ipa_restore.py with "--data --online" fails to restore the LDAP data without any message, and all LDAP data is lost. /var/log/dirsrv/slapd-REALM/errors shows:
[07/Nov/2014:10:56:58 +0100] - import userRoot: Could not open LDIF file "EXAMPLE-TEST-userRoot.ldif", errno 13 (Permission denied)
[07/Nov/2014:10:57:07 +0100] - import ipaca: Could not open LDIF file "EXAMPLE-TEST-ipaca.ldif", errno 13 (Permission denied)
The files below /tmp/tmp*ipa are correctly set to uid=dirsrv group=dirsrv and have read permissions; however, "--online" directs the dirsrv to load the files itself (via the LDAP task object cn=import,cn=tasks,cn=config), and the running dirsrv is prohibited by SELinux from accessing the files.
"setenforce 0" shows success.
Possible fix: add "chcon" on the files after extracting the tarball, in /usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py in extract_backup():
--- /usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py.bak 2013-11-01 16:34:30.000000000 +0100 +++ /usr/lib/python2.7/site-packages/ipaserver/install/ipa_restore.py 2014-11-07 13:41:19.567269126 +0100 @@ -576,6 +576,7 @@ pent = pwd.getpwnam(DS_USER) os.chown(self.top_dir, pent.pw_uid, pent.pw_gid) recursive_chown(self.dir, pent.pw_uid, pent.pw_gid) + run(['chcon', '-t', 'dirsrv_var_lib_t', '-R', self.top_dir]) if encrypt: # We can remove the decoded tarball
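Review bot: the added `run(['chcon', '-t', 'dirsrv_var_lib_t', '-R', self.top_dir])` runs unconditionally, so on a host where SELinux is disabled or the chcon binary is missing a non-zero exit would abort the restore right after ownership has been fixed; guard it on SELinux being enabled, or let the call tolerate failure and log it, since the label only matters when the import task runs inside the confined ns-slapd. Two smaller points on the same line: the relabel is recursive over self.top_dir while the preceding ownership fix is split between `os.chown(self.top_dir, ...)` and `recursive_chown(self.dir, ...)`, so confirm self.dir lives under self.top_dir or relabel self.dir as well; and the hardcoded type deserves a one-line comment saying why it is needed (the online import is performed by the running dirsrv via cn=import,cn=tasks,cn=config, which cannot read files left with the tmp label), so the next reader does not drop it as a stray workaround.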
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=951581 (Red Hat Enterprise Linux 7)
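A pre-flight check for the situation described in the report, as an added example that is neither the reporter's patch nor FreeIPA code: it walks the extracted backup directory and reports every file the directory server could not read because of ownership, mode or SELinux label, so the problem is caught before the online import task is created rather than after the data is gone. It assumes Python 3 (os.getxattr), a local dirsrv user, and dirsrv_var_lib_t as the expected type; the paths, uid and contexts used in the checks are constructed.

```python
"""Pre-flight check before an online ipa-restore import.

Added example, not from the ticket or FreeIPA.  Assumes ns-slapd runs as
user 'dirsrv' and reads files carrying the SELinux type dirsrv_var_lib_t
(the type used in the ticket's proposed chcon)."""
import os
import pwd
import stat

EXPECTED_TYPE = "dirsrv_var_lib_t"


def label_type(context):
    """Type field of a context string: 'u:object_r:user_tmp_t:s0' -> 'user_tmp_t'."""
    parts = context.rstrip("\x00").split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def read_context(path):
    """SELinux context of path, or None when the file carries no label
    (SELinux disabled, or the filesystem does not support the xattr)."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except OSError:
        return None


def find_problems(entries, expected_uid, expected_type=EXPECTED_TYPE):
    """entries: iterable of (path, uid, context_or_None, st_mode).
    Returns (path, reason) for every condition that would make the
    directory server's import task fail to open the file.  A missing
    label is reported on its own so the caller can tell 'no SELinux'
    apart from 'wrong type'."""
    problems = []
    for path, uid, context, mode in entries:
        if uid != expected_uid:
            problems.append((path, "owned by uid %d, not %d" % (uid, expected_uid)))
        if not mode & stat.S_IRUSR:
            problems.append((path, "no owner read permission"))
        if context is None:
            problems.append((path, "no SELinux label"))
        elif label_type(context) != expected_type:
            problems.append((path, "SELinux type %s, expected %s"
                             % (label_type(context), expected_type)))
    return problems


def scan_backup_dir(top_dir, user="dirsrv"):
    """Walk the extracted backup (e.g. /tmp/tmpXXXXipa) and check every file."""
    expected_uid = pwd.getpwnam(user).pw_uid
    entries = []
    for root, _dirs, files in os.walk(top_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            entries.append((path, st.st_uid, read_context(path), st.st_mode))
    return find_problems(entries, expected_uid)
```

An empty result from scan_backup_dir() means ownership, mode and label all match what ns-slapd needs; anything else should stop the restore before the cn=import task is written.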
Ticket is requested by a downstream RHEL release, bumping priority.
master:
ipa-4-1:
Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.2