[Freeipa-users] Re: SELinux is preventing generating SID on RHEL9

On 30. 11. 23 16:38, Rob Crittenden wrote: > Michal Konecny wrote: >> >> On 30. 11. 23 16:01, Rob Crittenden wrote: >>> Michal Konecny via FreeIPA-users wrote: >>>> Hi, >>>> >>>> I upgraded Fedora staging environment to RHEL 9 and encountered this >>>> issue https://access.redhat.com/solutions/7015184. >>> How did you upgrade from Fedora staging to RHEL 9? What does that >>> mean? >> I was following this guide >> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/... >> > So this is the Fedora project IPA staging system that you upgrading from > RHEL-8 to RHEL-9? The original statement sounded more like directly > upgrading Fedora -> RHEL. Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora staging IPA from RHEL8 to RHEL9. > > >> >> The fedora infra ticket for that is here >> https://pagure.io/fedora-infrastructure/issue/10358 >>>> To resolve that I tried to run `ipa config-mod --enable-sid >>>> --add-sids`, >>>> but it failed on >>>> `The ipa-enable-sid command failed, exception: PermissionError: >>>> [Errno >>>> 13] Permission denied: '/etc/krb5.conf.ipabkp'` >>>> >>>> As expected this was SELinux issue >>>> ``` >>>> type=AVC msg=audit(1701349641.295:30008): avc:  denied  { write } for >>>> pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 >>>> scontext=system_u:system_r:ipa_helper_t:s0 >>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 >>>> ``` >>>> >>>> I tried to relabel the whole system to fix it, but the denial is >>>> still >>>> there. Did I miss something? >>>> Shouldn't IPA server had access to /etc? >>> This isn't the server. It is executed as an oddjob task which runs >>> in a >>> different context. >>> >>> It ensures that krb5.conf is setup correctly and apparently yours >>> is not >>> and tries to correct it but fails in making a backup. >>> >>> Can you file a JIRA ticket on this? >> I can, where should I file it? > https://issues.redhat.com/secure/CreateIssue!default.jspa > > As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the > context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe). Even changing the SELinux context didn't help: -rw-r--r--. 1 root   root   system_u:object_r:krb5_conf_t:s0 899 Nov 30 13:37 /etc/krb5.conf -rw-r--r--. 1 root   root   unconfined_u:object_r:krb5_conf_t:s0 899 Nov 30 15:49 /etc/krb5.conf.ipabkp I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by `ipa config-mod --enable-sid --add-sids`, but no denial in `/var/log/messages` or `/var/log/audit/audit.log` > > Looks like you uncovered a bug and I don't want to lose track of it > while we work out a solution. I found the FreeIPA project on JIRA, but I'm unable to create issue in it. Do you want me to file issue under another project? > > thanks > > rob >