleaning up the port label:

- Uninstall IPA.
- As root, remove the pki_ca_port_t label from port 7389 by running 'semanage port -d -p tcp -t pki_ca_port_t 7389'.
- Reinstall IPA.

Comment 10 Dean Hunter 2012-12-07 21:17:33 UTC
I am sorry but the workaround for the port label did not work. I had already started a rebuild because of problems with ipa-server-install --uninstall, so I used these steps:

1.  Install Fedora 18 beta Gnome Desktop
2.  hostnamectl set-hostname server
3.  cat >/etc/sysconfig/network <<EOD
    NETWORKING=yes
    HOSTNAME=server.hunter.org
    EOD
4.  yum update --assumeyes
5.  reboot
6.  yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7.  mkdir /var/run/ipa                             # 880995
8.  chmod 0700 /var/run/ipa                        # 880995
9.  semanage port -d -p tcp -t pki_ca_port_t 7389  # 885154
    
The result was this message:

/sbin/semanage: Port tcp/7389 is defined in policy, cannot be deleted

Comment 11 Nathan Kinder 2012-12-07 22:08:56 UTC
What does the output of 'semanage port -l |grep 7389' show?  This might be a problem in the version of selinux-policy that you have installed.  Port 7389 should not be labelled as pki_ca_port_t.

Comment 12 Nathan Kinder 2012-12-07 22:25:18 UTC
The SELinux issue is related to the fix that was added for this bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=879516

I have repopened the above bug, as the fix is incorrect.  Port 7389 should not be labelled as pki_ca_port_t.

Comment 13 Dean Hunter 2012-12-07 22:28:55 UTC
On the other hand, following the instructions in the alert details to create a new policy from the log did resolve the problem:

[root@server ~]# audit2allow -M mypol <<EOD
type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)
EOD
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@server ~]# cat mypol.te

module mypol 1.0;

require {
	type dirsrv_t;
	type pki_ca_port_t;
	class tcp_socket name_bind;
}

#============= dirsrv_t ==============
#!!!! This avc is allowed in the current policy

allow dirsrv_t pki_ca_port_t:tcp_socket name_bind;
[root@server ~]#  semodule -i mypol.pp
[root@server ~]# 

I believe the error was introduced sometime in the last week since the IPA server was last installed on Nov 29 with 3.11.1-57.fc18 required to correct another bug.

Per your last request:

[root@server ~]# semanage port -l | grep 7389
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447
[root@server ~]#

Comment 14 Nathan Kinder 2012-12-07 23:25:08 UTC
The policy module you added will work, but I would consider it a temporary fix, as it's not really correct.  When a new selinux-policy update is made to fix this, you should remove your custom policy module (mypol.pp) and then label 7389 as ldap_port_t using semanage.

Comment 15 Dean Hunter 2012-12-08 05:00:09 UTC
Absolutely! I agree 100%. I apologize that I was not clear that I was working around the bug. Do you have an estimate on when a new selinux-policy update will correct this problem?

Comment 16 Nathan Kinder 2012-12-10 18:57:42 UTC
(In reply to comment #15)
> Absolutely! I agree 100%. I apologize that I was not clear that I was
> working around the bug. Do you have an estimate on when a new selinux-policy
> update will correct this problem?

According to bug 879416, it has been fixed now:

   "Fixed in selinux-policy-3.11.1-61.fc18"

Comment 17 Dean Hunter 2012-12-12 06:34:59 UTC
I have verified that this problem has been corrected in selinux-policy-3.11.1-62.fc18

Comment 18 Martin Kosek 2012-12-19 12:28:35 UTC
Ok. In that case I will simply close the bug. Thanks Nathan and Dean for cooperation!


Note You need to log in before you can comment on or make changes to this bug.