[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Adam Young ayoung at redhat.com
Sat Aug 27 02:28:26 UTC 2011


On 08/26/2011 08:57 PM, Adam Young wrote:
> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>> Uses the updated version of pkicreate which makes an ipa specific
>>>>>>> proxy config file.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-devel mailing list
>>>>>>> Freeipa-devel at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
>>>>>> since the file is actually a symlink, it needs to be "islink". This
>>>>>> one checks for either.
>>>>> Nack, install fails after configuring the http service.
>>>>> Restart bails out
>>>>>
>>>>> Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
>>>>> way (it was suppressing the error output) I get a permission denied
>>>>> error trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file
>>>>> owned by pkiuser:pkiuser with permission 660 (therefore not readable
>>>>> by the apache user).
>>>> Ok it turns out permissions are not the real issue as the file is read
>>>> while apache is still root, it's an SELinux issue.
>>>> Apache starts if I setenforce 0
>>>>
>>>> Still a Nack of course, it needs to work with SELinux in enforcing
>>>> mode
>>>>
>>>> Simo.
>>>>
>>> This version owns the proxy config file.  It works with setenforce 0,
>>> but does not work with SELinux, so, preemptive-nack. But I will be gone
>>> for a week, so if someone wants to pick this up and run with it, start
>>> from here.
>> The previous patch with the corrected isfile vs islink issue works fine
>> as long as the SELinux policy is fixed to allow access
>> to /etc/pki-ca/proxy-ipa.conf
>>
>> I have tested a master and then replica install with no issues after I
>> loaded a custom SELinux policy that allows that.
>>
>> So tentative ACK to the former patch.
>> I will discuss with Ade how to resolve the SELinux issue and will push to
>> master once that is solved.
>>
>> Simo.
>>
> Previous patch is based on a change for PKI-CA that we are not going 
> to push, so we can't go with that.  The file 
> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.  
> Whatever the issue is with this patch it has to be fairly minor.  The 
> difference in approach is that this one includes the conf file and 
> places it in /etc/httpd/conf.d.  The problem is possibly the fact that 
> this one uses localhost instead of the FQDN, although I did test it 
> both ways prior to adding it to the RPM, and it worked with localhost 
> and SELinux in enforcing mode.
>
Failure seems to be from this step in the install log:

After configuration, the server can be operated by the command:

     /sbin/service pki-cad restart pki-ca

2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [  OK  ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"


And in the Audit log:

type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
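To triage denials like the two records above, here is an added example (not code from this thread or from FreeIPA) that parses AVC records into their fields, groups them by source type, target type, class and permission, and renders each group in the shape of a type-enforcement allow rule so the denied transition is easy to read; the input it parses is the pair of records from this message.

```python
import re

# The two AVC records quoted in this message (copied from the audit log above).
AUDIT_LINES = """\
type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
"""

# Fixed prefix of an AVC record: timestamp, serial, verdict and permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# The remainder is key=value pairs; values may be quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # A context label is user:role:type:level; the type is the third component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarise(text):
    """Count denials grouped by (source type, target type, class, permissions)."""
    counts = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], tuple(rec["perms"]))
        counts[key] = counts.get(key, 0) + 1
    return counts

def as_te_rule(key):
    """Render a grouped denial in the shape of a type-enforcement allow rule."""
    stype, ttype, tclass, perms = key
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)

if __name__ == "__main__":
    for key, n in summarise(AUDIT_LINES).items():
        print("%dx %s" % (n, as_te_rule(key)))
```

Running it on the two records above collapses them into a single group: two denials of the process transition from kernel_t to pki_ca_script_t, which is the fact a policy fix has to address.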