-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-9.3.0
-
ipa-4.12.2-2.el9
-
None
-
Moderate
-
8
-
sst_idm_ipa
-
ssg_idm
-
10
-
12
-
3
-
QE ack, Dev ack
-
False
-
-
No
-
2024-Q3-Alpha-S2, 2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5, 2024-Q3-Alpha-S6, 2024-Q4-Alpha-S1, 2024-Q4-Alpha-S2, 2024-Q4-Alpha-S3
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
None
What were you trying to do that didn't work?
The SID generation task fails when SELinux is in Enforcing mode.
Please provide the package NVR for which bug is seen:
# cat /etc/redhat-release Red Hat Enterprise Linux release 9.3 (Plow) # # rpm -qa | grep ^ipa ipa-client-common-4.10.2-4.el9_3.1.noarch ipa-selinux-4.10.2-4.el9_3.1.noarch ipa-common-4.10.2-4.el9_3.1.noarch ipa-server-common-4.10.2-4.el9_3.1.noarch ipa-healthcheck-core-0.12-4.el9.noarch ipa-client-4.10.2-4.el9_3.1.x86_64 ipa-server-4.10.2-4.el9_3.1.x86_64 ipa-server-dns-4.10.2-4.el9_3.1.noarch ipa-healthcheck-0.12-4.el9.noarch #
How reproducible:
Always.
Steps to reproduce
1. Make sure SELinux is enforced:
# getenforce Enforcing #
2. Run the SID task:
# ipa config-mod --enable-sid --add-sids ipa: ERROR: Configuration of SID failed. See details in the error log #
3. After enabling DBus debugging:
string "[Errno 13] Permission denied: '/var/log/ipaserver-enable-sid.log'
The ipa-enable-sid command failed.
"
4. Check the SELinux alert message:
# sealert -a /var/log/audit/audit.log ... --------------------------------------------------------------------------------SELinux is preventing /usr/bin/python3.9 from open access on the file /var/log/ipaserver-enable-sid.log.***** Plugin catchall (100. confidence) suggests **************************If you believe that python3.9 should be allowed open access on the ipaserver-enable-sid.log file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'org.freeipa.ser' --raw | audit2allow -M my-orgfreeipaser # semodule -X 300 -i my-orgfreeipaser.pp Additional Information: Source Context system_u:system_r:ipa_helper_t:s0 Target Context unconfined_u:object_r:var_log_t:s0 Target Objects /var/log/ipaserver-enable-sid.log [ file ] Source org.freeipa.ser Source Path /usr/bin/python3.9 Port <Unknown> Host <Unknown> Source RPM Packages python3-3.9.18-1.el9_3.x86_64 Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.1.23-1.el9.noarch Local Policy RPM ipa-selinux-4.10.2-4.el9_3.1.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name <HOST> Platform Linux <HOST> 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023 x86_64 x86_64 Alert Count 6 First Seen 2024-03-19 15:19:35 CET Last Seen 2024-05-13 18:29:12 CEST Local ID 5cdd2e98-cb7f-4b9e-aa31-915236371de9Raw Audit Messages type=AVC msg=audit(1715617752.463:7478): avc: denied { open } for pid=393419 comm="org.freeipa.ser" path="/var/log/ipaserver-enable-sid.log" dev="dm-0" ino=642 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
5. Settings for the SID log file:
# ls -lZ /var/log/ipaserver-enable-sid.log -rw-------. 1 root root system_u:object_r:var_log_t:s0 10495 Jun 7 09:29 /var/log/ipaserver-enable-sid.log # # matchpathcon -V /var/log/ipaserver-enable-sid.log /var/log/ipaserver-enable-sid.log verified. #
Expected results
Working SID generation task.
Actual results
The SID generation task is failing.
- links to
-
RHBA-2024:141066 ipa update