I'm seeing certmonger errors while installing the latest IPA master as of today (GIT7c9fa8f) on an up-to-date F-20 machine.
The relevant error from server install log seems to be:
2014-03-14T12:59:11Z ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
2014-03-14T12:59:11Z DEBUG Starting external process
The packages are:
rpm -q freeipa-server certmonger
freeipa-server-3.3.90GIT7c9fa8f-0.fc20.x86_64
certmonger-0.73-0.20140312T2143Zgit9f8d271.fc20.x86_64
I'll attach the whole server log.
Jan please check this one, you recently touched these scripts in scope of #4093.
The scripts couldn't possibly cause this, they are not run on start-tracking.
The log Jakub provided says:
2014-03-14T12:59:11Z DEBUG Starting external process
2014-03-14T12:59:11Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX
2014-03-14T12:59:11Z DEBUG Process finished, return code=1
2014-03-14T12:59:11Z DEBUG stdout=The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.
2014-03-14T12:59:11Z DEBUG stderr=
The permission error is caused by:
type=AVC msg=audit(1395004717.905:148): avc: denied { read } for pid=22956 comm="certmonger" name="alias" dev="dm-0" ino=5567 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir
We need to clone this ticket for SELinux guys.
I did a quick test before creating the Bugzilla and found out that this error reproduces only with certmonger from git and not with certmonger in repos (i.e. certmonger-0.73-0.20140313T2037Zgitf1b680b.fc20 vs. certmonger-0:0.70-1.fc20).
Adding Nalin to CC for his information. Apparently certmonger's behavior changed between these 2 behaviors. Honza, Nalin - is this change expected?
If yes, Honza please file the selinux-policy Bugzilla.
Part of the work for bugzilla #996581 involved adding a call to access(R_OK | W_OK) to check if the directory in which an NSS database resides is writable before agreeing to use it. That seemed pretty reasonable to me, but I could be talked into reverting it. In permissive mode, that's the only denial I hit with the new version, so adding that access to the policy should also allow things to work again.
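To make the failure above easy to recognise on other hosts, here is an added example (not code from the ticket, certmonger or FreeIPA) that parses audit AVC lines and flags denials of the kind certmonger's new access(R_OK | W_OK) check on the NSS database directory produces: source type certmonger_t, target class dir, permission read or write. The sample line is the one quoted earlier in this ticket; field and function names are my own.

```python
import re

# Sample AVC record, copied from the ticket above (audit.log format).
AVC_LINE = ('type=AVC msg=audit(1395004717.905:148): avc: denied { read } for pid=22956 '
            'comm="certmonger" name="alias" dev="dm-0" ino=5567 '
            'scontext=system_u:system_r:certmonger_t:s0 '
            'tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir')

# "avc: denied { perm perm } for key=value key="value" ..."
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with the denied 'perms' and the key=value fields, or None if not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in _FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # The SELinux type (third component of user:role:type:level) is what policy rules key on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def is_certmonger_nssdb_denial(rec):
    """True when certmonger_t was refused read/write on a directory, i.e. the NSS DB access() check."""
    return (rec is not None
            and rec.get('scontext_type') == 'certmonger_t'
            and rec.get('tclass') == 'dir'
            and bool({'read', 'write'} & set(rec['perms'])))


def find_certmonger_denials(lines):
    """Scan audit log lines; return (target type, denied perms) for each matching denial."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_certmonger_nssdb_denial(rec):
            hits.append((rec['tcontext_type'], rec['perms']))
    return hits
```

A hit whose target type is pki_tomcat_cert_t is exactly the denial this ticket describes; on a fixed selinux-policy the scan over /var/log/audit/audit.log should return an empty list.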
I personally am all for keeping the error message clean, even in spite of one more SELinux rule. Honza, please file a bugzilla for SELinux and add the link in this ticket.
https://bugzilla.redhat.com/show_bug.cgi?id=1078783
This issue should be fixed in selinux-policy-3.12.1-153.fc20 which was pushed to stable updates repo.
I just reproduced this issue with selinux-policy-3.12.1-158.fc20.noarch, reopening.
I did not see any AVCs with selinux-policy-3.12.1-181.fc20.noarch, selinux-policy Bugzilla was fixed.
This ticket can be therefore closed.
Metadata Update from @jhrozek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 3.3.6 (bug fixing)