The server has a number of problems with SELinux AVC denials. The process was running with the effective uid/gid of ipsilon. If SELinux is enabled, things fail silently and mysteriously, mostly because ipsilon's persistent storage cannot be updated.
4517:type=AVC msg=audit(1420410243.355:4229): avc: denied { write } for pid=9789 comm="httpd" name="adminconfig.sqlite" dev="dm-1" ino=5657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
4545:type=AVC msg=audit(1420410292.644:4257): avc: denied { write } for pid=9789 comm="httpd" name="userprefs.sqlite" dev="dm-1" ino=5203 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
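The two denials above both have httpd_t as the source type and var_lib_t as the target type, which is the signature of an unlabelled /var/lib directory rather than a missing boolean. As an added example that is not part of this ticket or of Ipsilon, the POSIX shell below reduces raw audit.log AVC records to the fields that decide that question and counts the patterns discussed in this thread. The audit excerpt is constructed: its first two records reproduce the ticket's denials, and the LDAP and sshd records are made up for contrast.

```shell
#!/bin/sh
# Added example: reduce raw audit.log AVC records to the fields that decide
# whether a denial is a labelling problem or a missing boolean.

# Constructed audit.log excerpt: the first two records are the ticket's own
# denials, the LDAP and sshd records are made up for contrast.
sample_denials() {
  cat <<'EOF'
4517:type=AVC msg=audit(1420410243.355:4229): avc: denied { write } for pid=9789 comm="httpd" name="adminconfig.sqlite" dev="dm-1" ino=5657 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
4545:type=AVC msg=audit(1420410292.644:4257): avc: denied { write } for pid=9789 comm="httpd" name="userprefs.sqlite" dev="dm-1" ino=5203 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
4601:type=AVC msg=audit(1420410300.101:4260): avc: denied { name_connect } for pid=9789 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
4612:type=AVC msg=audit(1420410311.202:4261): avc: denied { read } for pid=2211 comm="sshd" name="example.db" dev="dm-1" ino=6001 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
EOF
}

# Parse AVC records from stdin into tab-separated fields:
#   comm  permission  source_type  target_type  tclass  name
# Only the type component (third field) of each security context is kept.
parse_avc() {
  awk '/type=AVC/ && /denied/ {
    perm = ""; comm = ""; name = ""; sctx = ""; tctx = ""; tclass = ""
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm") comm = kv[2]
      else if (kv[1] == "name") name = kv[2]
      else if (kv[1] == "scontext") sctx = kv[2]
      else if (kv[1] == "tcontext") tctx = kv[2]
      else if (kv[1] == "tclass") tclass = kv[2]
    }
    gsub(/"/, "", comm); gsub(/"/, "", name)
    split(sctx, s, ":"); split(tctx, t, ":")
    printf "%s\t%s\t%s\t%s\t%s\t%s\n", comm, perm, s[3], t[3], tclass, name
  }'
}

# Count parsed records (from stdin) for one source type / permission /
# target type combination, e.g. httpd_t write var_lib_t.
count_denials() {
  awk -v st="$1" -v perm="$2" -v tt="$3" 'BEGIN { FS = "\t" }
    $3 == st && $2 == perm && $4 == tt { n++ }
    END { print n + 0 }'
}

# Report the two patterns this ticket is about: files under /var/lib that
# still carry var_lib_t, and httpd reaching an LDAP port without the boolean.
report() {
  parsed=$(sample_denials | parse_avc)
  relabel=$(printf '%s\n' "$parsed" | count_denials httpd_t write var_lib_t)
  ldap=$(printf '%s\n' "$parsed" | count_denials httpd_t name_connect ldap_port_t)
  echo "httpd_t writes to var_lib_t files (label them httpd_var_lib_t): $relabel"
  echo "httpd_t connects to ldap_port_t (httpd_can_connect_ldap boolean): $ldap"
}

report
```

On a real host, feed parse_avc with `ausearch -m AVC` output or `grep type=AVC /var/log/audit/audit.log` instead of sample_denials; a non-zero count in the first line of the report means the directory label did not survive (a full relabel resets whatever a spec file's %post did), and a non-zero count in the second means the boolean is off.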
Fields changed
milestone: => 1.0 m3 owner: simo => jdennis status: new => assigned
I could not reproduce the original AVCs. The directory /var/lib/ipsilon is correctly labeled with httpd_var_lib_t (set in RPM %post).
However we are getting an AVC for httpd connecting to LDAP. This can be fixed with:
setsebool -P httpd_can_connect_ldap on
I will patch the spec file and post a review.
In my personal git repo under the httpd_avc topic branch
resolution: => fixed status: assigned => closed
resolution: fixed => status: closed => reopened
The Fedora spec files are not in sync with the spec file in the git repo; they are missing the SELinux updates in %post.
I am personally very opposed to doing SELinux in RPM spec files.
Relabeling in the spec file is very bad and it should just be added to the Fedora SELinux policy. Reason being that you should always be able to relabel the entire filesystem without breaking services. Please file a bug on the SELinux policy component in Bugzilla.
Setting the boolean is also something we should not do in the spec file, and we should just document this somewhere.
owner: jdennis => puiterwijk patch_available: => 0 status: reopened => assigned
I can see the argument for correct labeling in the OS policy.
As for not setting the boolean, mysterious mostly silent failures are not user/customer friendly. People do not want to use software that makes them read arcane documentation and perform obtuse actions when after installation the package does not work. We should be focused on providing the best customer experience we can.
If we don't set the boolean in the spec file then we need to set it in the installer which is probably the better place to set it. The boolean shouldn't be set just by virtue of installing the package, but once you configure a node to be an ipsilon server it should run with the boolean being set.
Are you OK with setting the boolean in the installer? This is what IPA does. I'll do a new patch that sets the boolean in ipsilon-server-install.
Yes, setting it from the installer when you actually enable the function makes some sense.
Although I would prefer it if it's stated clearly in the output (maybe a summary at the end with a high-level overview what the installation did?) and/or a question during installation itself.
But do note that there are situations where other flags might be required. For example, if you use another database, you will need httpd_can_network_connect_db as well. Also, AuthPAM requires httpd_mod_auth_pam and httpd_tmp_exec (which are already set in its installer and should also be added to any summary we provide).
I'm probably missing some entries as well for specific cases.
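The installer-side approach agreed above, as an added example that is not ipsilon-server-install's own code: a hypothetical POSIX shell helper that maps the features a node is being configured for to the booleans named in this thread (httpd_can_connect_ldap, httpd_can_network_connect_db, httpd_mod_auth_pam, httpd_tmp_exec, httpd_dbus_sssd), sets only the ones that are currently off, and collects what it did for the end-of-install summary. The feature names (ldap, db, pam, sssd) are this example's own.

```shell
#!/bin/sh
# Hypothetical installer helper (not ipsilon-server-install itself): derive
# the SELinux booleans from the features being enabled, apply them only when
# SELinux is active, and keep a record for the installer's closing summary.

# Print the booleans needed for the given features, one per line.
# Feature names (ldap, db, pam, sssd) are assumptions of this example.
required_booleans() {
  for feature in "$@"; do
    case "$feature" in
      ldap|db|pam|sssd) ;;
      *) echo "unknown feature: $feature" >&2; return 1 ;;
    esac
  done
  for feature in "$@"; do
    case "$feature" in
      ldap) echo httpd_can_connect_ldap ;;
      db)   echo httpd_can_network_connect_db ;;
      pam)  printf '%s\n' httpd_mod_auth_pam httpd_tmp_exec ;;
      sssd) echo httpd_dbus_sssd ;;
    esac
  done | sort -u
}

# Persistently enable the booleans for the given features, skipping ones that
# are already on, and print a summary of what changed at the end.
apply_booleans() {
  bools=$(required_booleans "$@") || return 1
  if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
    echo "SELinux is not enabled on this host; no booleans were changed"
    return 0
  fi
  nl='
'
  summary=""
  for b in $bools; do
    # Older policies may not ship a boolean at all; say so instead of failing.
    if ! getsebool "$b" >/dev/null 2>&1; then
      summary="$summary$nl  $b: not present in the loaded policy"
      continue
    fi
    if getsebool "$b" | grep -q -- '--> on$'; then
      summary="$summary$nl  $b: already on"
    else
      setsebool -P "$b" on
      summary="$summary$nl  $b: set to on (persistent)"
    fi
  done
  echo "SELinux booleans handled by this installer:$summary"
}

# Usage: sh this_script.sh ldap sssd
if [ $# -gt 0 ]; then
  apply_booleans "$@"
fi
```

Keeping the feature-to-boolean mapping in one function is what makes the summary possible: the same list that drives setsebool is the list the installer reports, so a later addition (another database backend, another auth module) cannot be enabled without also appearing in the output.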
I opened bug https://bugzilla.redhat.com/show_bug.cgi?id=1186046 with a request to label ipsilon's /var/lib files.
new patch submitted
https://fedorapeople.org/cgit/jdennis/public_git/ipsilon.git/commit/?h=httpd_avc
This exactly echoes what is done elsewhere currently in ipsilon.
We should look into having httpd transition into our own type for Ipsilon. There may be some issues to figure out around getting the transition to take place with the way that mod_wsgi works.
We also need to set the 'httpd_dbus_sssd' boolean to allow the SSSD info plugin to work.
Fix for httpd_dbus_sssd:
master: b6cf2a5
design_link: =>
Fix for httpd_can_connect_ldap:
master: c95d083
milestone: 1.0 m3 => 1.0 m4
cc: => fedora@obfusc8.org
milestone: 1.0 m4 => 1.0
milestone: 1.0 => Backlog
This has made it into Fedora 22 0-day updates. Going to bug the selinux people more about F21/rawhide.
milestone: Backlog => 1.1
This has now also been applied in Rawhide, which leaves just F21.
Note, the cloned bug against rawhide/F21: https://bugzilla.redhat.com/show_bug.cgi?id=1186046
rhbz: => summary: SELinux AVC denials => Write new SELinux policy
milestone: 1.1 => 1.2
milestone: 1.2 => Backlog
Metadata Update from @nkinder:
- Issue assigned to puiterwijk
- Issue set to the milestone: Backlog