Issue #7150: Ipa-server-install update dse.ldif with wrong SELinux context - freeipa

freeipa

#7150 Ipa-server-install update dse.ldif with wrong SELinux context

Closed: fixed 6 years ago Opened 6 years ago by stlaz.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1490762

Description of problem:
Installation fails in enforcing mode because ipa-server-install update dse.ldif
but with wrong SElinux context

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server
freeipa-server-4.6.0-2.fc27.x86_64

How reproducible:
Deteministic

Steps to Reproduce:
1. dnf install -y freeipa-server
2. /usr/sbin/ipa-server-install --hostname=ipa-lovely-name.testrelm.test -r
TESTRELM.TEST -n testrelm.test -p Secret123 -a Secret123 -U


Actual results:
  [5/45]: updating configuration in dse.ldif
  [6/45]: starting directory server
  [error] CalledProcessError: Command '/bin/systemctl start
dirsrv@TESTRELM-TEST.service' returned non-zero exit status 1.
ipapython.admintool: ERROR    Command '/bin/systemctl start
dirsrv@TESTRELM-TEST.service' returned non-zero exit status 1.
ipapython.admintool: ERROR    The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information

Expected results:
Installation pass without any other problems

Additional info:

sh# ausearch -m avc -ts recent -i
----
type=AVC msg=audit(09/12/2017 03:58:23.484:320) : avc:  denied  { link } for
pid=15563 comm=ns-slapd name=dse.ldif dev="dm-0" ino=25973397
scontext=system_u:system_r:dirsrv_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

sh# find /etc/ -inum 25973397
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12
03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif

sh# matchpathcon /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
/etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
system_u:object_r:dirsrv_config_t:s0

Metadata Update from @stlaz:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1490762

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.6.1

6 years ago

stlaz commented 6 years ago

master:

473ddbd dsinstance: Restore context after changing dse.ldif

stlaz commented 6 years ago

ipa-4-6:

715e786 dsinstance: Restore context after changing dse.ldif

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

critical

Milestone

FreeIPA 4.6.1

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=1490762

tester

None

changelog

None

design

None

freeipa

Source Code

#7150 Ipa-server-install update dse.ldif with wrong SELinux context Closed: fixed 6 years ago Opened 6 years ago by stlaz.

Metadata

#7150 Ipa-server-install update dse.ldif with wrong SELinux context

Closed: fixed 6 years ago Opened 6 years ago by stlaz.