I upgraded from f17 to f18 and now pki-cad fails to start.
In messages I see this:
Feb 6 17:43:08 ipa1 pkicontrol[1819]: /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied
Feb 6 17:43:08 ipa1 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=126
Feb 6 17:43:08 ipa1 systemd[1]: Failed to start PKI Certificate Authority Server pki-ca.
Feb 6 17:43:08 ipa1 systemd[1]: Unit pki-cad@pki-ca.service entered failed state
and in audit.log I get this AVC:
type=AVC msg=audit(1360190588.139:374): avc: denied { transition } for pid=1912 comm="runcon" path="/usr/sbin/tomcat6-sysd" dev="vda3" ino=171183 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:pki_tomcat_script_t:s0 tclass=process
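Added example (not code from the ticket or from FreeIPA): a small Python parser that picks out domain-transition denials like the AVC above from an audit log, so a service failing with "Permission denied" at the runcon step can be tied to its SELinux cause. The sample log embeds the ticket's own AVC line plus two constructed records for contrast.

```python
import re

# Constructed sample: the first line is the AVC quoted in the ticket, the other two are
# made up here (one non-AVC record, one ordinary file-read denial) to show filtering.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1360190588.139:374): avc: denied { transition } for pid=1912 comm="runcon" path="/usr/sbin/tomcat6-sysd" dev="vda3" ino=171183 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:pki_tomcat_script_t:s0 tclass=process
type=SYSCALL msg=audit(1360190588.139:374): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1360190600.000:380): avc: denied { read } for pid=2001 comm="httpd" name="index.html" dev="vda3" ino=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, result, the permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # The domain is the type component (third colon-separated field) of each context.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def find_blocked_transitions(log_text):
    """Return AVC records where a process was denied a domain transition
    (tclass=process with 'transition' in the permission set). A denial like this
    is what makes runcon fail with 'Permission denied' and exit status 126."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied"
                and rec.get("tclass") == "process" and "transition" in rec["perms"]):
            hits.append(rec)
    return hits
```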
What versions of pki-core did you go from and to?
What version of IPA did you upgrade from and to?
Uhmm turned out I had an unspecified version of freeipa I had compiled myself on this machine. It was certainly post 3.0 and called '3.0.2'. It has been upgraded to the stock 3.1.2-1.fc18 version available in the distro.
Excerpts from yum history of the upgrade:
Obsoleting pki-base-10.0.1-1.fc18.noarch
Updated pki-ca-9.0.21-1.fc17.noarch
    Update 10.0.1-1.fc18.noarch
Obsoleted pki-common-9.0.21-1.fc17.noarch
Obsoleted pki-java-tools-9.0.21-1.fc17.noarch
Obsoleted pki-native-tools-9.0.21-1.fc17.x86_64
Obsoleted pki-selinux-9.0.21-1.fc17.noarch
Obsoleting pki-server-10.0.1-1.fc18.noarch
Obsoleted pki-setup-9.0.21-1.fc17.noarch
Obsoleted pki-silent-9.0.21-1.fc17.noarch
Updated pki-symkey-9.0.21-1.fc17.x86_64
    Update 10.0.1-1.fc18.x86_64
Obsoleting pki-tools-10.0.1-1.fc18.x86_64
Obsoleted pki-util-9.0.21-1.fc17.noarch
Updated selinux-policy-3.10.0-166.fc17.noarch
    Update 3.11.1-73.fc18.noarch
Updated selinux-policy-devel-3.10.0-146.fc17.noarch
    Update 3.11.1-73.fc18.noarch
Dep-Install selinux-policy-doc-3.11.1-73.fc18.noarch
Updated selinux-policy-targeted-3.10.0-166.fc17.noarch
    Update 3.11.1-73.fc18.noarch
Also saw these errors, that I did not notice at the time I upgraded:
Analyzing symlinks in PKI-CA install
Checking tomcatjss.jar ... Ok
Checking apache-commons-logging.jar ... Ok
Checking apache-commons-codec.jar ... Ok
Checking jss4.jar ... Ok
Checking pki-tomcat.jar ... Ok
Found IPA server for domain TRUST.SSIMO.ORG
Make sure PKI-CA has Extended Key Usage OIDs for the certificates (Server and Client Authentication) ... ok
Converting services setup to systemd
Upgrade /etc/sysconfig/dirsrv
Upgrade /etc/sysconfig/krb5kdc
Re-enable Directory server instances PKI-IPA and TRUST-SSIMO-ORG
Re-enable IPA service
Finished.
Cannot connect to LDAP to add DNS records: cannot connect to u'ldapi://%2fvar%2frun%2fslapd-TRUST-SSIMO-ORG.socket': LDAP Server Down
Failed to restart pki-cad: Command '/bin/systemctl restart pki-cad@pki-ca.service' returned non-zero exit status 1
libsepol.print_missing_requirements: matahari's global requirements were not met: bool init_systemd (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
simo confirmed that the ipa_dogtag SELinux module is loaded with semodule -l
Ade thinks this is a bug in selinux-policy
Simo, can you file a bug in F-18 against selinux-policy re-iterating the above?
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=911145 (Fedora)
This is marked as fixed upstream, in selinux-policy.
We should set our minimum policy to whatever release this ends up in.
Just tested again with latest selinux and it has been fixed in F18. We may want to set the minimum policy to selinux-policy-3.11.1-81.fc18 in the fedora spec file.
Patch freeipa-mkosek-397-bump-selinux-policy-requires.patch sent for review
master: a8a77bf
ipa-3-1: ca71d2e
Metadata Update from @simo:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/03