What version of selinux-policy is installed?

Here is an excerpt from /var/log/messages covering the time of the ipa-server-install execution. Please note that there is also a problem with NTP:

Dec  7 09:35:15 server systemd[1]: Stopped Network Time Service.
Dec  7 09:35:15 server systemd[1]: Reloading.
Dec  7 09:35:15 server systemd[1]: Cannot add dependency job for unit ntp-wait.service, ignoring: Unit ntp-wait.service failed to load: No such file or directory. See system logs and 'systemctl status ntp-wait.service' for details.
Dec  7 09:35:15 server systemd[1]: Starting Network Time Service...
Dec  7 09:35:15 server ntpd[2825]: ntpd 4.2.6p5 Thu Dec  6 12:52:39 UTC 2012 (1)
Dec  7 09:35:15 server ntpd[2826]: proto: precision = 0.069 usec
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Dec  7 09:35:15 server systemd[1]: Started Network Time Service.
Dec  7 09:35:15 server ntpd[2826]: Listen and drop on 1 v6wildcard :: UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 2 lo 127.0.0.1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 3 em1 192.168.1.11 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 4 lo ::1 UDP 123
Dec  7 09:35:15 server ntpd[2826]: Listen normally on 5 em1 fe80::21c:c4ff:feae:574f UDP 123
Dec  7 09:35:15 server ntpd[2826]: peers refreshed
Dec  7 09:35:15 server ntpd[2826]: Listening on routing socket on fd #22 for interface updates
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c016 06 restart
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec  7 09:35:15 server ntpd[2826]: 0.0.0.0 c011 01 freq_not_set
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Reached target 389 Directory Server.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2902]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server dbus-daemon[634]: dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec  7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Reloading.
Dec  7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec  7 09:35:18 server ns-slapd[2924]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec  7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec  7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec  7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec  7 09:35:19 server ntpd[2826]: 0.0.0.0 c514 04 freq_mode
Dec  7 09:35:19 server dbus-daemon[634]: dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Reached target PKI Tomcat Server.
Dec  7 09:35:19 server systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec  7 09:35:23 server pkidaemon[2943]: 'pki-tomcat' must still be CONFIGURED!
Dec  7 09:35:23 server pkidaemon[2943]: (see /var/log/pki-tomcat-install.log)
Dec  7 09:35:23 server systemd[1]: Started PKI Tomcat Server pki-tomcat.

[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.11.1-60.fc18          @updates-testing
selinux-policy-devel.noarch             3.11.1-60.fc18          @updates-testing
selinux-policy-targeted.noarch          3.11.1-60.fc18          @updates-testing
[root@server ~]#

I am unable to attach the log from ipa-server-install???? I believe I have made all the correct entries; selected the file, entered a description, etc. But when I click submit, nothing happens.

That's fine, the log isn't needed. the AVC is enough.

To try to work around the problem, I:
1. Uninstalled ipa server: ipa-server-install --uninstall
2. Followed the instructions in the SELinux alert details to update the policy
3. Rebooted
4. Tried to install IPA server again:

[root@server ~]#   ipa-server-install \
>     --admin-password adminpassword \
>     --hostname server.hunter.org \
>     --domain hunter.org \
>     --ds-password dspassword \
>     --realm HUNTER.ORG \
>     --setup-dns \
>     --no-forwarders \
>     --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBM6ZgK' returned non-zero exit status 1
Configuration of CA failed
[root@server ~]#

Created attachment 659510 [details]
testing attachment

this is a test
this is only a test

The CA not being configured it likely a different issue than the SELinux problem.

Look in /var/log/ipaserver-install.log for more details.

You may also want to try to uninstall again and run pkidestroy -s CA -i pki-tomcat

The SELinux replated problem seems to be that the port used by the 389 instance for Dogtag is labelled as pki_ca_port_t.  This means ns-slapd will not be allowed to bind to that port, we we expect it to be ldap_port_t.  A port can only have one label, so setup-ds.pl will fail to label the port properly.

I do not know how things got in this state, but you should be able to work around this problem my manually cleaning up the port label:

- Uninstall IPA.
- As root, remove the pki_ca_port_t label from port 7389 by running 'semanage port -d -p tcp -t pki_ca_port_t 7389'.
- Reinstall IPA.

I am sorry but the workaround for the port label did not work. I had already started a rebuild because of problems with ipa-server-install --uninstall, so I used these steps:

1.  Install Fedora 18 beta Gnome Desktop
2.  hostnamectl set-hostname server
3.  cat >/etc/sysconfig/network <<EOD
    NETWORKING=yes
    HOSTNAME=server.hunter.org
    EOD
4.  yum update --assumeyes
5.  reboot
6.  yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7.  mkdir /var/run/ipa                             # 880995
8.  chmod 0700 /var/run/ipa                        # 880995
9.  semanage port -d -p tcp -t pki_ca_port_t 7389  # 885154
    
The result was this message:

/sbin/semanage: Port tcp/7389 is defined in policy, cannot be deleted

What does the output of 'semanage port -l |grep 7389' show?  This might be a problem in the version of selinux-policy that you have installed.  Port 7389 should not be labelled as pki_ca_port_t.

The SELinux issue is related to the fix that was added for this bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=879516

I have repopened the above bug, as the fix is incorrect.  Port 7389 should not be labelled as pki_ca_port_t.

On the other hand, following the instructions in the alert details to create a new policy from the log did resolve the problem:

[root@server ~]# audit2allow -M mypol <<EOD
type=AVC msg=audit(1354894518.888:342): avc:  denied  { name_bind } for  pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)
EOD
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@server ~]# cat mypol.te

module mypol 1.0;

require {
	type dirsrv_t;
	type pki_ca_port_t;
	class tcp_socket name_bind;
}

#============= dirsrv_t ==============
#!!!! This avc is allowed in the current policy

allow dirsrv_t pki_ca_port_t:tcp_socket name_bind;
[root@server ~]#  semodule -i mypol.pp
[root@server ~]# 

I believe the error was introduced sometime in the last week since the IPA server was last installed on Nov 29 with 3.11.1-57.fc18 required to correct another bug.

Per your last request:

[root@server ~]# semanage port -l | grep 7389
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447
[root@server ~]#

The policy module you added will work, but I would consider it a temporary fix, as it's not really correct.  When a new selinux-policy update is made to fix this, you should remove your custom policy module (mypol.pp) and then label 7389 as ldap_port_t using semanage.

Absolutely! I agree 100%. I apologize that I was not clear that I was working around the bug. Do you have an estimate on when a new selinux-policy update will correct this problem?

(In reply to comment #15)
> Absolutely! I agree 100%. I apologize that I was not clear that I was
> working around the bug. Do you have an estimate on when a new selinux-policy
> update will correct this problem?

According to bug 879416, it has been fixed now:

   "Fixed in selinux-policy-3.11.1-61.fc18"

I have verified that this problem has been corrected in selinux-policy-3.11.1-62.fc18

Ok. In that case I will simply close the bug. Thanks Nathan and Dean for cooperation!