The yum installation of ipa-client does not ever install policycoreutils as a dependency, which causes ipa-client-install to fail.
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1247, in install
    ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
  File "/usr/lib/python2.6/site-packages/ipaclient/ntpconf.py", line 114, in config_ntp
    ipaservices.restore_context(path_step_tickers)
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 134, in restore_context
    ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 248, in run
    close_fds=True, env=env)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
We should probably just make restorecon execution optional in ipa-client.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=790513
We should check to see if SELinux is enabled by running /usr/sbin/selinuxenabled (if the binary exists) before running restorecon.
attachment freeipa-rcrit-962-selinux.patch
master: e9ed7f7
ipa-2-2: 61f7a66
Without policycoreutils sshd restart fails during uninstallation:
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1514, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 400, in uninstall
    ipaservices.knownservices.sshd.restart()
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 47, in restart
    ipautil.run(["/sbin/service", self.service_name, "restart", instance_name], capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 291, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/sbin/service sshd restart ' returned non-zero exit status 1
It was also reported that during install getent passwd admin fails but that may be a red herring.
JR, to get the openssh guys to look into possibly correcting their package as well to work without policycoreutils installed I need to gather some additional information.
What is the SELinux context of sshd_config? Can you see if the file has been changed (rpm -V openssh-server)?
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=790513 (Red Hat Enterprise Linux 6)
I think we need to:
- warn when restorecon is not found and selinux is enabled
- don't consider failing to start sshd as fatal
The getent passwd admin not found was not a red herring, it is caused by this:
getent passwd admin
type=AVC msg=audit(1337290408.174:15432): avc: denied { read } for pid=15428 comm="sssd_be" name="krb5.keytab" dev=dm-1 ino=137005 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
sssd is running but not usable.
attachment freeipa-rcrit-1019-selinux.patch
master: 9e87758
Rename component.
Metadata Update from @jraquino: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 3.0 Beta 1
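A sketch of the check proposed in the comments above (probe selinuxenabled if it exists, then run restorecon, and warn when SELinux is enabled but restorecon is missing). This is an added example, not the attached FreeIPA patches; the function names, return strings and the injectable `run` parameter are assumptions made for illustration.

```python
import logging
import os
import subprocess

log = logging.getLogger("selinux_relabel_example")

# Paths as they appear in the ticket; the parameter names are illustrative.
SELINUXENABLED = "/usr/sbin/selinuxenabled"
RESTORECON = "/sbin/restorecon"


def selinux_enabled(selinuxenabled=SELINUXENABLED, run=subprocess.call):
    """True only if the selinuxenabled binary exists and exits 0."""
    if not os.path.exists(selinuxenabled):
        return False  # binary absent: treat SELinux as not in use
    try:
        return run([selinuxenabled]) == 0
    except OSError:
        return False


def restore_context(filepath, restorecon=RESTORECON,
                    selinuxenabled=SELINUXENABLED, run=subprocess.call):
    """Relabel filepath when possible; never raise if a tool is missing.

    Returns "skipped" (SELinux off), "missing" (SELinux on, no restorecon),
    "relabeled" or "failed". `run` is injectable so callers can test it.
    """
    if not selinux_enabled(selinuxenabled, run):
        return "skipped"
    if not os.path.exists(restorecon):
        # Do not skip silently: a file left with the wrong label can produce
        # AVC denials like the krb5.keytab one quoted in this ticket.
        log.warning("SELinux is enabled but %s is missing; %s was not "
                    "relabeled", restorecon, filepath)
        return "missing"
    try:
        rc = run([restorecon, filepath])
    except OSError as exc:
        log.warning("could not execute %s: %s", restorecon, exc)
        return "failed"
    if rc != 0:
        log.warning("%s %s exited with status %d", restorecon, filepath, rc)
        return "failed"
    return "relabeled"
```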