Hi,
I upgraded Fedora staging environment to RHEL 9 and encountered this issue https://access.redhat.com/solutions/7015184.
To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`, but it failed on `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
As expected this was an SELinux issue:
```
type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
```
I tried to relabel the whole system to fix it, but the denial is still there. Did I miss something? Shouldn't the IPA server have access to /etc?
Michal
Michal Konecny via FreeIPA-users wrote:
> Hi,
> I upgraded Fedora staging environment to RHEL 9 and encountered this issue https://access.redhat.com/solutions/7015184.
How did you upgrade from Fedora staging to RHEL 9? What does that mean?
> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`, but it failed on `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
> As expected this was an SELinux issue
> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
> I tried to relabel the whole system to fix it, but the denial is still there. Did I miss something? Shouldn't the IPA server have access to /etc?
This isn't the server. It is executed as an oddjob task which runs in a different context.
It ensures that krb5.conf is set up correctly and apparently yours is not and tries to correct it but fails in making a backup.
Can you file a JIRA ticket on this?
rob
On 30. 11. 23 16:01, Rob Crittenden wrote:
> Michal Konecny via FreeIPA-users wrote:
>> Hi,
>> I upgraded Fedora staging environment to RHEL 9 and encountered this issue https://access.redhat.com/solutions/7015184.
> How did you upgrade from Fedora staging to RHEL 9? What does that mean?
I was following this guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
The fedora infra ticket for that is here https://pagure.io/fedora-infrastructure/issue/10358
>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`, but it failed on `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>> As expected this was an SELinux issue
>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>> I tried to relabel the whole system to fix it, but the denial is still there. Did I miss something? Shouldn't the IPA server have access to /etc?
> This isn't the server. It is executed as an oddjob task which runs in a different context.
> It ensures that krb5.conf is set up correctly and apparently yours is not and tries to correct it but fails in making a backup.
> Can you file a JIRA ticket on this?
I can, where should I file it?
> rob
Michal Konecny wrote:
> On 30. 11. 23 16:01, Rob Crittenden wrote:
>> Michal Konecny via FreeIPA-users wrote:
>>> Hi,
>>> I upgraded Fedora staging environment to RHEL 9 and encountered this issue https://access.redhat.com/solutions/7015184.
>> How did you upgrade from Fedora staging to RHEL 9? What does that mean?
> I was following this guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
So this is the Fedora project IPA staging system that you are upgrading from RHEL-8 to RHEL-9? The original statement sounded more like directly upgrading Fedora -> RHEL.
> The fedora infra ticket for that is here https://pagure.io/fedora-infrastructure/issue/10358
>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`, but it failed on `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>> As expected this was an SELinux issue
>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>> I tried to relabel the whole system to fix it, but the denial is still there. Did I miss something? Shouldn't the IPA server have access to /etc?
>> This isn't the server. It is executed as an oddjob task which runs in a different context.
>> It ensures that krb5.conf is set up correctly and apparently yours is not and tries to correct it but fails in making a backup.
>> Can you file a JIRA ticket on this?
> I can, where should I file it?
https://issues.redhat.com/secure/CreateIssue!default.jspa
As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Looks like you uncovered a bug and I don't want to lose track of it while we work out a solution.
thanks
rob
On 30. 11. 23 16:38, Rob Crittenden wrote:
> Michal Konecny wrote:
>> On 30. 11. 23 16:01, Rob Crittenden wrote:
>>> Michal Konecny via FreeIPA-users wrote:
>>>> Hi,
>>>> I upgraded Fedora staging environment to RHEL 9 and encountered this issue https://access.redhat.com/solutions/7015184.
>>> How did you upgrade from Fedora staging to RHEL 9? What does that mean?
>> I was following this guide https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
> So this is the Fedora project IPA staging system that you are upgrading from RHEL-8 to RHEL-9? The original statement sounded more like directly upgrading Fedora -> RHEL.
Sorry for the misunderstanding. Yes, I'm trying to upgrade Fedora staging IPA from RHEL8 to RHEL9.
>> The fedora infra ticket for that is here https://pagure.io/fedora-infrastructure/issue/10358
>>>> To resolve that I tried to run `ipa config-mod --enable-sid --add-sids`, but it failed on `The ipa-enable-sid command failed, exception: PermissionError: [Errno 13] Permission denied: '/etc/krb5.conf.ipabkp'`
>>>> As expected this was an SELinux issue
>>>> type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
>>>> I tried to relabel the whole system to fix it, but the denial is still there. Did I miss something? Shouldn't the IPA server have access to /etc?
>>> This isn't the server. It is executed as an oddjob task which runs in a different context.
>>> It ensures that krb5.conf is set up correctly and apparently yours is not and tries to correct it but fails in making a backup.
>>> Can you file a JIRA ticket on this?
>> I can, where should I file it?
> https://issues.redhat.com/secure/CreateIssue!default.jspa
> As a workaround I'd try touching /etc/krb5.conf.ipabkp and setting the context to match krb5.conf (system_u:object_r:krb5_conf_t:s0 I believe).
Even changing the SELinux context didn't help:
```
-rw-r--r--. 1 root root system_u:object_r:krb5_conf_t:s0 899 Nov 30 13:37 /etc/krb5.conf
-rw-r--r--. 1 root root unconfined_u:object_r:krb5_conf_t:s0 899 Nov 30 15:49 /etc/krb5.conf.ipabkp
```
I'm still getting permission denied for `/etc/krb5.conf.ipabkp` by `ipa config-mod --enable-sid --add-sids`, but no denial in `/var/log/messages` or `/var/log/audit/audit.log`
> Looks like you uncovered a bug and I don't want to lose track of it while we work out a solution.
I found the FreeIPA project on JIRA, but I'm unable to create an issue in it. Do you want me to file the issue under another project?
> thanks
> rob
We were able to solve that by running the sidgen manually, following this guide https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#trou...
It seems that the staging instance is now running as it should.
Michal
Michal Konecny wrote:
> We were able to solve that by running the sidgen manually, following this guide https://freeipa.readthedocs.io/en/latest/designs/adtrust/sidconfig.html#trou...
> It seems that the staging instance is now running as it should.
Ok, that's good. FYI RHEL bugs should be filed in the RHEL JIRA project against the affected component.
rob
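Added example (not part of any message in this thread, and not FreeIPA or audit tooling code): a small Python parser run over the AVC record quoted in the thread, showing that the denied object is the `/etc` directory itself (`tclass=dir`, `name="etc"`) and that the source domain is `ipa_helper_t`, the helper context rather than the server. The function names `parse_avc` and `summarize` are made up for this illustration.

```python
import re

# AVC record as quoted in the thread (one audit.log line).
AVC_LINE = (
    'type=AVC msg=audit(1701349641.295:30008): avc: denied { write } for '
    'pid=157909 comm="org.freeipa.ser" name="etc" dev="dm-0" ino=33685633 '
    'scontext=system_u:system_r:ipa_helper_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict; return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; type enforcement keys on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def summarize(rec):
    """One-line triage summary: which domain was denied what, on which object."""
    obj = 'directory' if rec['tclass'] == 'dir' else rec['tclass']
    return '{} {} {} on {} "{}" ({}) for domain {}'.format(
        'enforced' if rec['enforced'] else 'permissive',
        rec['result'], ','.join(rec['perms']), obj,
        rec.get('name', '?'), rec['target_type'], rec['source_type'])


if __name__ == '__main__':
    print(summarize(parse_avc(AVC_LINE)))
```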