https://bugzilla.redhat.com/show_bug.cgi?id=809262 (Red Hat Enterprise Linux 6)
Description of problem:
After upgrading from 2.1.3-9 in RHEL6.2 to 2.2.0-5, Web UI shows an Internal Server Error after login. This was also seen on 2.1.3-9 -> 2.2.0-5 -> 2.2.0-7.

This appears related (at least somewhat) to bug 783592. The SELinux httpd_manage_ipa boolean appears to be set to off after the upgrade. Setting it to true/on fixes the problem.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-5.el6.x86_64
selinux-policy-3.7.19-142.el6.noarch

How reproducible:
very.

Steps to Reproduce:
1. <setup IPA server on RHEL6.2>
2. kinit admin
3. <install firefox and xauth if necessary>
4. firefox https://$MASTER/ipa/ui
5. <follow steps to configure firefox for single sign-on to IPA>

Actual results:
IPA returns an Internal Server Error in the browser.

6. setsebool httpd_manage_ipa=on
7. <select retry in browser>

IPA returns expected user page.

Expected results:
Should not need to manually turn on the httpd_manage_ipa boolean.

Additional info:
Can check this entirely from the command line with this:

kinit admin
jsonfile=/tmp/jsoninput
echo '{"method":"user_find","params":[[],{"sizelimit":0,"pkey_only":true}]}' > $jsonfile
sessionid=$(curl -v --negotiate -u: https://$MASTER/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt 2>&1 |grep ipa_session 2>&1|sed 's/^.*ipa_session=\([0-Z]*\).*$/\1/')
curl -H "Content-Type:application/json" -H "Referer: https://$MASTER/ipa/xml" -H "Accept:application/json" -H "Accept-Language:en" --cacert /etc/ipa/ca.crt -d @$jsonfile -X POST -b "ipa_session=$sessionid; httponly; Path=/ipa; secure" https://$MASTER/ipa/session/json 2>&1|grep "dn.*uid="

It will return html for the user list or an Internal Server Error page depending on how httpd_manage_ipa is set.

This is what the failure looks like:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
<p>More information about this error may be available in the server error log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at storm.testrelm.com Port 443</address>
</body></html>

And we see AVCs:

# ausearch -m avc -ts 17:47
----
time->Mon Apr 2 17:48:01 2012
type=SYSCALL msg=audit(1333403281.476:373): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebc115310 a1=241 a2=1b6 a3=0 items=0 ppid=20402 pid=20540 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333403281.476:373): avc: denied { write } for pid=20540 comm="httpd" name="ipa_memcached" dev=dm-0 ino=394187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir

And here's the error_log traceback:

[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] mod_wsgi (pid=20422): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] Traceback (most recent call last):
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 229, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return self.route(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 241, in route
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return app(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 792, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     ipa_ccache_name = bind_ipa_ccache(ccache_data)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1228, in bind_ipa_ccache
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     dst = open(name, 'w')
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_20422'
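As an added example (not code from the ticket or from the FreeIPA project), a small Python parser for audit AVC records that flags the httpd_t write denial on a memcached_var_run_t directory shown above and names the httpd_manage_ipa boolean this ticket identifies as its cause; the sample records are constructed after the quoted AVC, and the sshd record is a made-up unrelated denial used as a control.

```python
import re

# Constructed sample audit records modelled on the AVC quoted in this ticket; the sshd record is a made-up, unrelated denial used as a control.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1333403281.476:373): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333403281.476:373): avc: denied { write } for pid=20540 comm="httpd" name="ipa_memcached" dev=dm-0 ino=394187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir
type=AVC msg=audit(1333403300.100:374): avc: denied { read } for pid=999 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, object class, permission) -> boolean whose "off" state produces that denial; the one entry is the case from this ticket.
KNOWN_BOOLEAN_DENIALS = {
    ('httpd_t', 'memcached_var_run_t', 'dir', 'write'): 'httpd_manage_ipa',
}

def selinux_type(context):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'serial': int(m.group('serial')), 'decision': m.group('decision'),
            'perms': m.group('perms').split(),
            'stype': selinux_type(fields.get('scontext', '')),
            'ttype': selinux_type(fields.get('tcontext', '')),
            **{k: fields.get(k) for k in ('comm', 'name', 'tclass')}}

def explain_denials(audit_text):
    """Return (serial, comm, name, boolean-or-None) for every denied AVC in the text."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc['decision'] != 'denied':
            continue
        booleans = {KNOWN_BOOLEAN_DENIALS.get((avc['stype'], avc['ttype'], avc['tclass'], p))
                    for p in avc['perms']} - {None}
        findings.append((avc['serial'], avc['comm'], avc['name'],
                         sorted(booleans)[0] if booleans else None))
    return findings
```

Running explain_denials over the output of ausearch -m avc after an upgrade points straight at the boolean to check with getsebool, instead of leaving only the generic 500 page to go on.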
attachment freeipa-mkosek-246-configure-selinux-for-httpd-during-upgrades.patch
Patch freeipa-mkosek-246-configure-selinux-for-httpd-during-upgrades.patch sent for review
master: 17a0738
ipa-2-2: 56196b2
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04