Bug 929062 - libsemanage reports load_policy errors during freeipa-server-selinux install
Summary: libsemanage reports load_policy errors during freeipa-server-selinux install
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-29 07:33 UTC by Martin Kosek
Modified: 2013-10-24 18:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-24 18:07:13 UTC
Type: Bug
Embargoed:


Attachments
relevant part of /var/log/messages (17.48 KB, application/octet-stream)
2013-03-29 14:46 UTC, Tomas Babej

Description Martin Kosek 2013-03-29 07:33:47 UTC
Description of problem:

When we enroll a new Fedora 19 VM (by distro-syncing a Fedora 18 VM) and install FreeIPA packages, we sometimes hit the following bug:

  Installing : freeipa-server-3.1.99GITa9b9b77-0.fc19.x86_64 4/7
  Installing : freeipa-server-selinux-3.1.99GITa9b9b77-0.fc19.x86_64 5/7
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /sbin/load_policy did not exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!
  Installing : freeipa-server-trust-ad-3.1.99GITa9b9b77-0.fc19.x86_64 6/7


Consequently, it causes the following failure during ipa-server-install:

[12/14]: configuring SELinux for httpd
WARNING: could not set the following SELinux boolean(s):
  httpd_can_network_connect -> on
  httpd_manage_ipa -> on
The web interface may not function correctly until the booleans
are successfully changed with the command:
/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
Try updating the policycoreutils and selinux-policy packages.
  [13/14]: restarting httpd
... 

When setting these booleans by hand, setsebool returned error 137:
# /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_manage_ipa=on
# echo $?
137

Additional note - the VM was running SELinux in Permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-24.fc19.noarch

How reproducible:

Steps to Reproduce:
1. Upgrade F18 to F19
2. Install freeipa packages (we use development packages from upstream git, they will land in Fedora 19 on Apr 2nd)
3. Run ipa-server-install
  
Actual results:
setsebool reports errors above.

Expected results:
setsebool runs smoothly.

Additional info:

Comment 1 Daniel Walsh 2013-03-29 13:23:20 UTC
Do you see anything in dmesg or the /var/log/messages?

Are the machines memory challenged?

Comment 2 Daniel Walsh 2013-03-29 13:23:54 UTC
If you run load_policy after the fact does it work?

Comment 3 Martin Kosek 2013-03-29 14:18:38 UTC
Adding Tomas to add this information; he is the actual owner of the failing VMs.

Comment 4 Tomas Babej 2013-03-29 14:46:15 UTC
Created attachment 718098
relevant part of /var/log/messages

Adding a relevant part of /var/log/messages. There really seems to be a memory problem; the semodule process was killed because of it.

Comment 5 Tomas Babej 2013-03-29 15:05:49 UTC
Running load_policy after installing the packages does not help the issue.

Comment 6 Daniel Walsh 2013-04-01 13:31:26 UTC
If you try this with a bigger VM memory wise does it work?

Comment 7 Tomas Babej 2013-04-02 08:46:18 UTC
I doubled the amount of memory available (from 1024 MB to 2048 MB) and the issue is no longer reproducible.
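
The following is an added example, not part of the bug report, its comments, or its attachment: it decodes an exit status such as the 137 reported above (128 + signal 9, SIGKILL) and checks kernel log lines for an OOM-killer record of the named process. The log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage a setsebool/semodule/load_policy run that died
# with a high exit status on a memory-constrained host.

# Shells report "child killed by signal N" as exit status 128+N.
# Prints the signal number, or 0 when the status is an ordinary exit code.
signal_from_status() {
    if [ "$1" -gt 128 ]; then
        echo $(( $1 - 128 ))
    else
        echo 0
    fi
}

# Reads kernel log text on stdin and prints the command names that the
# OOM killer reports killing ("Killed process <pid> (<comm>) ...").
oom_victims() {
    sed -n 's/.*Killed process [0-9][0-9]* (\([^)]*\)).*/\1/p' | sort -u
}

# Usage: killed_by_oom <exit-status> <command-name> < logfile
# Succeeds only if the status means SIGKILL and the log names the command.
killed_by_oom() {
    [ "$(signal_from_status "$1")" -eq 9 ] || return 1
    oom_victims | grep -qxF -- "$2"
}

# Constructed sample log lines (not taken from the bug's attachment).
sample_log() {
    cat <<'EOF'
Mar 29 14:40:01 vm kernel: Out of memory: Kill process 2345 (semodule) score 612 or sacrifice child
Mar 29 14:40:01 vm kernel: Killed process 2345 (semodule) total-vm:482316kB, anon-rss:401200kB, file-rss:0kB
Mar 29 14:52:17 vm kernel: Killed process 2990 (setsebool) total-vm:470104kB, anon-rss:398764kB, file-rss:0kB
EOF
}

# Demo against the constructed log; on a real host feed /var/log/messages
# or the output of dmesg instead.
if sample_log | killed_by_oom 137 setsebool; then
    echo "setsebool exit 137: SIGKILL, and the kernel log shows an OOM kill"
fi
```

A status of 137 alone only shows that the process received SIGKILL; the log match is what ties it to memory exhaustion rather than to a policy or package problem.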

