We were able to solve that by running the sidgen manually, following
this guide
It seems that the staging instance is now running as it should.
Michal
On 30. 11. 23 17:00, Michal Konecny wrote:
On 30. 11. 23 16:38, Rob Crittenden wrote:
> Michal Konecny wrote:
>>
>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>> Michal Konecny via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>>>> issue https://access.redhat.com/solutions/7015184.
>>> How did you upgrade from Fedora staging to RHEL 9? What does that
>>> mean?
>> I was following this guide
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>>
> So this is the Fedora project IPA staging system that you are upgrading from
> RHEL-8 to RHEL-9? The original statement sounded more like directly
> upgrading Fedora -> RHEL.
Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora
staging IPA from RHEL8 to RHEL9.
>
>
>>
>> The fedora infra ticket for that is here
>>
>> https://pagure.io/fedora-infrastructure/issue/10358
>>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
>>>> but it failed on
>>>> `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>>
>>>> As expected this was an SELinux issue
>>>> ```
>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>> ```
>>>>
>>>> I tried to relabel the whole system to fix it, but the denial is still
>>>> there. Did I miss something?
>>>> Shouldn't IPA server have access to /etc?
>>> This isn't the server. It is executed as an oddjob task which runs in a
>>> different context.
>>>
>>> It ensures that krb5.conf is set up correctly and apparently yours is not
>>> and tries to correct it but fails in making a backup.
>>>
>>> Can you file a JIRA ticket on this?
>> I can, where should I file it?
>
> https://issues.redhat.com/secure/CreateIssue!default.jspa
>
> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
> context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Even changing the SELinux context didn't help:
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov 30 13:37 /etc/krb5.conf
-rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899 Nov 30 15:49 /etc/krb5.conf.ipabkp
I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by
`ipa config-mod --enable-sid --add-sids`,
but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
>
> Looks like you uncovered a bug and I don't want to lose track of it
> while we work out a solution.
I found the FreeIPA project on JIRA, but I'm unable to create an issue in
it.
Do you want me to file an issue under another project?
>
> thanks
>
> rob
>
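
Added example, not part of the thread or of FreeIPA: a small Python parser that breaks the AVC record quoted above into subject domain, permission, object class and object type, so the denied object (here a `dir` named `etc` labelled `etc_t`, accessed from `ipa_helper_t`) can be read off directly. The function names `split_context`, `parse_avc` and `describe` are hypothetical.

```python
import re
from datetime import datetime, timezone

# AVC record quoted in the thread, with the mail client's line wrapping removed.
SAMPLE = (
    'type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for '
    'pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 '
    'scontext=system_u:system_r:ipa_helper_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0'
)

HEADER = re.compile(
    r'msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed SELinux context: {ctx!r}')
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) > 3 else None}

def parse_avc(record):
    """Return the decision, permissions, subject and object of one AVC record."""
    m = HEADER.search(record)
    if m is None:
        raise ValueError('not an AVC record')
    fields = {k: v.strip('"') for k, v in FIELD.findall(record[m.end():])}
    return {
        'time': datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc),
        'serial': int(m.group(2)),
        'result': m.group(3),
        'perms': m.group(4).split(),
        'source': split_context(fields['scontext']),   # process domain
        'target': split_context(fields['tcontext']),   # object label
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
        'fields': fields,
    }

def describe(avc):
    """One-line summary: who was denied what, on which object."""
    f = avc['fields']
    return (f"{avc['source']['type']} (comm={f.get('comm')}, pid={f.get('pid')}) "
            f"{avc['result']} {{ {' '.join(avc['perms'])} }} on {avc['tclass']} "
            f"name={f.get('name')} labelled {avc['target']['type']}")
```

`describe(parse_avc(SAMPLE))` returns the one-line summary for the record from the thread; the same functions work on lines read from `/var/log/audit/audit.log`.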