Description of problem:
SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket.

Version-Release number of selected component (if applicable):
[root@server ~]# yum list installed freeipa*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
freeipa-admintools.x86_64        3.0.1-3.fc18    @fedora
freeipa-client.x86_64            3.0.1-3.fc18    @fedora
freeipa-python.x86_64            3.0.1-3.fc18    @fedora
freeipa-server.x86_64            3.0.1-3.fc18    @fedora
freeipa-server-selinux.x86_64    3.0.1-3.fc18    @fedora
[root@server ~]#

How reproducible:
consistent

Steps to Reproduce:
1. Install Fedora 18 beta Gnome Desktop
2. hostnamectl set-hostname server
3. cat >/etc/sysconfig/network <<EOD
NETWORKING=yes
HOSTNAME=server.hunter.org
EOD
4. yum update --assumeyes
5. reboot
6. yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7. mkdir /var/run/ipa
8. chmod 0700 /var/run/ipa
9. cat >>/etc/hosts <<EOD
192.168.1.11 server.hunter.org server
EOD
10. ipa-server-install \
      --admin-password adminpassword \
      --hostname server.hunter.org \
      --domain hunter.org \
      --ds-password dspassword \
      --realm HUNTER.ORG \
      --setup-dns \
      --no-forwarders \
      --unattended

Actual results:
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa         : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpipLYWg' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
Unexpected error - see /var/log/ipaserver-install.log for details:
IOError: [Errno 2] No such file or directory: '/var/lib/pki/pki-tomcat/alias/ca_admin_cert.p12'
[root@server ~]#

Expected results:
Successful completion of ipa-server-install

Additional info:
Source Context                system_u:system_r:dirsrv_t:s0
Target Context                system_u:object_r:pki_ca_port_t:s0
Target Objects                [ tcp_socket ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          7389
Host                          server
Source RPM Packages           389-ds-base-1.3.0-0.1.a1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server
Platform                      Linux server 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    2012-12-07 09:35:18 CST
Last Seen                     2012-12-07 09:35:18 CST
Local ID                      7633f564-df6b-4256-aec0-3692a2e5b5a2

Raw Audit Messages
type=AVC msg=audit(1354894518.888:342): avc: denied { name_bind } for pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)

Hash: ns-slapd,dirsrv_t,pki_ca_port_t,tcp_socket,name_bind

audit2allow

audit2allow -R
What version of selinux-policy is installed?
Here is an excerpt from /var/log/messages covering the time of the ipa-server-install execution. Please note that there is also a problem with NTP:

Dec 7 09:35:15 server systemd[1]: Stopped Network Time Service.
Dec 7 09:35:15 server systemd[1]: Reloading.
Dec 7 09:35:15 server systemd[1]: Cannot add dependency job for unit ntp-wait.service, ignoring: Unit ntp-wait.service failed to load: No such file or directory. See system logs and 'systemctl status ntp-wait.service' for details.
Dec 7 09:35:15 server systemd[1]: Starting Network Time Service...
Dec 7 09:35:15 server ntpd[2825]: ntpd 4.2.6p5 Thu Dec 6 12:52:39 UTC 2012 (1)
Dec 7 09:35:15 server ntpd[2826]: proto: precision = 0.069 usec
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Dec 7 09:35:15 server ntpd[2826]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Dec 7 09:35:15 server systemd[1]: Started Network Time Service.
Dec 7 09:35:15 server ntpd[2826]: Listen and drop on 1 v6wildcard :: UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 2 lo 127.0.0.1 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 3 em1 192.168.1.11 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 4 lo ::1 UDP 123
Dec 7 09:35:15 server ntpd[2826]: Listen normally on 5 em1 fe80::21c:c4ff:feae:574f UDP 123
Dec 7 09:35:15 server ntpd[2826]: peers refreshed
Dec 7 09:35:15 server ntpd[2826]: Listening on routing socket on fd #22 for interface updates
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c016 06 restart
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c012 02 freq_set ntpd 0.000 PPM
Dec 7 09:35:15 server ntpd[2826]: 0.0.0.0 c011 01 freq_not_set
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server.
Dec 7 09:35:18 server systemd[1]: Reached target 389 Directory Server.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec 7 09:35:18 server ns-slapd[2902]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec 7 09:35:18 server dbus-daemon[634]: dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec 7 09:35:18 server dbus[634]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Dec 7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec 7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec 7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Reloading.
Dec 7 09:35:18 server systemd[1]: Starting 389 Directory Server PKI-IPA....
Dec 7 09:35:18 server ns-slapd[2924]: [07/Dec/2012:09:35:18 -0600] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Dec 7 09:35:18 server systemd[1]: dirsrv: control process exited, code=exited status=1
Dec 7 09:35:18 server systemd[1]: Failed to start 389 Directory Server PKI-IPA..
Dec 7 09:35:18 server systemd[1]: Unit dirsrv entered failed state
Dec 7 09:35:19 server ntpd[2826]: 0.0.0.0 c514 04 freq_mode
Dec 7 09:35:19 server dbus-daemon[634]: dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 7 09:35:19 server dbus[634]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 7 09:35:19 server systemd[1]: Starting PKI Tomcat Server.
Dec 7 09:35:19 server systemd[1]: Reached target PKI Tomcat Server.
Dec 7 09:35:19 server systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Dec 7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec 7 09:35:20 server setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd from name_bind access on the tcp_socket . For complete SELinux messages. run sealert -l 7633f564-df6b-4256-aec0-3692a2e5b5a2
Dec 7 09:35:23 server pkidaemon[2943]: 'pki-tomcat' must still be CONFIGURED!
Dec 7 09:35:23 server pkidaemon[2943]: (see /var/log/pki-tomcat-install.log)
Dec 7 09:35:23 server systemd[1]: Started PKI Tomcat Server pki-tomcat.
[root@server ~]# yum list installed selinux*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch             3.11.1-60.fc18    @updates-testing
selinux-policy-devel.noarch       3.11.1-60.fc18    @updates-testing
selinux-policy-targeted.noarch    3.11.1-60.fc18    @updates-testing
[root@server ~]#
I am unable to attach the log from ipa-server-install???? I believe I have made all the correct entries; selected the file, entered a description, etc. But when I click submit, nothing happens.
That's fine, the log isn't needed. the AVC is enough.
To try to work around the problem, I:

1. Uninstalled ipa server: ipa-server-install --uninstall
2. Followed the instructions in the SELinux alert details to update the policy
3. Rebooted
4. Tried to install IPA server again:

[root@server ~]# ipa-server-install \
> --admin-password adminpassword \
> --hostname server.hunter.org \
> --domain hunter.org \
> --ds-password dspassword \
> --realm HUNTER.ORG \
> --setup-dns \
> --no-forwarders \
> --unattended

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

To accept the default shown in brackets, press the Enter key.

Warning: skipping DNS resolution of host server.hunter.org
Using reverse zone 1.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:      server.hunter.org
IP address:    192.168.1.11
Domain name:   hunter.org
Realm name:    HUNTER.ORG

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    No forwarders
Reverse zone:  1.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/19]: creating certificate server user
  [2/19]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpBM6ZgK' returned non-zero exit status 1
Configuration of CA failed
[root@server ~]#
Created attachment 659510
testing attachment

this is a test this is only a test
The CA not being configured is likely a different issue than the SELinux problem. Look in /var/log/ipaserver-install.log for more details. You may also want to try to uninstall again and run pkidestroy -s CA -i pki-tomcat
The SELinux related problem seems to be that the port used by the 389 instance for Dogtag is labelled as pki_ca_port_t. This means ns-slapd will not be allowed to bind to that port; we expect it to be ldap_port_t. A port can only have one label, so setup-ds.pl will fail to label the port properly. I do not know how things got in this state, but you should be able to work around this problem by manually cleaning up the port label:

- Uninstall IPA.
- As root, remove the pki_ca_port_t label from port 7389 by running 'semanage port -d -p tcp -t pki_ca_port_t 7389'.
- Reinstall IPA.
I am sorry but the workaround for the port label did not work. I had already started a rebuild because of problems with ipa-server-install --uninstall, so I used these steps:

1. Install Fedora 18 beta Gnome Desktop
2. hostnamectl set-hostname server
3. cat >/etc/sysconfig/network <<EOD
NETWORKING=yes
HOSTNAME=server.hunter.org
EOD
4. yum update --assumeyes
5. reboot
6. yum install --assumeyes freeipa-server bind bind-dyndb-ldap
7. mkdir /var/run/ipa # 880995
8. chmod 0700 /var/run/ipa # 880995
9. semanage port -d -p tcp -t pki_ca_port_t 7389 # 885154

The result was this message:
/sbin/semanage: Port tcp/7389 is defined in policy, cannot be deleted
What does the output of 'semanage port -l |grep 7389' show? This might be a problem in the version of selinux-policy that you have installed. Port 7389 should not be labelled as pki_ca_port_t.
The SELinux issue is related to the fix that was added for this bug: https://bugzilla.redhat.com/show_bug.cgi?id=879516 I have reopened the above bug, as the fix is incorrect. Port 7389 should not be labelled as pki_ca_port_t.
On the other hand, following the instructions in the alert details to create a new policy from the log did resolve the problem:

[root@server ~]# audit2allow -M mypol <<EOD
type=AVC msg=audit(1354894518.888:342): avc: denied { name_bind } for pid=2924 comm="ns-slapd" src=7389 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1354894518.888:342): arch=x86_64 syscall=bind success=no exit=EACCES a0=6 a1=7fff3c600d50 a2=1c a3=7fff3c600ae0 items=0 ppid=1 pid=2924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null)
EOD
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@server ~]# cat mypol.te

module mypol 1.0;

require {
	type dirsrv_t;
	type pki_ca_port_t;
	class tcp_socket name_bind;
}

#============= dirsrv_t ==============
#!!!! This avc is allowed in the current policy
allow dirsrv_t pki_ca_port_t:tcp_socket name_bind;
[root@server ~]# semodule -i mypol.pp
[root@server ~]#

I believe the error was introduced sometime in the last week since the IPA server was last installed on Nov 29 with 3.11.1-57.fc18 required to correct another bug.

Per your last request:

[root@server ~]# semanage port -l | grep 7389
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447
[root@server ~]#
The policy module you added will work, but I would consider it a temporary fix, as it's not really correct. When a new selinux-policy update is made to fix this, you should remove your custom policy module (mypol.pp) and then label 7389 as ldap_port_t using semanage.
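As an added example (not from this bug thread or from the selinux-policy or FreeIPA projects), the following script makes the check discussed above reproducible: it parses 'semanage port -l' output and reports which SELinux port type owns tcp/7389, so an operator can tell a mislabelled port (fix the label) from a genuinely missing rule before reaching for audit2allow. The two semanage samples are constructed, one matching the state shown in this report and one matching the expected state after the policy fix.

```shell
#!/bin/sh
# Added example, not part of the bug report: parse 'semanage port -l' output
# and report which SELinux port type covers a given port, so the relabel
# (ldap_port_t) versus allow-rule (mypol.pp) question can be checked first.

# Constructed sample output in the 'semanage port -l' format, in the state the
# report shows (7389 under pki_ca_port_t) and the state the policy fix gives.
BROKEN='ldap_port_t                    tcp      389, 636, 3268, 3269
pki_ca_port_t                  tcp      7389, 9180, 9701, 9443-9447'
FIXED='ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
pki_ca_port_t                  tcp      9180, 9701, 9443-9447'

# port_types PROTO PORT: read semanage lines on stdin and print each port type
# whose list covers PORT/PROTO, expanding "lo-hi" ranges such as 9443-9447.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                n = split(r, b, "-")
                lo = b[1] + 0; hi = (n == 2) ? b[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi && !seen[$1]++) print $1
            }
        }'
}

# check_port_label PROTO PORT EXPECTED: return 0 when PORT carries EXPECTED,
# 1 when another type owns it (a domain allowed only EXPECTED then gets a
# name_bind denial like the AVC in this report), 2 when no type claims it.
check_port_label() {
    types=$(port_types "$1" "$2")
    if [ -z "$types" ]; then
        echo "$1/$2: no explicit label (falls back to port_t)"; return 2
    fi
    for t in $types; do
        [ "$t" = "$3" ] && { echo "$1/$2 is $3: ok"; return 0; }
    done
    echo "$1/$2 is labelled '$types', expected $3: bind will be denied;" \
         "fix the port label (semanage port) rather than adding an allow rule"
    return 1
}

# On a real host: semanage port -l | check_port_label tcp 7389 ldap_port_t
printf '%s\n' "$BROKEN" | check_port_label tcp 7389 ldap_port_t || true
printf '%s\n' "$FIXED"  | check_port_label tcp 7389 ldap_port_t
```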
Absolutely! I agree 100%. I apologize that I was not clear that I was working around the bug. Do you have an estimate on when a new selinux-policy update will correct this problem?
(In reply to comment #15)
> Absolutely! I agree 100%. I apologize that I was not clear that I was
> working around the bug. Do you have an estimate on when a new selinux-policy
> update will correct this problem?

According to bug 879416, it has been fixed now: "Fixed in selinux-policy-3.11.1-61.fc18"
I have verified that this problem has been corrected in selinux-policy-3.11.1-62.fc18
Ok. In that case I will simply close the bug. Thanks Nathan and Dean for cooperation!