Installation on rawhide is failing because permissions, ownership and SELinux context are incorrect. The issue is related to the recent migration of NSS from DBM to SQL database.

[18/28]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.
ipapython.admintool: ERROR org.fedorahosted.certmonger.bad_arg: The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.
ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
With SELinux in permissive mode, it fails a bit later.
installation successful
/etc/dirsrv/slapd-IPA-EXAMPLE/:
total 652
drwxr-x---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Jan 10 10:13 .
drwxrwxr-x. 6 root dirsrv system_u:object_r:dirsrv_config_t:s0 109 Jan 10 10:11 ..
-rw-r-----. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 28672 Jan 10 10:13 cert9.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 28672 Jan 10 10:11 cert9.db.orig
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 1730 Jan 10 10:11 certmap.conf
-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 151178 Jan 10 10:13 dse.ldif
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 151178 Jan 10 10:13 dse.ldif.bak
-rw-------. 2 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 151178 Jan 10 10:13 dse.ldif.startOK
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 35501 Jan 10 10:11 dse_original.ldif
-rw-r-----. 1 dirsrv root unconfined_u:object_r:dirsrv_config_t:s0 36864 Jan 10 10:13 key4.db
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 28672 Jan 10 10:11 key4.db.orig
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 67 Jan 10 10:13 pin.txt
-rw-r-----. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 558 Jan 10 10:13 pkcs11.txt
-rw-rw----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 553 Jan 10 10:11 pkcs11.txt.orig
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 41 Jan 10 10:13 pwdfile.txt
-r--------. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 41 Jan 10 10:13 pwdfile.txt.orig
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 4096 Jan 10 10:13 schema
-r--r-----. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_config_t:s0 15142 Jan 10 10:11 slapd-collations.conf

/etc/httpd/alias/:
total 176
drwxr-x---. 2 root apache system_u:object_r:cert_t:s0 209 Jan 10 10:14 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_config_t:s0 105 Jan 7 14:31 ..
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0 28672 Jan 10 10:14 cert9.db
-rw-r-----. 1 root apache system_u:object_r:cert_t:s0 36864 Jan 7 14:31 cert9.db.ipasave
-rw-------. 1 root root system_u:object_r:cert_t:s0 5346 Jan 7 14:31 install.log
-rw-------. 1 root root system_u:object_r:ipa_cert_t:s0 32 Jan 10 10:14 ipasession.key
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0 36864 Jan 10 10:14 key4.db
-rw-r-----. 1 root apache system_u:object_r:cert_t:s0 53248 Jan 7 14:31 key4.db.ipasave
lrwxrwxrwx. 1 root root system_u:object_r:cert_t:s0 33 Oct 20 08:13 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-r-----. 1 root root unconfined_u:object_r:cert_t:s0 623 Jan 10 10:14 pkcs11.txt
-rw-------. 1 root root system_u:object_r:cert_t:s0 498 Jan 7 14:31 pkcs11.txt.ipasave
-rw-------. 1 root apache unconfined_u:object_r:cert_t:s0 41 Jan 10 10:14 pwdfile.txt

/etc/pki/pki-tomcat/alias/:
total 192
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 104 Jan 10 10:13 .
drwxrwx---. 5 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 4096 Jan 10 10:13 ..
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 65536 Jan 10 10:13 cert8.db
-rw-------. 1 root root system_u:object_r:pki_tomcat_cert_t:s0 40960 Jan 10 10:13 cert9.db
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 24576 Jan 10 10:13 key3.db
-rw-------. 1 root root system_u:object_r:pki_tomcat_cert_t:s0 61440 Jan 10 10:13 key4.db
-r--------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 42 Jan 10 10:12 pwdfile.txt
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 16384 Jan 10 10:11 secmod.db
SELinux policies look fine to me:
# semanage fcontext -l | grep /etc/dirsrv
/etc/dirsrv(/.*)? all files system_u:object_r:dirsrv_config_t:s0
/etc/dirsrv/admin-serv(/.*)? all files system_u:object_r:dirsrvadmin_config_t:s0
/etc/dirsrv/dsgw(/.*)? all files system_u:object_r:dirsrvadmin_config_t:s0
# semanage fcontext -l | grep /etc/pki/pki-tomcat/alias
/etc/pki/pki-tomcat/alias(/.*)? all files system_u:object_r:pki_tomcat_cert_t:s0
# semanage fcontext -l | grep /etc/httpd/alias
/etc/httpd/alias(/.*)? all files system_u:object_r:cert_t:s0
/etc/httpd/alias/ipasession.key regular file system_u:object_r:ipa_cert_t:s0
I'll open separate tickets for 389-DS and Dogtag.
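The ownership problem visible in the listing can be checked mechanically. The following is an added example, not part of the ticket or of FreeIPA's code: it parses `ls -lZ` output and reports NSS SQL database files that the directory's service account cannot read. The names `unreadable_nss_files`, `NSS_SQL_FILES` and `LS_Z` are hypothetical, and the rule for identifying the service account is an assumption stated in the docstring.

```python
import re

# NSS SQL-format files; the older DBM format used cert8.db, key3.db, secmod.db.
NSS_SQL_FILES = {"cert9.db", "key4.db", "pkcs11.txt"}
# Fields: mode, links, owner, group, SELinux context, size, date (3), name.
LS_Z = re.compile(r"^([-dl][-rwxsStT]{9})\.?\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

# Excerpt of the `ls -lZ` listing posted in this ticket.
SAMPLE = """\
/etc/httpd/alias/:
drwxr-x---. 2 root apache system_u:object_r:cert_t:s0 209 Jan 10 10:14 .
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0 28672 Jan 10 10:14 cert9.db
-rw-r-----. 1 root apache unconfined_u:object_r:cert_t:s0 36864 Jan 10 10:14 key4.db
/etc/pki/pki-tomcat/alias/:
drwxrwx---. 2 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 104 Jan 10 10:13 .
-rw-------. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_cert_t:s0 65536 Jan 10 10:13 cert8.db
-rw-------. 1 root root system_u:object_r:pki_tomcat_cert_t:s0 40960 Jan 10 10:13 cert9.db
-rw-------. 1 root root system_u:object_r:pki_tomcat_cert_t:s0 61440 Jan 10 10:13 key4.db
"""

def unreadable_nss_files(listing):
    """Return (path, owner, group, mode) for NSS SQL files the service cannot read.

    Assumption: the service account is the non-root owner/group of the
    directory's "." entry and belongs only to the group of the same name.
    """
    directory, accounts, findings = None, set(), []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("/") and line.endswith(":"):
            directory, accounts = line.rstrip(":").rstrip("/"), set()
            continue
        m = LS_Z.match(line)
        if not m or directory is None:
            continue
        mode, owner, group, name = m.groups()
        if name == ".":
            accounts = {owner, group} - {"root"}
        elif name in NSS_SQL_FILES:
            readable = ((owner in accounts and mode[1] == "r")
                        or (group in accounts and mode[4] == "r")
                        or mode[7] == "r")
            if not readable:
                findings.append((f"{directory}/{name}", owner, group, mode))
    return findings

if __name__ == "__main__":
    for finding in unreadable_nss_files(SAMPLE):
        print(*finding)
```

On the excerpt it reports the root-owned `cert9.db` and `key4.db` under `/etc/pki/pki-tomcat/alias`, the location named in the certmonger error, while the group-readable files in `/etc/httpd/alias` pass.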
Issue linked to Bugzilla: Bug 1491419
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1491419
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.2 (was: FreeIPA 4.7.1)
FreeIPA 4.7.1 has been released, moving to FreeIPA 4.7.2 milestone
Associated BZ is closed insufficient_data. We aren't seeing other cases of this, closing as worksforme.
Metadata Update from @rcritten: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)