#2368 ipa-client should not require SELinux be enabled.
Closed: Fixed None Opened 10 years ago by jraquino.

The yum installation of ipa-client does not ever install policycoreutils as a dependency, which causes ipa-client-install to fail.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1247, in install
    ipaclient.ntpconf.config_ntp(ntp_server, fstore, statestore)
  File "/usr/lib/python2.6/site-packages/ipaclient/ntpconf.py", line 114, in config_ntp
    ipaservices.restore_context(path_step_tickers)
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 134, in restore_context
    ipautil.run(["/sbin/restorecon", filepath], raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 248, in run
    close_fds=True, env=env)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1228, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory


We should probably just make restorecon execution optional in ipa-client.

We should check to see if SELinux is enabled by running /usr/sbin/selinuxenabled (if the binary exists) before running restorecon.

Without policycoreutils sshd restart fails during uninstallation:

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1534, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1514, in main
    return uninstall(options, env)
  File "/usr/sbin/ipa-client-install", line 400, in uninstall
    ipaservices.knownservices.sshd.restart()
  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 47, in restart
    ipautil.run(["/sbin/service", self.service_name, "restart", instance_name], capture_output=capture_output)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 291, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/sbin/service sshd restart ' returned non-zero exit status 1

It was also reported that during install getent passwd admin fails but that may be a red herring.

JR, to get the openssh guys to look into possibly correcting their package as well to work without policycoreutils installed, I need to gather some additional information.

What is the SELinux context of sshd_config? Can you see if the file has been changed (rpm -V openssh-server)?

I think we need to:

- warn when restorecon is not found and SELinux is enabled
- don't consider failing to start sshd as fatal

The getent passwd admin not found was not a red herring, it is caused by this:

type=AVC msg=audit(1337290408.174:15432): avc: denied { read } for pid=15428 comm="sssd_be" name="krb5.keytab" dev=dm-1 ino=137005 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

sssd is running but not usable.

Metadata Update from @jraquino:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 1

5 years ago
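
One way to implement the checks proposed in this ticket, as an added example (not FreeIPA's actual fix): restorecon runs only when selinuxenabled exists and reports SELinux as enabled, and a missing restorecon produces a warning instead of the OSError seen in the first traceback. The function names mirror the traceback; the return strings, the logger name and the overridable path parameters are assumptions.

```python
import logging
import os
import subprocess

log = logging.getLogger("ipaclient-example")  # hypothetical logger name

# Paths as they appear in the ticket; overridable so the logic can be tested.
SELINUXENABLED = "/usr/sbin/selinuxenabled"
RESTORECON = "/sbin/restorecon"


def selinux_enabled(selinuxenabled=SELINUXENABLED):
    """Return True only if selinuxenabled exists and exits with status 0."""
    if not os.access(selinuxenabled, os.X_OK):
        return False  # binary absent: skip, as the ticket proposes
    try:
        return subprocess.call([selinuxenabled]) == 0
    except OSError:
        return False


def restore_context(filepath, restorecon=RESTORECON,
                    selinuxenabled=SELINUXENABLED):
    """Relabel filepath when possible; never raise for a missing tool.

    Returns "skipped" (SELinux not enabled), "missing" (SELinux enabled but
    restorecon absent), "failed" (restorecon did not succeed) or "restored".
    """
    if not selinux_enabled(selinuxenabled):
        return "skipped"
    if not os.access(restorecon, os.X_OK):
        log.warning("SELinux is enabled but %s was not found; %s may keep "
                    "a wrong context", restorecon, filepath)
        return "missing"
    try:
        # The OSError in the first traceback came from exec itself, which a
        # flag that only ignores non-zero exit codes does not cover.
        rc = subprocess.call([restorecon, filepath])
    except OSError as exc:
        log.warning("could not run %s: %s", restorecon, exc)
        return "failed"
    if rc != 0:
        log.warning("%s %s exited with status %d", restorecon, filepath, rc)
        return "failed"
    return "restored"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Only reports state; does not relabel anything on the host.
    print("SELinux enabled:", selinux_enabled())
```

The "missing" result is the case behind the AVC denial quoted above: SELinux is enforcing policy but a file was left with a context the confined service cannot read.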
