389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

ipa-restore broken in selinux enforcing mode #5031

Open flo-renaud opened 2 years ago

flo-renaud commented 2 years ago

Issue Description

With the repository updates-testing enabled + selinux mode enforcing, the command ipa-restore is broken. It is failing in the step restarting the directory server.

Package Version and Platform:

Steps to Reproduce

Steps to reproduce the behavior:

  1. Enable the updates-testing repository, update the packages: dnf update -y --enablerepo=updates-testing
  2. Install ipa server with ipa-server-install --domain ipa.test --realm IPA.TEST -a $PASSWORD -p $PASSWORD -U
  3. Perform a full backup of the installation with ipa-backup
  4. Uninstall the server: ipa-server-install --uninstall -U
  5. Restore with ipa-restore $PATH_TO_BACKUP

The ipa-restore command is failing in a step re-starting the LDAP server:

```
# ipa-restore $PATH_TO_BACKUP
...
Stopping IPA services
Restoring files
Systemwide CA database updated.
Restoring from userRoot in IPA-TEST
Restoring from ipaca in IPA-TEST
Restarting GSS-proxy
Starting IPA services
Restoring umask to 18
CalledProcessError(Command ['/usr/sbin/ipactl', 'start'] returned non-zero exit status 1: "Existing service file detected!\nAssuming stale, cleaning and proceeding\nFailed to start Directory Service: CalledProcessError(Command ['/bin/systemctl', 'start', 'dirsrv@IPA-TEST.service'] returned non-zero exit status 1)\n")
The ipa-restore command failed. See /var/log/iparestore.log for more information
```

There are numerous ERR entries in the slapd error log:

```
[24/Nov/2021:16:09:41.321789348 +0000] - ERR - bdb_version_write - Could not open file "/dev/shm/slapd-IPA-TEST/DBVERSION" for writing Netscape Portable Runtime -5950 (File not found.)
...
[24/Nov/2021:16:10:04.339925602 +0000] - ERR - bdb_version_write - Could not open file "/dev/shm/slapd-IPA-TEST/DBVERSION" for writing Netscape Portable Runtime -5966 (Access Denied.)
[24/Nov/2021:16:10:04.344860262 +0000] - INFO - bdb_start - Resizing db cache size: 744941158 -> 139094630
[24/Nov/2021:16:10:04.347519630 +0000] - ERR - libdb - /dev/shm/slapd-IPA-TEST: Permission denied
[24/Nov/2021:16:10:04.349912709 +0000] - ERR - libdb - /dev/shm/slapd-IPA-TEST/__db.001: Permission denied
[24/Nov/2021:16:10:04.351606875 +0000] - CRIT - bdb_start - Opening database environment (/dev/shm/slapd-IPA-TEST) failed. err=13: Unexpected dbimpl error code
[24/Nov/2021:16:10:04.352992960 +0000] - ERR - ldbm_back_start - Failed to init database, err=13 Unexpected dbimpl error code
[24/Nov/2021:16:10:04.354489096 +0000] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[24/Nov/2021:16:10:04.377732124 +0000] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[24/Nov/2021:16:10:04.386586830 +0000] - CRIT - dblayer_setup - dblayer_init failed
[24/Nov/2021:16:10:04.388831647 +0000] - ERR - ldbm_back_start - Failed to setup dblayer
```

and corresponding AVCs:

```
type=AVC msg=audit(1637770204.338:4369): avc:  denied  { open } for  pid=32015 comm="ns-slapd" path="/dev/shm/slapd-IPA-TEST/DBVERSION" dev="tmpfs" ino=29 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637770204.341:4370): avc:  denied  { read } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1637770204.345:4371): avc:  denied  { read } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1637770204.347:4372): avc:  denied  { read } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1637770204.348:4373): avc:  denied  { write } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
```

Looks like the selinux-policy is missing some patches.

FreeIPA nightly run available in PR#1330 with the following logs and report
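The AVC records above are the evidence that matters for triage: which domain (`dirsrv_t`) was refused which permissions on which target type (`user_tmp_t`). The following is an added example, not code from the issue or from 389-ds-base, that parses such records, keeps only enforced denials (`permissive=0`), and groups them per source domain, target type and object class so the missing permissions show up as one line per policy gap. The sample input embeds three records from the report plus one constructed `permissive=1` record to show that audit-only denials are filtered out.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records from the report above, plus one
# constructed permissive=1 record (logged but not enforced) to filter out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1637770204.338:4369): avc:  denied  { open } for  pid=32015 comm="ns-slapd" path="/dev/shm/slapd-IPA-TEST/DBVERSION" dev="tmpfs" ino=29 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637770204.341:4370): avc:  denied  { read } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1637770204.348:4373): avc:  denied  { write } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1637770204.350:4374): avc:  denied  { getattr } for  pid=32015 comm="ns-slapd" name="slapd-IPA-TEST" dev="tmpfs" ino=25 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
"""

# The permission set sits in braces; everything after "for" is key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic temp-file types: a denial against one of these usually means the
# object never received a service-specific label, not that a rule is missing.
GENERIC_TMP_TYPES = {"user_tmp_t", "tmp_t", "tmpfs_t"}


def parse_avc(line):
    """Return a dict of the record's fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize_enforced_denials(audit_text):
    """Group permissive=0 denials by (source type, target type, class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("permissive") != "0":
            continue  # not an AVC, or audit-only (nothing was blocked)
        src = rec["scontext"].split(":")[2]  # user:role:TYPE:level -> TYPE
        tgt = rec["tcontext"].split(":")[2]
        summary[(src, tgt, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def mislabel_hints(summary):
    """(source, target) pairs where the target carries a generic tmp label."""
    return sorted({(s, t) for (s, t, _cls) in summary if t in GENERIC_TMP_TYPES})
```

For the sample, the summary collapses to `dirsrv_t -> user_tmp_t` needing `open` on a file and `read`/`write` on a directory, and the hint flags that pair, which is the cue to check the label of `/dev/shm/slapd-*` (for example with `matchpathcon` or `restorecon -nv`) before reaching for a custom allow rule.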

flo-renaud commented 2 years ago

Note: also seen with latest selinux update selinux-policy-35.6-1.fc35.noarch

flo-renaud commented 2 years ago

BZ https://bugzilla.redhat.com/show_bug.cgi?id=2027730 opened against selinux-policy