Description of problem:
After upgrading my virtual Fedora 17 freeipa server to Fedora 18, ipa.service fails to start if selinux is in enforcing mode.

Version-Release number of selected component (if applicable):
freeipa-server.x86_64 3.1.2-1.fc18
selinux-policy.noarch 3.11.1-76.fc18

How reproducible:
Always

Steps to Reproduce:
1. Install freeipa on Fedora 17
2. Upgrade to Fedora 18
3. restart

Actual results:
systemctl reports ipa.service along with pki-ca@ and httpd failed to start

Expected results:
Everything starts to work as it should

Additional info:
I found the following in /var/log/audit/audit.log:

type=AVC msg=audit(1360847849.390:97): avc: denied { transition } for pid=1209 comm="runcon" path="/usr/sbin/tomcat6-sysd" dev="vda2" ino=404044 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:pki_tomcat_script_t:s0 tclass=process
type=SYSCALL msg=audit(1360847849.390:97): arch=c000003e syscall=59 success=no exit=-13 a0=7fff06b32c7e a1=7fff06b31dc0 a2=7fff06b31dd8 a3=7fff06b319e0 items=0 ppid=1115 pid=1209 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="runcon" exe="/usr/bin/runcon" subj=system_u:system_r:initrc_t:s0 key=(null)

echo 0 > /sys/fs/selinux/enforce or boot with selinux in permissive mode and it works.
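A triage sketch for the audit records quoted in the report above, added here as an example and not part of the original report or of any Fedora tool: it pairs each AVC denial with the SYSCALL record that carries the same audit event serial and reduces the pair to the denied domain transition. The names `denied_events` and `fields` are hypothetical, and the sample is built from the two quoted records with the SYSCALL record abridged to the fields used.

```python
import errno
import re
from collections import defaultdict

# Constructed from the two records quoted in the report (SYSCALL record abridged).
SAMPLE = (
    'type=AVC msg=audit(1360847849.390:97): avc: denied { transition } for pid=1209 '
    'comm="runcon" path="/usr/sbin/tomcat6-sysd" dev="vda2" ino=404044 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:pki_tomcat_script_t:s0 tclass=process\n'
    'type=SYSCALL msg=audit(1360847849.390:97): arch=c000003e syscall=59 success=no '
    'exit=-13 ppid=1115 pid=1209 uid=0 comm="runcon" exe="/usr/bin/runcon" '
    'subj=system_u:system_r:initrc_t:s0 key=(null)\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Return the key=value pairs of an audit record body, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def denied_events(log):
    """Group records by event serial and summarise every AVC denial found."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, _stamp, serial, body = m.groups()
            events[serial][rtype] = body
    out = []
    for serial, recs in events.items():
        avc = AVC.match(recs.get('AVC', ''))
        if not avc:
            continue  # event carries no denial
        a, s = fields(avc.group(2)), fields(recs.get('SYSCALL', ''))
        code = -int(s['exit']) if 'exit' in s else None
        out.append({
            'serial': int(serial),
            'perms': avc.group(1).split(),
            # a context is user:role:type:level, so the type is field 3
            'source': a['scontext'].split(':')[2],
            'target': a['tcontext'].split(':')[2],
            'tclass': a['tclass'],
            'path': a.get('path'),
            'exe': s.get('exe'),
            'errno': errno.errorcode.get(code) if code else None,
        })
    return out

if __name__ == '__main__':
    for event in denied_events(SAMPLE):
        print(event)
```

For the quoted records this yields a single event: `/usr/bin/runcon`, running as `initrc_t`, was refused the `process` `transition` into `pki_tomcat_script_t` when executing `/usr/sbin/tomcat6-sysd`, and the paired syscall returned EACCES.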
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3399
Re-assigning to selinux-policy to get their take on this. The pki-core team was baffled by this as well. It isn't clear yet where this transition is coming from, whether from the tomcat package, remnants of the old pki-selinux or something else.
Is /usr/sbin/tomcat6-sysd supposed to run as httpd_t?
I don't think so. I need to repeat pki+selinux knowledge.
I added a fix.
selinux-policy-3.11.1-81.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-81.fc18
selinux-policy-3.11.1-81.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.