Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1251526
Description of problem: The ipa-client-install seems to execute at least ntpd and sshd directly - in the case of ntpd, it's on a custom config file in /tmp, in case of sshd, it's to check "dynamically loading authorized user keys" support. This causes various issues with selinux - not only it doesn't work under the MLS policy (sysadm_r role), it has a potential to break things in the targeted policy as well - ie. by creating pid/lock/log files as unconfined_t. The only supported (AFAIK) way to run daemons is via sysvinit / systemd where the daemon is executed with correct context according to appropriate selinux transition rules. Anything else (even a simple daemon --help) can cause issues. Therefore please modify the ipa-*-install scripts to only interact with services/daemons using service(8) or systemctl(1). Example alternatives covering the use cases currently used by ipa-client-install: - ntpd: modify /etc/ntpd.conf directly, if you need to do only one-time synchronization, use ntpdate, if you need to just check if a NTP server is working, use 'ntpdate -q' - sshd: modify /etc/ssh/ssh(d)_config directly, restart sshd and see if it fails on missing support - the live ssh sessions won't be killed on sshd restart I've also noticed ipa-client-install has 'services' and 'services.knownservices' classes - these also need to use service(8)/systemctl(1) if they aren't using it already. Version-Release number of selected component (if applicable): ipa-client-4.1.0-18.el7 How reproducible: always Steps to Reproduce: 1. switch the system to selinux-policy-mls (see RH knowledgebase, RHEL7 / "SELinux User's and Administrator's Guide", section 4.11.2) 2. semodule -d sysadm_secadm 3. login under the sysadm_r role 4. try ipa-client-install Actual results: ipa-*-install executes services/daemons directly Expected results: ipa-*-install uses service(8) or systemctl(1) to launch daemons Additional info: Upgrading to ipa-4.2.0-3.el7 still shows the same issue.
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
FreeIPA 4.8 already has rewritten NTP configuration management and now addresses all services through systemctl .. commands. This bug is therefore already fixed.
systemctl ..
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue set to the milestone: None (was: FreeIPA 4.5 backlog) - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.