Bug 1490762
Summary: | [Modular Server] Ipa-server-install update dse.ldif with wrong SELinux context | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
Component: | freeipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 27 | CC: | abokovoy, awilliam, dgilmore, ipa-maint, jcholast, jhrozek, kparal, mkosek, pvoborni, rcritten, robatino, sgallagh, slaznick, ssorce, tkrizek |
Target Milestone: | --- | Keywords: | Regression, Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | AcceptedBlocker | ||
Fixed In Version: | freeipa-4.6.0-3.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-10-16 22:22:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1396702 |
Description
Lukas Slebodnik
2017-09-12 08:01:36 UTC
freeipa-server should update dse.ldif but it should not change SELinux context for that file.

---

What selinux-policy version do you have?

Note that this is very similar to bug 1483170, see comment 5 where rolekit_tmp_t is carried over to /etc/dirsrv/ too. The difference is only which method is used to deploy IPA server: you did it manually under user context while Adam used rolekit for that. In both cases it looks like an issue with 389-ds python installer which should be doing restorecon by itself.

---

(In reply to Alexander Bokovoy from comment #2)
> What selinux-policy version do you have?

It has nothing to do with selinux-policy; it is a bug in ipa-server-install.

As you can see in the description of this bug, the 5th step updated dse.ldif and the 6th step tried to start 389-ds. But it failed because dse.ldif had the wrong SELinux context:

```
sh# ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
```

So I checked the actual code in dsinstance.py and it looks like we miss tasks.restore_context(dse_filename) after the shutil.copy2() call:

```python
    def __update_dse_ldif(self):
        """
        This method updates dse.ldif right after instance creation. This is
        supposed to allow admin modify configuration of the DS which has to be
        done before IPA is fully installed (for example: settings for
        replication on replicas)
        DS must be turned off.
        """
        dse_filename = os.path.join(
            paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % self.serverid,
            'dse.ldif'
        )

        with tempfile.NamedTemporaryFile(
                mode='w', delete=False) as new_dse_ldif:
            temp_filename = new_dse_ldif.name
            with open(dse_filename, "r") as input_file:
                parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
                parser.replace_value(
                    'cn=config,cn=ldbm database,cn=plugins,cn=config',
                    'nsslapd-db-locks',
                    [b'50000']
                )
                if self.config_ldif:
                    # parse modifications from ldif file supplied by the admin
                    with open(self.config_ldif, "r") as config_ldif:
                        parser.modifications_from_ldif(config_ldif)
                parser.parse()
            new_dse_ldif.flush()
        # copy2 carries the temp file's metadata (its SELinux label included)
        # onto dse.ldif; no restore_context() follows this call
        shutil.copy2(temp_filename, dse_filename)
        try:
            os.remove(temp_filename)
        except OSError as e:
            logger.debug("Failed to clean temporary file: %s", e)
```

---

A patched version of ipa shows that it is a bug in freeipa:

```
2017-09-12T08:19:33Z DEBUG   [4/45]: stopping directory server
2017-09-12T08:19:33Z DEBUG Starting external process
2017-09-12T08:19:33Z DEBUG args=/bin/systemctl stop dirsrv
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 2 seconds
2017-09-12T08:19:35Z DEBUG   [5/45]: updating configuration in dse.ldif
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 67928 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG Starting external process
2017-09-12T08:19:35Z DEBUG args=/bin/ls -lZ /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG Process finished, return code=0
2017-09-12T08:19:35Z DEBUG stdout=-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 67949 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif
2017-09-12T08:19:35Z DEBUG stderr=
2017-09-12T08:19:35Z DEBUG duration: 0 seconds
2017-09-12T08:19:35Z DEBUG   [6/45]: starting directory server
```

---

Added https://github.com/freeipa/freeipa/pull/1062 to fix this.

---

Proposing this as a Beta blocker.

ab, can you please do a freeipa package build and submit an update for this? Thanks.

---

+1 Blocker

---

+1 blocker

---

+1 blocker

---

That's +3 and this is a nice clear case, so marking AcceptedBlocker. For the record, the criterion is good old Alpha "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried." - 'domain controller' is a release-blocking role.

---

Upstream ticket: https://pagure.io/freeipa/issue/7150

---

Fixed upstream master: https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190

---

freeipa-4.6.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

---

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9a6df5d962

---

freeipa-4.6.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

---

This is an accepted blocker, we still need to verify the fix.

---

openQA has verified the fix many times.
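The root cause described in the thread is a file-replacement pattern: the new dse.ldif is assembled in a temp file under /tmp (labelled user_tmp_t), and `shutil.copy2()` copies that temp file's metadata, SELinux label included, onto the file in /etc/dirsrv, so the directory server is then denied access to its own config. The following is an added example, not FreeIPA's or 389-ds's code, showing two defensive pieces: a check that parses `ls -lZ` output (the two lines from the bug are used as constructed sample input) and flags a config file whose type is not the expected `dirsrv_config_t`, and a rewrite routine that creates the temp file in the destination directory, preserves the original owner and mode, renames it into place, and then runs `restorecon` so the policy-defined label is applied. `EXPECTED_TYPE` and the helper names are this example's own assumptions; `restorecon` is only invoked when present on the host.

```python
"""Check and repair the SELinux label of a rewritten config file such as dse.ldif.

Added example; not code from FreeIPA or 389-ds.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Type that SELinux policy assigns to 389-ds config files, taken from the
# "good" ls -lZ line in the bug report (assumption for this example).
EXPECTED_TYPE = "dirsrv_config_t"


def selinux_type(context):
    """Return the type component of a user:role:type:level context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    return parts[2]


def parse_ls_z(line):
    """Parse one `ls -lZ` line into (context, path).

    Field layout: mode links owner group context size month day time path
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("unexpected ls -lZ line: %r" % line)
    return fields[4], fields[-1]


def label_is_expected(line, expected=EXPECTED_TYPE):
    """True if the file listed in `line` carries the expected SELinux type."""
    context, _ = parse_ls_z(line)
    return selinux_type(context) == expected


def restore_context(path):
    """Run restorecon on `path`; False when the tool is absent (non-SELinux host)."""
    tool = shutil.which("restorecon")
    if tool is None:
        return False
    subprocess.run([tool, path], check=True)
    return True


def rewrite_config(dest, new_text, restore=True):
    """Replace `dest` with `new_text` without inheriting a /tmp label.

    The temp file is created next to the destination (so it is labelled like
    its parent directory rather than like /tmp), given the original owner and
    mode, renamed into place, and finally relabelled from policy.
    Returns the path written.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        if os.path.exists(dest):
            st = os.stat(dest)
            os.chown(tmp, st.st_uid, st.st_gid)   # keep dirsrv:dirsrv ownership
            os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.replace(tmp, dest)                     # atomic on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    if restore:
        restore_context(dest)
    return dest


# Constructed sample input: the two ls -lZ lines quoted in the bug report.
BAD_LINE = ("-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 "
            "67949 Sep 12 03:58 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif")
GOOD_LINE = ("-rw-------. 1 dirsrv dirsrv system_u:object_r:dirsrv_config_t:s0 "
             "67928 Sep 12 04:19 /etc/dirsrv/slapd-TESTRELM-TEST/dse.ldif")

if __name__ == "__main__":
    for line in (BAD_LINE, GOOD_LINE):
        ctx, path = parse_ls_z(line)
        print("%s %s -> %s" % ("OK " if label_is_expected(line) else "BAD", path, ctx))
```

The check is what an installer (or a post-install health check) can run before attempting to start the service, turning the silent `systemctl start` failure from the bug into an explicit message naming the file and its wrong type; `rewrite_config` shows the replacement pattern that avoids the problem in the first place, with `restorecon` as the authoritative final step rather than relying on directory inheritance alone.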