fapolicy restrictions causing IdM installation failures

Environment

  • Red Hat Enterprise Linux 8.3+
  • Red Hat Enterprise Linux 9
  • IdM
  • Red Hat Certificate System 10
  • fapolicyd

Issue

IdM installation on RHEL 8.3 fails while fapolicyd is running.
If fapolicyd is stopped for the installation and started again afterwards, pki-tomcat fails to start.

  • The installation of IdM fails with the following error:
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information.
  • In /var/log/pki/pki-tomcat we see the following errors:
2020-11-05 13:20:07 INFO: Creating new security domain
2020-11-05 13:20:07 INFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
2020-11-05 13:20:07 INFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg
2020-11-05 13:20:07 INFO: Removing existing database
2020-11-05 13:20:07 DEBUG: Command: sudo -u pkiuser /usr/lib/jvm/jre-openjdk/bin/java -classpath /usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/* -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.redhat.fips=false org.dogtagpki.server.cli.PKIServerCLI ca-db-remove --force --debug
2020-11-05 13:20:08 ERROR: CalledProcessError: Command '['sudo', '-u', 'pkiuser', '/usr/lib/jvm/jre-openjdk/bin/java', '-classpath', '/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/tomcat-servlet-api.jar:/usr/share/pki/ca/webapps/ca/WEB-INF/lib/*:/var/lib/pki/pki-tomcat/common/lib/*:/usr/share/pki/lib/*', '-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory', '-Dcatalina.base=/var/lib/pki/pki-tomcat', '-Dcatalina.home=/usr/share/tomcat', '-Djava.endorsed.dirs=', '-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp', '-Djava.util.logging.config.file=/etc/pki/pki-tomcat/logging.properties', '-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager', '-Dcom.redhat.fips=false', 'org.dogtagpki.server.cli.PKIServerCLI', 'ca-db-remove', '--force', '--debug']' returned non-zero exit status 1.
  File "/usr/lib/python3.6/site-packages/pki/server/pkispawn.py", line 575, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python3.6/site-packages/pki/server/deployment/scriptlets/configuration.py", line 820, in spawn
    subsystem.remove_database(force=True)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 945, in remove_database
    self.run(cmd, as_current_user=as_current_user)
  File "/usr/lib/python3.6/site-packages/pki/server/subsystem.py", line 1137, in run
    subprocess.run(cmd, check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 438, in run
    output=stdout, stderr=stderr)

Resolution

For RHEL 8.3 - 8.5:
Add the following rule to /etc/fapolicyd/fapolicyd.rules to allow IdM to install and run successfully:

allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/<instance>/work/Catalina/localhost/

This rule needs to be inserted above:

deny_audit perm=any all : ftype=%languages

For RHEL 8.6/8.7 and RHEL 9.0/9.1:
Create a file whose name starts with a number between 31 and 39 under /etc/fapolicyd/rules.d with the following content:

allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/<instance>/work/Catalina/localhost/

For RHEL 8.8+, create a file whose name starts with a number between 31 and 39 under /etc/fapolicyd/rules.d with the following content:

allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/pki-tomcat/work/Catalina/localhost/
allow perm=open exe=/usr/libexec/platform-python3.6 : all ftype=text/x-python trust=0

For RHEL 9.2+, create a file whose name starts with a number between 31 and 39 under /etc/fapolicyd/rules.d with the following content:

allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/pki-tomcat/work/Catalina/localhost/
allow perm=open exe=/usr/bin/python3.9 : all ftype=text/x-python trust=0

Then restart fapolicyd so that the rules are recompiled:

# systemctl restart fapolicyd.service
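The rule has to end up ahead of the deny_audit %languages rule, whether it lives in the single fapolicyd.rules file (RHEL 8.3 - 8.5) or in a numbered rules.d file (RHEL 8.6+). The script below is an added example, not part of the Red Hat solution: it writes the pki-tomcat allow rule into rules.d with a 31-39 prefix and checks the resulting order of the rules before fapolicyd is restarted. The file name 35-pki-tomcat.rules and the RULES_D variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Writes the fapolicyd allow rule
# for pki-tomcat and verifies it precedes the deny_audit %languages rule.
RULES_D="${RULES_D:-/etc/fapolicyd/rules.d}"
RULE_FILE="35-pki-tomcat.rules"   # assumed name; the 31-39 prefix follows the article
PKI_RULE='allow perm=open dir=/usr/lib/jvm/ : dir=/var/lib/pki/pki-tomcat/work/Catalina/localhost/'
DENY_RULE='deny_audit perm=any all : ftype=%languages'

# Write the rule file (idempotent; nothing else in rules.d is touched).
write_pki_rule() {
    mkdir -p "$RULES_D"
    printf '%s\n' "$RULE_FILE_OVERRIDE" >/dev/null 2>&1 || true
    printf '%s\n' "$PKI_RULE" > "$RULES_D/$RULE_FILE"
}

# Print the rules in compile order: a rules.d directory is concatenated in
# file-name order (which is why the numeric prefix matters); a single
# fapolicyd.rules file is used as-is.
compiled_rules() {
    if [ -d "$1" ]; then
        for f in "$1"/*.rules; do cat "$f"; done
    else
        cat "$1"
    fi
}

# Exit 0 only if the pki allow rule appears before the %languages deny rule.
# Trailing whitespace on a rule line (as in copied rules) is ignored.
check_rule_order() {
    compiled_rules "$1" | awk -v allow="$PKI_RULE" -v deny="$DENY_RULE" '
        { sub(/[ \t]+$/, "") }
        $0 == allow && !seen_deny { seen_allow = 1 }
        $0 == deny               { seen_deny = 1 }
        END { if (seen_allow && seen_deny) exit 0; exit 1 }'
}

# Usage on a real host: ./this.sh --apply, then systemctl restart fapolicyd.service
if [ "${1:-}" = "--apply" ]; then
    write_pki_rule
    check_rule_order "$RULES_D" && echo "rule order OK: $RULES_D/$RULE_FILE precedes the %languages deny"
fi
```

If check_rule_order fails after --apply, the deny_audit rule sorts before your file (or is missing), so the rule would never be reached; fix the file name before restarting fapolicyd.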

Root Cause

fapolicyd prevents untrusted applications from running.

The following rule blocks untrusted interpreted-language and Java programs:

deny_audit perm=any all : ftype=%languages

Among the %languages MIME types, the following are relevant to the IPA server installation:

  • application/java-archive
  • text/x-java
  • application/x-java-applet

The following Java source and class files are required during installation:

  • /var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/jsp/index_jsp.java ftype=text/x-java
  • /var/lib/pki/pki-tomcat/work/Catalina/localhost/ROOT/org/apache/jsp/index_jsp.class ftype=application/x-java-applet
  • /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/jsp/index_jsp.java ftype=text/x-java
  • /var/lib/pki/pki-tomcat/work/Catalina/localhost/pki/org/apache/jsp/index_jsp.class ftype=application/x-java-applet

Diagnostic Steps

Follow the fapolicyd documentation chapter on running fapolicyd in debug mode to see which rule denies access during installation.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.