8:31 a.m.
Hi,
I upgraded Fedora staging environment to RHEL 9 and encountered this
issue https://access.redhat.com/solutions/7015184.
To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
but it failed on
`The ipa-enable-sid command failed, exception: PermissionError: [Errno
13] Permission denied: '/etc/krb5.conf.ipabkp'`
As expected this was SELinux issue
```
type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0"
ino=33685633
scontext=system_u:system_r:ipa_helper_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```
I tried to relabel the whole system to fix it, but the denial is still
there. Did I miss something?
Shouldn't IPA server had access to /etc?
Michal
9:01 a.m.
Michal Konecny via FreeIPA-users wrote:
Hi,
I upgraded Fedora staging environment to RHEL 9 and encountered this
issue https://access.redhat.com/solutions/7015184.
How did you upgrade from Fedora staging to RHEL 9? What does that mean?
To resolve that I tried to run `ipa config-mod --enable-sid
--add-sids`,
but it failed on
`The ipa-enable-sid command failed, exception: PermissionError: [Errno
13] Permission denied: '/etc/krb5.conf.ipabkp'`
As expected this was SELinux issue
```
type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0"
ino=33685633
scontext=system_u:system_r:ipa_helper_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```
I tried to relabel the whole system to fix it, but the denial is still
there. Did I miss something?
Shouldn't IPA server had access to /etc?
This isn't the server. It is executed as an oddjob task which runs in a
different context.
It ensures that krb5.conf is setup correctly and apparently yours is not
and tries to correct it but fails in making a backup.
Can you file a JIRA ticket on this?
rob
9:29 a.m.
On 30. 11. 23 16:01, Rob Crittenden wrote:
Michal Konecny via FreeIPA-users wrote:
> Hi,
>
> I upgraded Fedora staging environment to RHEL 9 and encountered this
> issue https://access.redhat.com/solutions/7015184.
How did you upgrade from Fedora staging to RHEL 9? What does that mean?
I was following this guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
The fedora infra ticket for that is here
https://pagure.io/fedora-infrastructure/issue/10358
> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
> but it failed on
> `The ipa-enable-sid command failed, exception: PermissionError: [Errno
> 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>
> As expected this was SELinux issue
> ```
> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
> pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0"
ino=33685633
> scontext=system_u:system_r:ipa_helper_t:s0
> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> ```
>
> I tried to relabel the whole system to fix it, but the denial is still
> there. Did I miss something?
> Shouldn't IPA server had access to /etc?
This isn't the server. It is executed as an oddjob task which runs in a
different context.
It ensures that krb5.conf is setup correctly and apparently yours is not
and tries to correct it but fails in making a backup.
Can you file a JIRA ticket on this?
I can, where should I file it?
rob
9:38 a.m.
Michal Konecny wrote:
On 30. 11. 23 16:01, Rob Crittenden wrote:
> Michal Konecny via FreeIPA-users wrote:
>> Hi,
>>
>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>> issue https://access.redhat.com/solutions/7015184.
> How did you upgrade from Fedora staging to RHEL 9? What does that mean?
I was following this guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
So this is the Fedora project IPA staging system that you upgrading from
RHEL-8 to RHEL-9? The original statement sounded more like directly
upgrading Fedora -> RHEL.
The fedora infra ticket for that is here
https://pagure.io/fedora-infrastructure/issue/10358
>
>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
>> but it failed on
>> `The ipa-enable-sid command failed, exception: PermissionError: [Errno
>> 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>
>> As expected this was SELinux issue
>> ```
>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
>> pid=157909 comm="org.freeipa.ser" name="etc"
dev="dm-0" ino=33685633
>> scontext=system_u:system_r:ipa_helper_t:s0
>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>> ```
>>
>> I tried to relabel the whole system to fix it, but the denial is still
>> there. Did I miss something?
>> Shouldn't IPA server had access to /etc?
> This isn't the server. It is executed as an oddjob task which runs in a
> different context.
>
> It ensures that krb5.conf is setup correctly and apparently yours is not
> and tries to correct it but fails in making a backup.
