Bug 980635 - Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 19
Hardware: x86_64 Linux
Priority: high    Severity: high
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Blocks: 984043
Reported: 2013-07-02 17:56 EDT by Dean Hunter
Modified: 2013-07-25 20:33 EDT
Fixed In Version: freeipa-3.2.2-1.fc19
Doc Type: Bug Fix
Clones: 984043
Last Closed: 2013-07-25 20:33:19 EDT
Type: Bug

Attachments: None
Description Dean Hunter 2013-07-02 17:56:19 EDT
Description of problem:

Error during yum install of freeipa-server.

I am using selinux-policy from updates-testing to resolve bug #976159.


Version-Release number of selected component (if applicable):

freeipa-server-3.2.1-1.fc19.x86_64
selinux-policy-3.12.1-57.fc19.x86_64


How reproducible: Consistent


Steps to Reproduce:

1. Build a new Fedora 19 VM
2. yum update --assumeyes
3. yum update --assumeyes --enablerepo updates-testing selinux-policy
4. yum install --assumeyes bind bind-dyndb-ldap freeipa-server


Actual results:

  Installing : freeipa-server-3.2.1-1.fc19.x86_64                       186/188 
  Installing : freeipa-server-selinux-3.2.1-1.fc19.x86_64               187/188 
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!
  Installing : bind-dyndb-ldap-3.2-1.fc19.x86_64                        188/188 
  Verifying  : freeipa-client-3.2.1-1.fc19.x86_64                         1/188 


Expected results:

  Installing : freeipa-server-3.2.1-1.fc19.x86_64                       186/188 
  Installing : freeipa-server-selinux-3.2.1-1.fc19.x86_64               187/188 
  Installing : bind-dyndb-ldap-3.2-1.fc19.x86_64                        188/188 
  Verifying  : freeipa-client-3.2.1-1.fc19.x86_64                         1/188 


Additional info:
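The error in the install log is setfiles refusing to load a file_contexts file in which the same regular expression (with the same file type) is listed twice: here the freeipa-server-selinux module and the updated base policy both ship the /var/lib/ipa/pki-ca/publish(/.*)? entry. The following checker is an added example, not code from the bug report, FreeIPA or selinux-policy; it parses the file_contexts line format (regex, optional file-type flag such as -d, security context) and reports duplicated specifications, distinguishing the case on this page (same context twice) from the more dangerous case where two entries for one path disagree on the label. The sample lines are constructed to mimic the conflict and are not the real policy contents.

```python
import re
from collections import defaultdict

# Constructed sample of file_contexts lines (not from the bug report or the
# real policy); lines 2 and 4 repeat one spec with the same context, lines 5
# and 6 repeat a spec with two different contexts.
SAMPLE_FILE_CONTEXTS = """\
/var/lib/ipa(/.*)?	system_u:object_r:var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?	system_u:object_r:pki_tomcat_cert_t:s0
/var/lib/pki-ca(/.*)?	-d	system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?	system_u:object_r:pki_tomcat_cert_t:s0
/etc/ipa(/.*)?	system_u:object_r:etc_t:s0
/etc/ipa(/.*)?	system_u:object_r:ipa_var_lib_t:s0
"""

# One entry: <regex> [<file type flag>] <context>; the flag is one of
# -- -b -c -d -l -p -s, and the context may be the literal <<none>>.
LINE_RE = re.compile(r'^(\S+)\s+(?:(-[bcdlps-])\s+)?(\S+)$')


def parse_file_contexts(text):
    """Return a list of (lineno, regex, filetype_flag, context) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable entry: {raw!r}")
        regex, flag, context = m.groups()
        entries.append((lineno, regex, flag or '', context))
    return entries


def find_duplicate_specs(text):
    """Group entries by (regex, file type) and report every group listed
    more than once. kind == 'same' means all copies carry one context
    (the situation in this bug); 'different' means the copies disagree."""
    seen = defaultdict(list)
    for lineno, regex, flag, context in parse_file_contexts(text):
        seen[(regex, flag)].append((lineno, context))
    problems = []
    for (regex, flag), occurrences in seen.items():
        if len(occurrences) < 2:
            continue
        contexts = {ctx for _, ctx in occurrences}
        problems.append({
            'regex': regex,
            'filetype': flag,
            'kind': 'same' if len(contexts) == 1 else 'different',
            'lines': [ln for ln, _ in occurrences],
            'contexts': sorted(contexts),
        })
    return problems


if __name__ == '__main__':
    for p in find_duplicate_specs(SAMPLE_FILE_CONTEXTS):
        print(f"Multiple {p['kind']} specifications for {p['regex']} "
              f"(lines {p['lines']}, contexts {p['contexts']})")
```

Run against the real file with `find_duplicate_specs(open('/etc/selinux/targeted/contexts/files/file_contexts').read())`; any 'different' result is worth treating as a labelling bug rather than a packaging nuisance, since which label wins would depend on load order.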
Comment 1 Dean Hunter 2013-07-02 17:58:10 EDT
Could this be related to #980588?
Comment 2 Rob Crittenden 2013-07-03 09:22:57 EDT
I think it is more related to 979379.

In the next release of FreeIPA we are planning on dropping our selinux sub-package. It looks like some things may have already made their way into base policy in 3.12.1-55, based on the changelog.

Adding selinux-policy maintainer as cc.
Comment 3 Miroslav Grepl 2013-07-03 09:50:30 EDT
Yes. A conflict will be needed in FreeIPA pkg.
Comment 4 Simo Sorce 2013-07-03 10:14:33 EDT
(In reply to Miroslav Grepl from comment #3)
> Yes. A conflict will be needed in FreeIPA pkg.

A conflict with what exactly ?
Comment 5 Dean Hunter 2013-07-03 11:04:55 EDT
Is there some place where I can track the status of the next release of FreeIPA?
Comment 6 Rob Crittenden 2013-07-03 11:18:22 EDT
(In reply to Dean Hunter from comment #5)
> Is there some place where I can track the status of the next release of
> FreeIPA?

You'd have to track the upstream.
Comment 7 Dean Hunter 2013-07-03 11:27:13 EDT
I found:

  https://fedorahosted.org/freeipa/roadmap

and I see that the June releases are running late.  So I will stop "bugging" y'all and just wait for the next update.
Comment 8 Dean Hunter 2013-07-07 16:43:17 EDT
The problem persists with selinux-policy-3.12.1-59.fc19.noarch.
Comment 9 Miroslav Grepl 2013-07-08 03:16:07 EDT
What is the latest release of freeipa which has this SELinux context spec?
Comment 10 Rob Crittenden 2013-07-08 09:07:59 EDT
The latest is 3.2.1. We planned on dropping the selinux subpackage in the next upstream release, 3.3 in F20 only. So I guess for now it would be best to back out the freeipa rules from the selinux policy package.
Comment 11 Dmitri Pal 2013-07-10 20:09:40 EDT
Should this bug be re-assigned to SELinux policy package?
Comment 12 Miroslav Grepl 2013-07-11 07:34:48 EDT
Basically we need to add

Conflicts: freeipa-selinux < 3.2.2

for F19.
Comment 13 Rob Crittenden 2013-07-11 09:40:19 EDT
We aren't planning on dropping the policy subpackage upstream until 3.3 which is aligned with F20.

If you add this Conflicts then this could prevent future SELinux changes from working in F-19 if there is a 3.2 minor release.
Comment 14 Miroslav Grepl 2013-07-11 10:18:39 EDT
So you are not going to drop it in F19?
Comment 15 Rob Crittenden 2013-07-11 11:34:23 EDT
No. We don't want to drop a subpackage in the middle of a Fedora release.
Comment 19 Dean Hunter 2013-07-12 15:33:12 EDT
Is there any way I can work around this problem?  How does this problem affect my use of IPA?

I understand that /var/lib/ipa/pki-ca/publish is supposed to be populated but after ipa-server-install it is empty.  And Java might be trying to write to the directory and failing with SELinux alerts:

time->Thu Jul 11 16:59:44 2013
type=SYSCALL msg=audit(1373579984.476:927): arch=c000003e syscall=2 success=no exit=-13 a0=7f842c0033b0 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=3529 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373579984.476:927): avc:  denied  { write } for  pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Thu Jul 11 17:00:00 2013
type=SYSCALL msg=audit(1373580000.224:933): arch=c000003e syscall=2 success=no exit=-13 a0=7f842c00bec0 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=3529 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64/jre/bin/java" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373580000.224:933): avc:  denied  { write } for  pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Thu Jul 11 21:00:00 2013
type=SYSCALL msg=audit(1373594400.066:1960): arch=c000003e syscall=2 success=no exit=-13 a0=7fa950022680 a1=241 a2=1b6 a3=7473614d2f687369 items=0 ppid=1 pid=4033 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="java" exe=2F7573722F6C69622F6A766D2F6A6176612D312E372E302D6F70656E6A646B2D312E372E302E32352E7838365F36342F6A72652F62696E2F6A617661202864656C6574656429 subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373594400.066:1960): avc:  denied  { write } for  pid=4033 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Fri Jul 12 01:00:00 2013
type=SYSCALL msg=audit(1373608800.072:2098): arch=c000003e syscall=88 success=no exit=-13 a0=7fffc38e8bb9 a1=7fffc38e8bf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=8694 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373608800.072:2098): avc:  denied  { create } for  pid=8694 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 05:00:00 2013
type=SYSCALL msg=audit(1373623200.057:2134): arch=c000003e syscall=88 success=no exit=-13 a0=7fff2dfe2bb9 a1=7fff2dfe2bf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=9621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373623200.057:2134): avc:  denied  { create } for  pid=9621 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 09:00:00 2013
type=SYSCALL msg=audit(1373637600.063:2170): arch=c000003e syscall=88 success=no exit=-13 a0=7fff4f9febb9 a1=7fff4f9febf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=10496 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373637600.063:2170): avc:  denied  { create } for  pid=10496 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
----
time->Fri Jul 12 13:00:00 2013
type=SYSCALL msg=audit(1373652000.057:2206): arch=c000003e syscall=88 success=no exit=-13 a0=7fff684adbb9 a1=7fff684adbf3 a2=0 a3=3386e850b0 items=0 ppid=3980 pid=11372 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ln" exe="/usr/bin/ln" subj=system_u:system_r:pki_tomcat_t:s0 key=(null)
type=AVC msg=audit(1373652000.057:2206): avc:  denied  { create } for  pid=11372 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
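The audit records above repeat two denial patterns at the CRL publishing times: java in pki_tomcat_t cannot write the publish directory, which is labelled cert_t rather than pki_tomcat_cert_t, and ln in the same domain cannot create the MasterCRL.bin.new symlink. Grouping raw AVC lines by domain, target type, class and permission is the quickest way to see that a sequence of denials is one labelling problem rather than many. The summariser below is an added example, not part of this bug report or of FreeIPA; the embedded sample lines are copied from comment 19 of this bug (the other records in the comment repeat the same two patterns).

```python
import re
from collections import defaultdict

# AVC records copied from comment 19 of this bug; the remaining records in
# that comment are repeats of these two patterns at later timestamps.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1373579984.476:927): avc:  denied  { write } for  pid=3529 comm="java" name="publish" dev="dm-1" ino=276132 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1373608800.072:2098): avc:  denied  { create } for  pid=8694 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1373623200.057:2134): avc:  denied  { create } for  pid=9621 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
"""

# "avc:  denied  { write }" or "avc:  granted  { read write }"
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict, or return None for other records."""
    if not line.startswith('type=AVC'):
        return None
    m = PERM_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields['decision'] = m.group(1)
    fields['perms'] = tuple(m.group(2).split())
    return fields


def context_type(ctx):
    """Return the type component of a user:role:type:level context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = defaultdict(int)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        key = (rec.get('comm', '?'),
               context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'],
               rec['perms'])
        counts[key] += 1
    return dict(counts)


if __name__ == '__main__':
    for (comm, stype, ttype, tclass, perms), n in summarize_denials(SAMPLE_AUDIT).items():
        print(f"{n:3d}x {comm}: {stype} -> {ttype} {tclass} {{ {' '.join(perms)} }}")
```

Feed it `ausearch -m AVC --raw` output (or /var/log/audit/audit.log directly) to get the same grouping for a live system; the two target types that come out here (cert_t versus pki_tomcat_cert_t under the same pki_tomcat_t domain) are exactly the kind of inconsistency that a relabel after the policy fix resolves.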
Comment 20 Rob Crittenden 2013-07-12 15:52:14 EDT
You might try: semodule -r ipa_dogtag

If you don't rely on CRLs then this shouldn't cause any problems.
Comment 21 Dean Hunter 2013-07-12 17:55:40 EDT
I am sorry, but what are CRLs and how would I know if I rely on them?
Comment 22 Dean Hunter 2013-07-12 18:11:33 EDT
[root@ipa19 ~]# semodule -r ipa_dogtag
libsemanage.get_module_file_by_name: Module ipa_dogtag was not found.
semodule:  Failed on ipa_dogtag!
[root@ipa19 ~]#
Comment 23 Martin Kosek 2013-07-15 07:34:49 EDT
I just returned from PTO so sorry for jumping into the middle of a conversation.

(In reply to Rob Crittenden from comment #15)
> No. We don't want to drop a subpackage in the middle of a Fedora release.

I would really like to let us consider dropping the selinux subpackage in the Fedora 19 timeframe (which is really still at the beginning of its lifetime) - it will make a lot of policy-related code easier and let us avoid maintaining the redundant selinux subpackage in F19. The upgrade should be clean, yum will automatically remove the selinux subpackage during the update process.

Originally, I did the change only in the 3.3 development version and started asking Miroslav to fix the 2 SELinux policy issues I found (Bug 979379 and Bug 976308), one of which is already fixed. Unfortunately, this mid-state caused the (benign) warning above.

I would propose to let us:

1) Fix both Bug 979379 and Bug 976308 in selinux-policy
2) Drop freeipa-server-selinux subpackage in 3.2.x release in Fedora 19 which should be done soon (if not only because of related https://fedorahosted.org/freeipa/ticket/3727).
3) We have consistent system SELinux policy + FreeIPA without custom/redundant selinux subpackage -> great!
Comment 27 Martin Kosek 2013-07-16 11:08:16 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3788
Comment 28 David Jaša 2013-07-17 04:14:54 EDT
I hit this after an upgrade on an F19 system and that in turn makes SELinux unconfigurable:

# setsebool -P httpd_can_network_connect_db 1
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
Could not change policy booleans

the prio/severity should be raised IMO.
Comment 29 Martin Kosek 2013-07-17 04:26:26 EDT
Agreed. Raising the priority.

I am working with Miroslav on fixing this issue in both SELinux policy + FreeIPA right now.
Comment 30 Martin Kosek 2013-07-17 10:26:30 EDT
Fixed upstream:

master:
1dcbb3adfae78e6f46ff76f72d651d75850c46ab Require new selinux-policy replacing old server-selinux subpacka

ipa-3-2:
be327e21ce1877b944508b4ff14101dc3c922d0c Require new selinux-policy replacing old server-selinux subpacka

FreeIPA will now require selinux-policy-3.12.1-65.fc19.noarch which adds missing bits previously present in freeipa-server-selinux subpackage. Next version of FreeIPA will not contain this subpackage so there will be no conflict in policy.
Comment 31 Fedora Update System 2013-07-17 12:48:49 EDT
freeipa-3.2.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/freeipa-3.2.2-1.fc19
Comment 32 Fedora Update System 2013-07-18 01:51:56 EDT
Package freeipa-3.2.2-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing freeipa-3.2.2-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13224/freeipa-3.2.2-1.fc19
then log in and leave karma (feedback).
Comment 33 Dean Hunter 2013-07-18 13:46:20 EDT
Correction verified and karma updated.
Comment 34 David Jaša 2013-07-19 06:35:29 EDT
The fix works for me, too.
Comment 35 Fedora Update System 2013-07-25 20:33:19 EDT
freeipa-3.2.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.