#5757 incorrect SELinux label of second replica's /var/log/ipareplica-conncheck.log
Closed: Fixed None Opened 8 years ago by pvoborni.

  1. install master with domain 'test.domain.test'
  2. install replica 1 with --domain test.domain.test
  3. install replica 2 with --domain test.domain.test

Conncheck from remote replica 1 to replica 2 during step 3 fails.

Culprit and fix (on replica 1):

$ ls -Z /var/log/ipareplica-conncheck.log
unconfined_u:object_r:var_log_t:s0 /var/log/ipareplica-conncheck.log
# restorecon /var/log/ipareplica-conncheck.log
$ ls -Z /var/log/ipareplica-conncheck.log 
system_u:object_r:ipa_log_t:s0 /var/log/ipareplica-conncheck.log

$ rpm -q selinux-policy
selinux-policy-3.13.1-158.11.fc23.noarch

The reason why the log has an invalid label needs to be checked.


Reproducibility: not sure if it always happens, I've seen it at least twice. But I don't usually install 3 replicas.

I've reproduced it again with today's master. Moving to needs triage to raise priority.

The issue is that ipa-replica-conncheck creates the log file with unconfined_u:object_r:var_log_t:s0

Reproduction steps on an already installed server:

# rm /var/log/ipareplica-conncheck.log
# ipa-replica-conncheck --realm EXAMPLE.TEST --hostname ipa4.example.test --master ipa1.example.test --auto-master-check --ca-cert-file /etc/ipa/ca.crt -p admin
# ls -lZ /var/log/ipareplica-conncheck.log

If any other replica tries to install against this master then API-started conncheck on this replica will fail.

More details:

master:
system_u:object_r:ipa_log_t:s0 /var/log/ipareplica-conncheck.log  (run by oddjob)

replica1 before replica2:
unconfined_u:object_r:var_log_t:s0 /var/log/ipareplica-conncheck.log  (run by ipa-replica-install)

replica2:
unconfined_u:object_r:ipa_log_t:s0 /var/log/ipareplica-conncheck.log (run by ipa-replica-install)
conncheck failed

replica1:
$ rm /var/log/ipareplica-conncheck.log
system_u:object_r:ipa_log_t:s0 /var/log/ipareplica-conncheck.log  (run by oddjob)

ipa-replica-conncheck logs into the same log file from the oddjob process and from the installer, which create the file under different contexts.
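A small check for the mislabeling described in this ticket, added here as an example (it is not part of the ticket or of FreeIPA). It parses lines in the `ls -Z` format shown above (label first, then path), flags any file whose SELinux type is not the expected `ipa_log_t`, and, where the SELinux tools exist, compares the live label of a path against what the loaded policy says via `matchpathcon` and points at the `restorecon` fix used above. The sample lines are constructed to mirror the ticket's observations; the function names and the `SELINUX_CHECK_DEMO` variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the ticket: detect SELinux type mismatches on log files.

# selinux_type LABEL -> prints the type field (user:role:type:level, third field)
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_ok LABEL EXPECTED_TYPE -> exit 0 when the label's type matches
label_ok() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# check_line "LABEL PATH" EXPECTED_TYPE
# Prints "ok PATH" (exit 0) or "mislabeled PATH (TYPE, expected EXPECTED)" (exit 1).
check_line() {
    label=${1%% *}
    path=${1#* }
    if label_ok "$label" "$2"; then
        printf 'ok %s\n' "$path"
        return 0
    fi
    printf 'mislabeled %s (%s, expected %s)\n' "$path" "$(selinux_type "$label")" "$2"
    return 1
}

# Constructed sample input in `ls -Z` format: the oddjob-created file (correct)
# and the installer-created file (wrong type, as seen on replica 1).
SAMPLE='system_u:object_r:ipa_log_t:s0 /var/log/ipareplica-conncheck.log
unconfined_u:object_r:var_log_t:s0 /var/log/ipareplica-conncheck.log'

# audit_samples -> checks every sample line; returns the number of mislabeled files
audit_samples() {
    bad=0
    while IFS= read -r line; do
        check_line "$line" ipa_log_t || bad=$((bad + 1))
    done <<EOF
$SAMPLE
EOF
    return "$bad"
}

# check_live PATH -> compares the file's current type with the policy's expected
# type; only meaningful on a host with SELinux tooling (skipped elsewhere).
check_live() {
    f=$1
    if ! command -v matchpathcon >/dev/null 2>&1 || [ ! -e "$f" ]; then
        echo "skipping live check for $f (no matchpathcon or file missing)"
        return 2
    fi
    expected=$(matchpathcon -n "$f" | cut -d: -f3)   # -n: print context only
    actual=$(ls -Z "$f" | awk '{print $1}' | cut -d: -f3)
    if [ "$actual" = "$expected" ]; then
        echo "ok $f ($actual)"
        return 0
    fi
    echo "mislabeled $f ($actual, expected $expected); fix: restorecon -v $f"
    return 1
}

# Demo over the constructed samples; the exit status is deliberately ignored
# so the script can be sourced. Set SELINUX_CHECK_DEMO=1 to also run a live check.
audit_samples || :
[ -n "${SELINUX_CHECK_DEMO:-}" ] && check_live /var/log/ipareplica-conncheck.log || :
```

The type mismatch is exactly what `restorecon -nv /var/log/ipareplica-conncheck.log` would report on the affected replica, and the resulting write failure of the confined, oddjob-started conncheck shows up as an AVC denial in the audit log (`ausearch -m AVC`), which is the quickest way to confirm this root cause before relabeling.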

The easiest solution would be to add timestamps to logs, or to log to different files from oddjob and from the installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log).

Oddjob will not log; we don't care about logging on the remote side, because all errors are passed back to the replica.

master:

  • 4ce0258 Add option --no-log for ipa-replica-conncheck script
  • 08fcc7e Do not log to file in remote conncheck side

Metadata Update from @pvoborni:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4

7 years ago