>
> Can you file a JIRA ticket on this?
I can, where should I file it?
https://issues.redhat.com/secure/CreateIssue!default.jspa
As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Looks like you uncovered a bug and I don't want to lose track of it
while we work out a solution.
thanks
rob
10 a.m.
On 30. 11. 23 16:38, Rob Crittenden wrote:
Michal Konecny wrote:
>
> On 30. 11. 23 16:01, Rob Crittenden wrote:
>> Michal Konecny via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>>> issue https://access.redhat.com/solutions/7015184.
>> How did you upgrade from Fedora staging to RHEL 9? What does that mean?
> I was following this guide
>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
So this is the Fedora project IPA staging system that you upgrading from
RHEL-8 to RHEL-9? The original statement sounded more like directly
upgrading Fedora -> RHEL.
Sorry for the misunderstanding. Yes, I'm trying to
upgrade Fedora
staging IPA from RHEL8 to RHEL9.
>
> The fedora infra ticket for that is here
> https://pagure.io/fedora-infrastructure/issue/10358
>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`,
>>> but it failed on
>>> `The ipa-enable-sid command failed, exception: PermissionError: [Errno
>>> 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>
>>> As expected this was SELinux issue
>>> ```
>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
>>> pid=157909 comm="org.freeipa.ser" name="etc"
dev="dm-0" ino=33685633
>>> scontext=system_u:system_r:ipa_helper_t:s0
>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>> ```
>>>
>>> I tried to relabel the whole system to fix it, but the denial is still
>>> there. Did I miss something?
>>> Shouldn't IPA server had access to /etc?
>> This isn't the server. It is executed as an oddjob task which runs in a
>> different context.
>>
>> It ensures that krb5.conf is setup correctly and apparently yours is not
>> and tries to correct it but fails in making a backup.
>>
>> Can you file a JIRA ticket on this?
> I can, where should I file it?
https://issues.redhat.com/secure/CreateIssue!default.jspa
As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Even
changing the SELinux context didn't help:
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov 30
13:37 /etc/krb5.conf
-rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899 Nov
30 15:49 /etc/krb5.conf.ipabkp
I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by `ipa
config-mod --enable-sid --add-sids`,
but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
Looks like you uncovered a bug and I don't want to lose track of it
while we work out a solution.
I found the FreeIPA project on JIRA, but I'm
unable to create issue in it.
Do you want me to file issue under another project?
thanks
rob
10:21 a.m.
We were able to solve that by running the sidgen manually, following
this guide
https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#t...
It seems that the staging instance is now running as it should.
Michal
On 30. 11. 23 17:00, Michal Konecny wrote:
On 30. 11. 23 16:38, Rob Crittenden wrote:
> Michal Konecny wrote:
>>
>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>> Michal Konecny via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>>>> issue https://access.redhat.com/solutions/7015184.
>>> How did you upgrade from Fedora staging to RHEL 9? What does that
>>> mean?
>> I was following this guide
>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>>
> So this is the Fedora project IPA staging system that you upgrading from
> RHEL-8 to RHEL-9? The original statement sounded more like directly
> upgrading Fedora -> RHEL.
Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora
staging IPA from RHEL8 to RHEL9.
>
>
>>
>> The fedora infra ticket for that is here
>> https://pagure.io/fedora-infrastructure/issue/10358
>>>> To resolve that I tried to run `ipa config-mod --enable-sid
>>>> --add-sids`,
>>>> but it failed on
>>>> `The ipa-enable-sid command failed, exception: PermissionError:
>>>> [Errno
>>>> 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>>
>>>> As expected this was SELinux issue
>>>> ```
>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for
>>>> pid=157909 comm="org.freeipa.ser" name="etc"
dev="dm-0" ino=33685633
>>>> scontext=system_u:system_r:ipa_helper_t:s0
>>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>> ```
>>>>
>>>> I tried to relabel the whole system to fix it, but the denial is
>>>> still
>>>> there. Did I miss something?
