Description of problem:
Error during yum install of freeipa-server. I am using selinux-policy from updates-testing to resolve bug #976159.

Version-Release number of selected component (if applicable):
freeipa-server-3.2.1-1.fc19.x86_64
selinux-policy-3.12.1-57.fc19.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. Build a new Fedora 19 VM
2. yum update --assumeyes
3. yum update --assumeyes --enablerepo updates-testing selinux-policy
4. yum install --assumeyes bind bind-dyndb-ldap freeipa-server

Actual results:
  Installing : freeipa-server-3.2.1-1.fc19.x86_64            186/188
  Installing : freeipa-server-selinux-3.2.1-1.fc19.x86_64    187/188
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
  Installing : bind-dyndb-ldap-3.2-1.fc19.x86_64             188/188
  Verifying  : freeipa-client-3.2.1-1.fc19.x86_64              1/188

Expected results:
  Installing : freeipa-server-3.2.1-1.fc19.x86_64            186/188
  Installing : freeipa-server-selinux-3.2.1-1.fc19.x86_64    187/188
  Installing : bind-dyndb-ldap-3.2-1.fc19.x86_64             188/188
  Verifying  : freeipa-client-3.2.1-1.fc19.x86_64              1/188

Additional info:
Could this be related to #980588?
I think it is more related to 979379. In the next release of FreeIPA we are planning on dropping our selinux sub-package. It looks like some things may have already made their way into base policy in 3.12.1-55, based on the changelog. Adding selinux-policy maintainer as cc.
Yes. A conflict will be needed in FreeIPA pkg.
(In reply to Miroslav Grepl from comment #3)
> Yes. A conflict will be needed in FreeIPA pkg.

A conflict with what exactly?
Is there some place where I can track the status of the next release of FreeIPA?
(In reply to Dean Hunter from comment #5)
> Is there some place where I can track the status of the next release of
> FreeIPA?

You'd have to track the upstream.
I found: https://fedorahosted.org/freeipa/roadmap and I see that the June releases are running late. So I will stop "bugging" y'all and just wait for the next update.
The problem persists with selinux-policy-3.12.1-59.fc19.noarch.
What is the latest release of freeipa which has this SELinux context spec?
The latest is 3.2.1. We planned on dropping the selinux subpackage in the next upstream release, 3.3 in F20 only. So I guess for now it would be best to back out the freeipa rules from the selinux policy package.
Should this bug be re-assigned to SELinux policy package?
Basically we need to add Conflicts: freeipa-selinux < 3.2.2 for F19.
We aren't planning on dropping the policy subpackage upstream until 3.3, which is aligned with F20. If you add this Conflicts then this could prevent future SELinux changes from working in F-19 if there is a 3.2 minor release.
So you are not going to drop it in F19?
No. We don't want to drop a subpackage in the middle of a Fedora release.
Is there any way I can work around this problem? How does this problem affect my use of IPA? I understand that /var/lib/ipa/pki-ca/publish is supposed to be populated but after ipa-server-install it is empty. And Java might be trying to write to the directory and failing with SELinux alerts:

time->Thu Jul 11 16:59:44 2013
type=SYSCALL msg=audit(1373579984.476:927): arch=c000003e syscall=2 success=no exit=-13 a0=7f842c0033b0 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=3529 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373579984.476:927): avc: denied { write } for pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Thu Jul 11 17:00:00 2013
type=SYSCALL msg=audit(1373580000.224:933): arch=c000003e syscall=2 success=no exit=-13 a0=7f842c00bec0 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=3529 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373580000.224:933): avc: denied { write } for pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Thu Jul 11 21:00:00 2013
type=SYSCALL msg=audit(1373594400.066:1960): arch=c000003e syscall=2 success=no exit=-13 a0=7fa950022680 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=4033 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe=2F7573722F6C69622F6A766D2F6A6176612D312E372E302D6F70656E6A646B2D312E372E302E32352E7838365F36342F6A72652F62696E2F6A617661202864656C6574656429 subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373594400.066:1960): avc: denied { write } for pid=4033 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Fri Jul 12 01:00:00 2013
type=SYSCALL msg=audit(1373608800.072:2098): arch=c000003e syscall=88 success=no exit=-13 a0=7fffc38e8bb9 a1=7fffc38e8bf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=8694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373608800.072:2098): avc: denied { create } for pid=8694 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 05:00:00 2013
type=SYSCALL msg=audit(1373623200.057:2134): arch=c000003e syscall=88 success=no exit=-13 a0=7fff2dfe2bb9 a1=7fff2dfe2bf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=9621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373623200.057:2134): avc: denied { create } for pid=9621 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 09:00:00 2013
type=SYSCALL msg=audit(1373637600.063:2170): arch=c000003e syscall=88 success=no exit=-13 a0=7fff4f9febb9 a1=7fff4f9febf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=10496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373637600.063:2170): avc: denied { create } for pid=10496 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 13:00:00 2013
type=SYSCALL msg=audit(1373652000.057:2206): arch=c000003e syscall=88 success=no exit=-13 a0=7fff684adbb9 a1=7fff684adbf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=11372 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373652000.057:2206): avc: denied { create } for pid=11372 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
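The audit records in the comment above are easier to act on once they are collapsed into distinct denial signatures. The following Python script is an added example written for this page; it is not part of the bug report, of FreeIPA or of the audit tooling. It groups AVC denials by source type, target type, object class and permission, and hex-decodes the string fields that audit encodes whenever a value contains a space or a non-printable byte (the exe= value in the third record above is such a case: the decoded path ends in " (deleted)", which the kernel appends when the file backing a running executable has been replaced or removed). The sample input is constructed from the records quoted above, trimmed to the fields the script uses; the set of field names treated as hex-encodable is the author's choice.

```python
"""Triage SELinux AVC denials from raw audit records (ausearch / audit.log).

Groups denials by (source type, target type, object class, permission) so
that a long log collapses into a few distinct signatures, and decodes the
hex-encoded string fields audit emits when a value contains a space or a
non-printable byte.
"""
import re
from collections import Counter

# Constructed sample: records copied from the audit excerpt above, trimmed to
# the fields used here.  The exe= value of the second SYSCALL record is the
# hex-encoded form exactly as audit logged it.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1373579984.476:927): arch=c000003e syscall=2 success=no exit=-13 pid=3529 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373579984.476:927): avc:  denied  { write } for  pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1373580000.224:933): avc:  denied  { write } for  pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1373594400.066:1960): arch=c000003e syscall=2 success=no exit=-13 pid=4033 comm="java" exe=2F7573722F6C69622F6A766D2F6A6176612D312E372E302D6F70656E6A646B2D312E372E302E32352E7838365F36342F6A72652F62696E2F6A617661202864656C6574656429 subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373608800.072:2098): avc:  denied  { create } for  pid=8694 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
"""

# Fields audit may hex-encode (author's choice); numeric fields such as pid=
# are never decoded, so an all-digit pid is not mistaken for hex.
HEX_ENCODED_FIELDS = {"exe", "comm", "name", "cwd", "path", "proctitle"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def decode_audit_value(value):
    """Strip quotes, or hex-decode an unquoted all-hex value."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """key=value pairs of one record; 'perms' holds the denied permissions."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = decode_audit_value(raw) if key in HEX_ENCODED_FIELDS else raw.strip('"')
    m = DENIED_RE.search(line)
    if m:
        fields["perms"] = m.group(1).split()
    return fields


def type_of(context):
    """system_u:object_r:cert_t:s0 -> cert_t"""
    return context.split(":")[2]


def summarize_denials(text):
    """Counter keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "AVC" or "perms" not in rec:
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                    rec["tclass"], perm)] += 1
    return counts


def deleted_executables(text):
    """exe paths the kernel reported with its ' (deleted)' suffix, i.e. the
    binary on disk was replaced or removed after the process started."""
    found = set()
    for line in text.splitlines():
        exe = parse_record(line).get("exe", "")
        if exe.endswith(" (deleted)"):
            found.add(exe)
    return sorted(found)


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize_denials(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {src} -> {tgt}  {cls}:{perm}")
    for exe in deleted_executables(SAMPLE_AUDIT):
        print("exe replaced while running:", exe)
```

On the sample this yields two signatures: pki_tomcat_t writing to a dir labelled cert_t, and pki_tomcat_t creating a symlink in a dir labelled pki_tomcat_cert_t. The target type is the first thing to compare against what matchpathcon reports for the path, since a denial caused by a mislabelled file is fixed by restorecon rather than by a new allow rule from audit2allow.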
You might try:

semodule -r ipa_dogtag

If you don't rely on CRLs then this shouldn't cause any problems.
I am sorry, but what are CRLs and how would I know if I rely on them?
[root@ipa19 ~]# semodule -r ipa_dogtag
libsemanage.get_module_file_by_name: Module ipa_dogtag was not found.
semodule: Failed on ipa_dogtag!
[root@ipa19 ~]#
I just returned from PTO so sorry for jumping in the middle of a conversation.

(In reply to Rob Crittenden from comment #15)
> No. We don't want to drop a subpackage in the middle of a Fedora release.

I would really like to let us consider dropping the selinux subpackage in the Fedora 19 timeframe (which is really still in the beginning of its lifetime) - it will make a lot of policy-related code easier and let us avoid maintaining the redundant selinux subpackage in F19. The upgrade should be clean, yum will automatically remove the selinux subpackage during the update process.

Originally, I did the change only with the 3.3 development version and started asking Miroslav for fixing the 2 SELinux policy issues I found (Bug 979379 and Bug 976308), one is already fixed. Unfortunately, this mid-state caused the (benign) warning above.

I would propose to let us:
1) Fix both Bug 979379 and Bug 976308 in selinux-policy
2) Drop the freeipa-server-selinux subpackage in a 3.2.x release in Fedora 19 which should be done soon (if not only because of related https://fedorahosted.org/freeipa/ticket/3727).
3) We have consistent system SELinux policy + FreeIPA without a custom/redundant selinux subpackage -> great!
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3788
I hit this after an upgrade on an F19 system and that in turn makes selinux unconfigurable:

# setsebool -P httpd_can_network_connect_db 1
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
Could not change policy booleans

The prio/severity should be raised IMO.
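Both the original report (the semodule failure during package install) and the setsebool -P failure in the comment above are the same libselinux check rejecting the regenerated file_contexts: the same regex appears twice for the same file type, so setfiles returns EINVAL ("Invalid argument") and libsemanage aborts the policy install. The following Python checker is an added example written for this page, not code from the bug, FreeIPA or libselinux. It reproduces that pairwise test, with the author's reading of the rules: a spec without a type flag applies to every type and therefore collides with any other spec for the same regex, while two typed specs only collide when the types match, and a collision is reported as "same" when the contexts agree and "different" when they conflict. The sample input is constructed; its contexts and the idea that a second module re-ships entries already in base policy are illustrative assumptions that mirror what the thread describes.

```python
"""Find duplicate specs in an SELinux file_contexts file.

setfiles (called by semodule via libsemanage) rejects a file_contexts file in
which the same regex, for the same file type, appears twice.  This checker
reproduces that pairwise test so the offending lines can be located before
semodule or setsebool -P fails with "Invalid argument".
"""
import re
import sys

# Constructed sample in file_contexts format: regex, optional -type flag, context.
# The contexts and the second group of entries are assumptions for illustration.
SAMPLE_FILE_CONTEXTS = """\
# entries from base policy
/var/lib/ipa(/.*)?                    system_u:object_r:var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?     system_u:object_r:pki_tomcat_cert_t:s0
/var/lib/pki-ca/publish(/.*)?     -d  system_u:object_r:pki_tomcat_cert_t:s0
# entries from a separately installed module carrying the same rule
/var/lib/ipa/pki-ca/publish(/.*)?     system_u:object_r:pki_tomcat_cert_t:s0
/var/lib/pki-ca/publish(/.*)?     --  system_u:object_r:cert_t:s0
/var/lib/pki-ca/publish(/.*)?     -d  system_u:object_r:cert_t:s0
"""

# regex  [-b|-c|-d|-l|-p|-s|--]  context
SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")


def parse_specs(text):
    """Return a list of (lineno, regex, mode_or_None, context)."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse spec: {raw!r}")
        regex, mode, context = m.groups()
        specs.append((lineno, regex, mode, context))
    return specs


def find_duplicates(specs):
    """Pairs of specs with the same regex whose file types can both apply.

    A spec without a type flag applies to every file type, so it collides
    with any other spec for the same regex.  Two typed specs only collide
    when the types are equal.  Returns (kind, regex, line_a, line_b) where
    kind is "same" (identical context) or "different" (conflicting context).
    """
    dups = []
    for i, (line_a, regex_a, mode_a, ctx_a) in enumerate(specs):
        for line_b, regex_b, mode_b, ctx_b in specs[i + 1:]:
            if regex_a != regex_b:
                continue
            if mode_a and mode_b and mode_a != mode_b:
                continue
            kind = "same" if ctx_a == ctx_b else "different"
            dups.append((kind, regex_a, line_a, line_b))
    return dups


def report(text):
    """One human-readable line per duplicate, in setfiles' wording."""
    return [f"Multiple {kind} specifications for {regex} (lines {a} and {b})."
            for kind, regex, a, b in find_duplicates(parse_specs(text))]


if __name__ == "__main__":
    # Pass /etc/selinux/targeted/contexts/files/file_contexts to check a live system.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILE_CONTEXTS
    for line in report(text):
        print(line)
```

Run against the sample it flags the untyped publish entry that appears twice with the same context (the "same specifications" case from this bug) and the two -d entries with conflicting contexts, while the -- and -d pair for the same regex is accepted because they apply to different file types. Because semodule regenerates file_contexts from every installed module, the fix is to remove or correct the module that re-ships the entry, which is what the thread arrives at below.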
Agreed. Raising the priority. I am working with Miroslav on fixing this issue in both SELinux policy + FreeIPA right now.
Fixed upstream:
master: 1dcbb3adfae78e6f46ff76f72d651d75850c46ab Require new selinux-policy replacing old server-selinux subpacka
ipa-3-2: be327e21ce1877b944508b4ff14101dc3c922d0c Require new selinux-policy replacing old server-selinux subpacka

FreeIPA will now require selinux-policy-3.12.1-65.fc19.noarch which adds missing bits previously present in the freeipa-server-selinux subpackage. The next version of FreeIPA will not contain this subpackage so there will be no conflict in policy.
freeipa-3.2.2-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/freeipa-3.2.2-1.fc19
Package freeipa-3.2.2-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.2-1.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13224/freeipa-3.2.2-1.fc19
then log in and leave karma (feedback).
Correction verified and karma updated.
The fix works for me, too.
freeipa-3.2.2-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.