Bug 1161592
Summary: | SELinux is preventing kadmind from unlink and write access on the file kadmin_0 | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Petr Vobornik <pvoborni> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 21 | CC: | brian, dominick.grift, dwalsh, lvrabec, mgrepl, mkosek, nalin, plautrba, pvoborni, robatino, sgallagh |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | | |
: | 1210421 | Environment: | |
Last Closed: | 2014-11-07 14:49:49 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1043129 | | |
Description
Petr Vobornik
2014-11-07 12:21:21 UTC
This is a Fedora 21 Final blocker as it blocks FreeIPA server installation, Stephen is already in copy.

Proposed as a Blocker for 21-final by Fedora user sgallagh using the blocker tracking app because: Proposed criterion: https://lists.fedoraproject.org/pipermail/server/2014-November/001551.html From Alpha Criteria: "Unless explicitly specified otherwise, after system installation SELinux must be enabled and in enforcing mode"

Could you confirm it happens also if you remove /tmp/kadmin_0 and re-test it with ipa-server-install?

Something created "kadmin_0" in /tmp with tmp_t. Have you ever run in permissive mode?

More likely it's kadmind's replay cache, which would be in /var/tmp, and would usually be labeled kadmind_tmp_t when it's created by kadmind.

Removal of /var/tmp/kadmin_0 fixes the issue and FreeIPA is successfully installed. kadmin_0 is recreated with correct kadmind_tmp_t label. Seems that comment 4 is the source of the error. Therefore probably NOT A BUG.

Cause of the mistake:

* server was initially installed with old SELinux Policy.
* installation was run in permissive mode
* SELinux Policy was updated
* installation was run in enforcing mode

On a new clear VM with updated policy and in enforcing mode the installation succeeds. Sorry for noise.

OK, closing as NOTABUG. I will reopen it if it reappears during testing. Thanks for the quick response, folks!

Of course I meant /var/tmp/kadmin_0. Basically this was probably caused by a combination of these reasons.

I hit this issue on RHEL 6.6 also. It happened to me because I switched a system from selinux disabled to selinux enforcing. But I did invoke an autorelabel between those two states.

It seems like a bug that /var/tmp/kadmin_0 can be left around and not relabeled by an autolabel.

Could we get this reopened as such?

(In reply to Brian J. Murrell from comment #9)
> I hit this issue on RHEL 6.6 also. It happened to me because I switched a system from selinux disabled to selinux enforcing. But I did invoke an autorelabel between those two states.
>
> It seems like a bug that /var/tmp/kadmin_0 can be left around and not relabeled by an autolabel.
>
> Could we get this reopened as such?

If so, please open a new RHEL6 bug.
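
A pre-install check for the condition diagnosed in this thread, as an added example that is not part of the original bug report or of any Fedora or FreeIPA tooling: it reads the SELinux context of the kadmind replay cache and reports whether its type is the `kadmind_tmp_t` the comments expect. The path and type names come from the thread; the function names are hypothetical, the sample contexts are constructed, and `stat -c %C` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: flag a kadmind replay cache left behind with the wrong
# SELinux type (e.g. created while permissive or under an older policy).

# Print the type field of an SELinux context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify CONTEXT EXPECTED_TYPE -> prints ok, mislabeled or unlabeled.
classify() {
    ctx=$1
    expected=$2
    case $ctx in
        ''|'?') echo unlabeled; return 0 ;;   # no context available
    esac
    if [ "$(context_type "$ctx")" = "$expected" ]; then
        echo ok
    else
        echo mislabeled
    fi
}

# check_file PATH EXPECTED_TYPE: returns 0 when the file is absent or
# correctly labeled, 1 when it exists with any other label.
check_file() {
    path=$1
    expected=$2
    if [ ! -e "$path" ]; then
        echo "$path: absent, kadmind will create it itself"
        return 0
    fi
    ctx=$(stat -c %C -- "$path" 2>/dev/null) || ctx=
    verdict=$(classify "$ctx" "$expected")
    echo "$path: $verdict (context: ${ctx:-none}, expected type: $expected)"
    [ "$verdict" = ok ]
}

# Constructed sample contexts, in the form `ls -Z` prints them.
classify 'unconfined_u:object_r:tmp_t:s0' kadmind_tmp_t
classify 'system_u:object_r:kadmind_tmp_t:s0' kadmind_tmp_t

# Live check of the path named in this bug.
check_file /var/tmp/kadmin_0 kadmind_tmp_t ||
    echo "stale replay cache: remove it so kadmind recreates it"
```
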