>>>> Shouldn't IPA server had access to /etc?
>>> This isn't the server. It is executed as an oddjob task which runs
>>> in a
>>> different context.
>>>
>>> It ensures that krb5.conf is setup correctly and apparently yours
>>> is not
>>> and tries to correct it but fails in making a backup.
>>>
>>> Can you file a JIRA ticket on this?
>> I can, where should I file it?
> https://issues.redhat.com/secure/CreateIssue!default.jspa
>
> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
> context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Even changing the SELinux context didn't help:
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov
30 13:37 /etc/krb5.conf
-rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899
Nov 30 15:49 /etc/krb5.conf.ipabkp
I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by
`ipa config-mod --enable-sid --add-sids`,
but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
>
> Looks like you uncovered a bug and I don't want to lose track of it
> while we work out a solution.
I found the FreeIPA project on JIRA, but I'm unable to create issue in
it.
Do you want me to file issue under another project?
>
> thanks
>
> rob
>
3:30 p.m.
Michal Konecny wrote:
We were able to solve that by running the sidgen manually, following
this guide
https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#t...
It seems that the staging instance is now running as it should.
Ok, that's good. FYI RHEL bugs should be filed in the RHEL JIRA project
against the affected component.
rob
Michal
On 30. 11. 23 17:00, Michal Konecny wrote:
>
>
> On 30. 11. 23 16:38, Rob Crittenden wrote:
>> Michal Konecny wrote:
>>>
>>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>>> Michal Konecny via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I upgraded Fedora staging environment to RHEL 9 and encountered this
>>>>> issue https://access.redhat.com/solutions/7015184.
>>>> How did you upgrade from Fedora staging to RHEL 9? What does that
>>>> mean?
>>> I was following this guide
>>>
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
>>>
>> So this is the Fedora project IPA staging system that you upgrading from
>> RHEL-8 to RHEL-9? The original statement sounded more like directly
>> upgrading Fedora -> RHEL.
> Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora
> staging IPA from RHEL8 to RHEL9.
>>
>>
>>>
>>> The fedora infra ticket for that is here
>>> https://pagure.io/fedora-infrastructure/issue/10358
>>>>> To resolve that I tried to run `ipa config-mod --enable-sid
>>>>> --add-sids`,
>>>>> but it failed on
>>>>> `The ipa-enable-sid command failed, exception: PermissionError:
>>>>> [Errno
>>>>> 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>>>
>>>>> As expected this was SELinux issue
>>>>> ```
>>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write }
for
>>>>> pid=157909 comm="org.freeipa.ser" name="etc"
dev="dm-0" ino=33685633
>>>>> scontext=system_u:system_r:ipa_helper_t:s0
>>>>> tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>>> ```
>>>>>
>>>>> I tried to relabel the whole system to fix it, but the denial is
>>>>> still
>>>>> there. Did I miss something?
>>>>> Shouldn't IPA server had access to /etc?
>>>> This isn't the server. It is executed as an oddjob task which runs
>>>> in a
>>>> different context.
>>>>
>>>> It ensures that krb5.conf is setup correctly and apparently yours
>>>> is not
>>>> and tries to correct it but fails in making a backup.
>>>>
>>>> Can you file a JIRA ticket on this?
>>> I can, where should I file it?
>> https://issues.redhat.com/secure/CreateIssue!default.jspa
>>
>> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the
>> context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
> Even changing the SELinux context didn't help:
> -rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov
> 30 13:37 /etc/krb5.conf
> -rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899
> Nov 30 15:49 /etc/krb5.conf.ipabkp
>
> I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by
> `ipa config-mod --enable-sid --add-sids`,
> but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
>>
>> Looks like you uncovered a bug and I don't want to lose track of it
>> while we work out a solution.
> I found the FreeIPA project on JIRA, but I'm unable to create issue in
> it.
> Do you want me to file issue under another project?
>>
>> thanks
>>
>> rob
>>
>
152
days inactive
152
days old
freeipa-users@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Michal Konecny -
Rob Crittenden