#7353 Fedora 28: Bad NSSDB permissions/owner/context
Closed: worksforme 5 years ago by rcritten. Opened 6 years ago by cheimes.

Issue

Installation on rawhide is failing because permissions, ownership and SELinux contexts are incorrect. The issue is related to the recent migration of NSS from DBM to SQL databases.

Steps to Reproduce

  1. install latest ipa-4-6 RPMs
  2. install certmonger from https://koji.fedoraproject.org/koji/taskinfo?taskID=24112735
  3. ipa-server-install

Actual behavior

  [18/28]: configure certificate renewals
  [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.
ipapython.admintool: ERROR    org.fedorahosted.certmonger.bad_arg: The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

With SELinux in permissive mode, it fails a bit later.

Expected behavior

installation successful

Version/Release/Distribution

  • freeipa-server-4.6.2.dev201801080853+git1dc74f0e9-0.fc28.x86_64
  • freeipa-client-4.6.2.dev201801080853+git1dc74f0e9-0.fc28.x86_64
  • 389-ds-base-1.4.0.3-1.fc28.1.x86_64
  • pki-ca-10.5.3-1.fc28.noarch
  • krb5-server-1.16-2.x86_64

Additional info:

/etc/dirsrv/slapd-IPA-EXAMPLE/:
total 652
drwxr-x---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0   4096 Jan 10 10:13 .
drwxrwxr-x. 6 root   dirsrv system_u:object_r:dirsrv_config_t:s0        109 Jan 10 10:11 ..
-rw-r-----. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0  28672 Jan 10 10:13 cert9.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  28672 Jan 10 10:11 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0   1730 Jan 10 10:11 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     151178 Jan 10 10:13 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     151178 Jan 10 10:13 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0     151178 Jan 10 10:13 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  35501 Jan 10 10:11 dse_original.ldif
-rw-r-----. 1 dirsrv root   unconfined_u:object_r:dirsrv_config_t:s0  36864 Jan 10 10:13 key4.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  28672 Jan 10 10:11 key4.db.orig
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0     67 Jan 10 10:13 pin.txt
-rw-r-----. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0        558 Jan 10 10:13 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0    553 Jan 10 10:11 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0     41 Jan 10 10:13 pwdfile.txt
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0     41 Jan 10 10:13 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0   4096 Jan 10 10:13 schema
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0  15142 Jan 10 10:11 slapd-collations.conf

/etc/httpd/alias/:
total 176
drwxr-x---. 2 root apache system_u:object_r:cert_t:s0           209 Jan 10 10:14 .
drwxr-xr-x. 6 root root   system_u:object_r:httpd_config_t:s0   105 Jan  7 14:31 ..
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0     28672 Jan 10 10:14 cert9.db
-rw-r-----. 1 root apache system_u:object_r:cert_t:s0         36864 Jan  7 14:31 cert9.db.ipasave
-rw-------. 1 root root   system_u:object_r:cert_t:s0          5346 Jan  7 14:31 install.log
-rw-------. 1 root root   system_u:object_r:ipa_cert_t:s0        32 Jan 10 10:14 ipasession.key
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0     36864 Jan 10 10:14 key4.db
-rw-r-----. 1 root apache system_u:object_r:cert_t:s0         53248 Jan  7 14:31 key4.db.ipasave
lrwxrwxrwx. 1 root root   system_u:object_r:cert_t:s0            33 Oct 20 08:13 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-r-----. 1 root root   unconfined_u:object_r:cert_t:s0       623 Jan 10 10:14 pkcs11.txt
-rw-------. 1 root root   system_u:object_r:cert_t:s0           498 Jan  7 14:31 pkcs11.txt.ipasave
-rw-------. 1 root apache unconfined_u:object_r:cert_t:s0        41 Jan 10 10:14 pwdfile.txt

/etc/pki/pki-tomcat/alias/:
total 192
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0     104 Jan 10 10:13 .
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_etc_rw_t:s0  4096 Jan 10 10:13 ..
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   65536 Jan 10 10:13 cert8.db
-rw-------. 1 root    root    system_u:object_r:pki_tomcat_cert_t:s0       40960 Jan 10 10:13 cert9.db
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   24576 Jan 10 10:13 key3.db
-rw-------. 1 root    root    system_u:object_r:pki_tomcat_cert_t:s0       61440 Jan 10 10:13 key4.db
-r--------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0      42 Jan 10 10:12 pwdfile.txt
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   16384 Jan 10 10:11 secmod.db

SELinux policies look fine to me:

# semanage fcontext -l | grep /etc/dirsrv
/etc/dirsrv(/.*)?                                  all files          system_u:object_r:dirsrv_config_t:s0 
/etc/dirsrv/admin-serv(/.*)?                       all files          system_u:object_r:dirsrvadmin_config_t:s0 
/etc/dirsrv/dsgw(/.*)?                             all files          system_u:object_r:dirsrvadmin_config_t:s0 
# semanage fcontext -l | grep /etc/pki/pki-tomcat/alias
/etc/pki/pki-tomcat/alias(/.*)?                    all files          system_u:object_r:pki_tomcat_cert_t:s0 
# semanage fcontext -l | grep /etc/httpd/alias
/etc/httpd/alias(/.*)?                             all files          system_u:object_r:cert_t:s0 
/etc/httpd/alias/ipasession.key                    regular file       system_u:object_r:ipa_cert_t:s0 

I'll open separate tickets for 389-DS and Dogtag.
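As an added check that is not FreeIPA's, certmonger's or Dogtag's own code, the script below parses `ls -laZ` output of the kind pasted above and reports NSS database files that the service account cannot read under plain DAC, or that carry a different SELinux type than the `semanage fcontext` rules say they should. The embedded listings are constructed from the ticket's /etc/pki/pki-tomcat/alias and /etc/httpd/alias output; the service accounts and expected types (pkiuser with pki_tomcat_cert_t, apache with cert_t) are assumptions taken from those listings and the fcontext output, and `scan_directory` is a hypothetical helper for running the same check against a live directory.

```python
"""Audit an NSS database directory for owner/permission/SELinux-type problems.
Added example, not FreeIPA or certmonger code: parses `ls -laZ` output (or
scans a live directory) and reports NSS DB files the service account cannot
read under DAC, or whose SELinux type is not the expected one."""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

# DBM-format (cert8/key3/secmod) and SQL-format (cert9/key4/pkcs11.txt) NSS
# database files, plus the PIN file FreeIPA/Dogtag keep next to them.
NSSDB_FILES = {"cert8.db", "key3.db", "secmod.db",
               "cert9.db", "key4.db", "pkcs11.txt", "pwdfile.txt"}

# Constructed from the ticket's /etc/pki/pki-tomcat/alias listing.
PKI_TOMCAT_LISTING = """\
total 192
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0     104 Jan 10 10:13 .
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   65536 Jan 10 10:13 cert8.db
-rw-------. 1 root    root    system_u:object_r:pki_tomcat_cert_t:s0       40960 Jan 10 10:13 cert9.db
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   24576 Jan 10 10:13 key3.db
-rw-------. 1 root    root    system_u:object_r:pki_tomcat_cert_t:s0       61440 Jan 10 10:13 key4.db
-r--------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0      42 Jan 10 10:12 pwdfile.txt
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0   16384 Jan 10 10:11 secmod.db
"""
# Constructed from part of the ticket's /etc/httpd/alias listing (the symlink
# line shows that "name -> target" is handled).
HTTPD_LISTING = """\
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0     28672 Jan 10 10:14 cert9.db
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0     36864 Jan 10 10:14 key4.db
lrwxrwxrwx. 1 root root   system_u:object_r:cert_t:s0            33 Oct 20 08:13 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-r-----. 1 root root   unconfined_u:object_r:cert_t:s0       623 Jan 10 10:14 pkcs11.txt
-rw-------. 1 root apache unconfined_u:object_r:cert_t:s0        41 Jan 10 10:14 pwdfile.txt
"""


@dataclass
class Entry:
    mode: str    # ls -l form, e.g. "-rw-r-----" (first char is the file type)
    owner: str
    group: str
    setype: str  # SELinux type field only, e.g. "pki_tomcat_cert_t"
    name: str


def parse_ls_laz(text: str) -> List[Entry]:
    """Parse `ls -laZ` lines: mode links owner group context size mon day time name."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 10:                     # "total N" and blank lines
            continue
        mode, _, owner, group, ctx, _, _, _, _, name = parts
        name = name.split(" -> ")[0]            # drop a symlink target
        if name in (".", ".."):
            continue
        fields = ctx.split(":")
        setype = fields[2] if len(fields) >= 3 else ctx
        entries.append(Entry(mode.rstrip(".+"), owner, group, setype, name))
    return entries


def scan_directory(path: str) -> List[Entry]:
    """Hypothetical live-system helper: same Entry list from a real directory
    via lstat(2) and the security.selinux xattr (Linux only)."""
    import grp, pwd
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        st = os.lstat(full)
        try:
            ctx = os.getxattr(full, "security.selinux", follow_symlinks=False)
            setype = ctx.decode().rstrip("\0").split(":")[2]
        except (OSError, IndexError):           # unlabeled filesystem
            setype = "?"
        entries.append(Entry(stat.filemode(st.st_mode), pwd.getpwuid(st.st_uid).pw_name,
                             grp.getgrgid(st.st_gid).gr_name, setype, name))
    return entries


def readable_by(e: Entry, user: str, groups: Iterable[str]) -> bool:
    """Plain DAC read check: owner class, else group class, else other."""
    if e.owner == user:
        return e.mode[1] == "r"
    if e.group in set(groups):
        return e.mode[4] == "r"
    return e.mode[7] == "r"


def audit(entries: Iterable[Entry], user: str, groups: Iterable[str],
          expected_type: str) -> List[str]:
    """One finding per NSS DB file the service account cannot read or whose
    SELinux type is wrong.  Only the type is compared: the user field
    (unconfined_u vs system_u in the ticket) plays no part in type enforcement."""
    findings = []
    for e in entries:
        if e.name not in NSSDB_FILES:
            continue
        if not readable_by(e, user, groups):
            findings.append(f"{e.name}: {e.owner}:{e.group} {e.mode} not readable by {user}")
        if e.setype != expected_type:
            findings.append(f"{e.name}: SELinux type {e.setype}, expected {expected_type}")
    return findings


if __name__ == "__main__":
    print(audit(parse_ls_laz(PKI_TOMCAT_LISTING), "pkiuser", {"pkiuser"}, "pki_tomcat_cert_t"))
    print(audit(parse_ls_laz(HTTPD_LISTING), "apache", {"apache"}, "cert_t"))
```

On the pki-tomcat listing this flags cert9.db and key4.db (root:root, 0600), which is exactly what certmonger tripped over in the error above; on the httpd listing it flags pkcs11.txt and pwdfile.txt as unreadable by apache. Whether a DAC finding matters depends on which uid actually opens the database (a daemon that opens it as root before dropping privileges is not affected), so treat the output as a list of things to explain, not a verdict. On a live system, replace the parsed listing with `scan_directory(path)` and take the expected type from `matchpathcon path` rather than hard-coding it.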

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1491419

6 years ago

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)

5 years ago

FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone

Associated BZ is closed insufficient_data. We aren't seeing other cases of this, closing as worksforme.

Metadata Update from @rcritten:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

5 years ago
