ipa-upgradeconfig runs kdestroy -A as the apache user. However, it was found that this may cause SELinux AVCs:

```
time->Mon Nov 17 14:37:32 2014
type=SYSCALL msg=audit(1416253052.306:727): arch=c000003e syscall=250 success=yes exit=11 a0=b a1=1fdc4acb a2=7f1f9d16bfc0 a3=b items=0 ppid=28546 pid=28551 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1416253052.306:727): avc: denied { read } for pid=28551 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=key
```
The problem is that kdestroy -A destroys the Apache keyring CCache, which is then re-created with the rpm_script_t context. This call was introduced for upgrades from FreeIPA 2.2, from which upgrading is no longer supported.
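To spot this class of failure in an audit log, here is an added example (not part of the ticket or of FreeIPA) that parses the AVC record above and flags denials on kernel keys where the process domain and the key's label differ, which is exactly what a credential cache keyring re-created under another context looks like:

```python
import re
from typing import Dict, List, Optional

# Audit records from the ticket above, embedded as sample input for the parser.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1416253052.306:727): arch=c000003e syscall=250 success=yes exit=11 a0=b a1=1fdc4acb a2=7f1f9d16bfc0 a3=b items=0 ppid=28546 pid=28551 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1416253052.306:727): avc: denied { read } for pid=28551 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=key
"""

# key=value tokens; values are either quoted ("httpd") or bare (system_u:...:s0-s0:c0.c1023).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set is not key=value but "avc: denied { read write } for ...".
_PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one type=AVC record into a dict; return None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = _PERM_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type, e.g. httpd_t or rpm_script_t."""
    return context.split(":")[2]


def find_keyring_label_mismatches(log: str) -> List[Dict[str, object]]:
    """Return AVC denials on tclass=key where the key's type differs from the caller's domain."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("tclass") != "key":
            continue
        src, tgt = selinux_type(str(rec["scontext"])), selinux_type(str(rec["tcontext"]))
        if src != tgt:  # same-domain denials are a policy gap, not a relabelled keyring
            rec["source_type"], rec["target_type"] = src, tgt
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_keyring_label_mismatches(SAMPLE_AUDIT):
        print(f"pid={hit['pid']} comm={hit['comm']}: {hit['source_type']} denied "
              f"{','.join(hit['perms'])} on a key labelled {hit['target_type']}")
```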
Simo, please send a proper patch to freeipa-devel, I will ack it - it is already known to work, I tested it as well.
Moving to 4.0.x as the problem is exhibited there as well.
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @mkosek: - Issue assigned to simo - Issue set to the milestone: FreeIPA 4.0.6