SELinux policy module ipa.te is missing a rule from apache.te for the ipa_custodia_stream_connect interface. The missing policy causes an AVC denial and a failing installation:
type=AVC msg=audit(1594745346.857:2709): avc: denied { connectto } for pid=32294 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=0
HTTPd is unable to connect to ipa-custodia Unix socket.
No AVC
Current master and latest 4.8 release on RHEL
Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4920
With decentralized SELinux policy it might be necessary to pull some more rules into the ipa domain policy:
apache.te: ipa_read_lib(httpd_t)
apache.te: ipa_manage_pid_files(httpd_t)
apache.te: ipa_custodia_stream_connect(httpd_t)
apache.te: ipa_domtrans_helper(httpd_t)
apache.te: ipa_cert_filetrans_named_content(httpd_t)
bind.te: ipa_manage_lib(named_t)
certmonger.te: ipa_manage_lib(certmonger_t)
certmonger.te: ipa_manage_log(certmonger_t)
certmonger.te: ipa_manage_pid_files(certmonger_t)
certmonger.te: ipa_filetrans_pid(certmonger_t,"renewal.lock")
certmonger.te: ipa_named_filetrans_log_dir(certmonger_t)
gssproxy.te: ipa_read_lib(gssproxy_t)
kerberos.te: ipa_stream_connect_otpd(krb5kdc_t)
oddjob.te:ifdef(`ipa_helper_noatsecure',`
oddjob.te: ipa_helper_noatsecure(oddjob_t)
opendnssec.te: ipa_manage_lib(opendnssec_t)
opendnssec.te: ipa_stream_connect_ods_exporter(opendnssec_t)
pki.te: ipa_read_lib(pki_tomcat_t)
tomcat.te: ipa_read_lib(tomcat_t)
tomcat.te: ipa_read_tmp(tomcat_t)
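The AVC record quoted in this ticket can be checked against the loaded policy without guessing. The shell functions below are an added example, not code from the ticket or from the FreeIPA project: they parse an AVC line into source type, target type, object class and permissions, print the audit2allow-style minimal rule it corresponds to (the upstream fix uses the ipa_custodia_stream_connect interface instead of a raw allow rule), and build the sesearch query that confirms whether the installed policy already grants the access. The sample record is a constructed copy of the one above.

```shell
#!/bin/sh
# Constructed sample AVC record, same shape as the denial reported in the ticket.
SAMPLE_AVC='type=AVC msg=audit(1594745346.857:2709): avc: denied { connectto } for pid=32294 comm="httpd" path="/run/httpd/ipa-custodia.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:ipa_custodia_t:s0 tclass=unix_stream_socket permissive=0'

# Type component (user:role:TYPE:level) of a security context such as system_u:system_r:httpd_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one "key=value" field out of an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\\([^ ]*\\).*/\\1/p"
}

# Permissions inside "denied { ... }", normalised to single-space separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //;s/ $//'
}

# Minimal allow rule that would satisfy exactly this denial (what audit2allow would emit).
avc_to_allow_rule() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$(avc_perms "$1")"
}

# sesearch (setools) query that lists matching allow rules in the loaded policy;
# empty output from it means the rule is indeed missing from the installed module.
avc_to_sesearch() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$src" "$tgt" "$cls" "$perms"
}

# Stand-alone usage: derive the rule and the verification query from the sample record.
avc_to_allow_rule "$SAMPLE_AVC"
avc_to_sesearch "$SAMPLE_AVC"
```

Running the printed sesearch command on the affected host (setools-console installed) shows whether the ipa module already carries the rule; on a fixed system the same query returns a matching allow line.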
Metadata Update from @ksiddiqu: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1857157
master:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue set to the milestone: None (was: FreeIPA 4.8.8) - Issue status updated to: Closed (was: Open)