#2603 IPA Upgrade Web UI failure with internal server error
Closed: Fixed None Opened 12 years ago by mkosek.

https://bugzilla.redhat.com/show_bug.cgi?id=809262 (Red Hat Enterprise Linux 6)

Description of problem:

After upgrading from 2.1.3-9 in RHEL6.2 to 2.2.0-5, Web UI shows an Internal
Server Error after login.  This was also seen on 2.1.3-9 -> 2.2.0-5 -> 2.2.0-7.
This appears related (at least somewhat) to bug 783592.   The SELinux
httpd_manage_ipa boolean appears to be set to off after the upgrade.  Setting
it to true/on fixes the problem.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-5.el6.x86_64
selinux-policy-3.7.19-142.el6.noarch


How reproducible:
very.

Steps to Reproduce:
1.  <setup IPA server on RHEL6.2>
2.  kinit admin
3.  <install firefox and xauth if necessary>
4.  firefox https://$MASTER/ipa/ui
5.  <follow steps to configure firefox for single sign-on to IPA>


Actual results:

IPA returns an Internal Server Error in the browser.

6.  setsebool httpd_manage_ipa=on
7.  <select retry in browser>

IPA returns expected user page

Expected results:

Should not need to manually turn on the httpd_manage_ipa boolean.

Additional info:

Can check this entirely from the command line with this:

kinit admin

jsonfile=/tmp/jsoninput

echo '{"method":"user_find","params":[[],{"sizelimit":0,"pkey_only":true}]}' > $jsonfile

sessionid=$(curl -v --negotiate -u: https://$MASTER/ipa/session/login_kerberos \
    --cacert /etc/ipa/ca.crt 2>&1 | grep ipa_session 2>&1 | \
    sed 's/^.*ipa_session=\([0-Z]*\).*$/\1/')

curl -H "Content-Type:application/json" -H "Referer: https://$MASTER/ipa/xml" \
    -H "Accept:application/json" -H "Accept-Language:en" --cacert /etc/ipa/ca.crt \
    -d @$jsonfile -X POST -b "ipa_session=$sessionid; httponly; Path=/ipa; secure" \
    https://$MASTER/ipa/session/json 2>&1 | grep "dn.*uid="

It will return html for the user list or an Internal Server Error page
depending on how httpd_manage_ipa is set.

This is what the failure looks like:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 root@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at storm.testrelm.com Port 443</address>
</body></html>

And we see AVCs:

# ausearch -m avc -ts 17:47
----
time->Mon Apr  2 17:48:01 2012
type=SYSCALL msg=audit(1333403281.476:373): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebc115310 a1=241 a2=1b6 a3=0 items=0 ppid=20402 pid=20540 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333403281.476:373): avc:  denied  { write } for  pid=20540 comm="httpd" name="ipa_memcached" dev=dm-0 ino=394187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir

And here's the error_log traceback:

[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] mod_wsgi (pid=20422): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] Traceback (most recent call last):
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return api.Backend.wsgi_dispatch(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 229, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return self.route(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 241, in route
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     return app(environ, start_response)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 792, in __call__
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     ipa_ccache_name = bind_ipa_ccache(ccache_data)
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]   File "/usr/lib/python2.6/site-packages/ipalib/session.py", line 1228, in bind_ipa_ccache
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68]     dst = open(name, 'w')
[Mon Apr 02 17:48:01 2012] [error] [client 10.16.96.68] IOError: [Errno 13] Permission denied: '/var/run/ipa_memcached/krbcc_20422'
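
A triage helper for the failure reported above, added here as an example and not part of the ticket or of FreeIPA: it reduces AVC records to their type fields and ties the httpd_t to memcached_var_run_t denial to the state of httpd_manage_ipa. The function names are hypothetical; SAMPLE_AVC is the AVC record from this ticket on a single line.

```bash
#!/bin/sh
# Added example, not FreeIPA code. SAMPLE_AVC is the ticket's AVC record.
SAMPLE_AVC='type=AVC msg=audit(1333403281.476:373): avc:  denied  { write } for  pid=20540 comm="httpd" name="ipa_memcached" dev=dm-0 ino=394187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=dir'

# Read audit records on stdin; for every AVC denial print
# "<source type> <target type> <class> <perm[,perm...]>".
avc_denials() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = (perms == "" ? $i : perms "," $i); continue }
            # SELinux context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }'
}

# Succeeds when stdin holds the denial from this ticket: httpd_t blocked
# on the ipa_memcached run directory (memcached_var_run_t).
is_ipa_session_denial() {
    avc_denials | grep -q '^httpd_t memcached_var_run_t '
}

# triage "<output of getsebool httpd_manage_ipa>" < audit records
triage() {
    bool_state=${1##* }   # getsebool prints "name --> on|off"; keep last word
    if is_ipa_session_denial; then
        if [ "$bool_state" = off ]; then
            # -P writes the boolean to the policy store so it survives reboot
            echo "FIX: setsebool -P httpd_manage_ipa on"
        else
            echo "INVESTIGATE: denial logged but boolean reads '$bool_state'"
        fi
    else
        echo "OK: no httpd_t denial on memcached_var_run_t"
    fi
}

# Live check on a host with the SELinux tools; otherwise run on the sample.
if command -v getsebool >/dev/null 2>&1 && command -v ausearch >/dev/null 2>&1; then
    ausearch -m avc -ts recent 2>/dev/null | triage "$(getsebool httpd_manage_ipa 2>/dev/null)"
else
    printf '%s\n' "$SAMPLE_AVC" | triage "httpd_manage_ipa --> off"
fi
```

The plain `setsebool httpd_manage_ipa=on` from the reproduction steps changes only the running policy, so the helper suggests the `-P` form.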

Patch freeipa-mkosek-246-configure-selinux-for-httpd-during-upgrades.patch sent for review

Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

7 years ago
