On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?

Not really, we are waiting for SELinux policy maintainers to pick this up.

For the time being, you can try this:
1. Switch to permissive mode
   $ setenforce 0
2. Watch audit log for new AVCs:
   $ tail -f /var/log/audit.log | grep AVC > /tmp/avcs.log
3. Restart the named-pkcs11 service
   $ systemctl restart named-pkcs11
4. Generate missing rules:
   $ audit2allow /tmp/avcs.log
5. Review the rules and load them if necessary

Please post the resulting /tmp/avcs.log and rules to the bug
https://bugzilla.redhat.com/show_bug.cgi?id=1357665
to speed things up.

Thank you!
Petr^2 Spacek

> I've tried to make selinux permissive and write new policy,
> that didn't help.
>
> require {
>         type ipa_var_lib_t;
>         type named_t;
>         class dir read;
>         class file { write open lock read getattr };
> }
>
> #============= named_t ==============
> allow named_t ipa_var_lib_t:dir read;
> allow named_t ipa_var_lib_t:file { write open lock read getattr };
>
>
> 22.07.2016 13:04, Roberto Cornacchia wrote:
>> Ben and Petr,
>>
>> Thanks for your inputs, I'll keep an eye on those bug reports.
>>
>> Roberto
>>
>> On 22 July 2016 at 09:51, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> On 22.7.2016 04:43, Ben Lipton wrote:
>> > I'm not familiar enough with Fedora release engineering to know how this gets
>> > fixed permanently, but I'll share some investigation I've done.
>> >
>> > This appears to be due to a change in the selinux-policy-targeted package that
>> > happened recently. As of the latest version, named-pkcs11 tries to run as type
>> > named_t instead of unconfined_service_t, but it isn't allowed to read the
>> > files from IPA [1]. When I downgraded to the selinux-policy and
>> > selinux-policy-targeted packages from [2] I was able to start named-pkcs11, so
>> > that might be a workaround you can use for now. Ultimately, the patch that
>> > fixes [3] might need to be backported to F23.
>>
>> This is being tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1357665
>>
>> Stay tuned.
>>
>> Petr^2 Spacek
>>
>> >
>> > Ben
>> >
>> > [1]
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for  pid=11616
>> > comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195
>> > scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for
>> > pid=11616 comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object"
>> > dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for
>> > pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584
>> > scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for  pid=11616
>> > comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
>> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for  pid=11616
>> > comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
>> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> >
>> > [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
>> > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106
>> >
>> > On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:
>> >> UPDATE:
>> >>
>> >> Tried again the whole procedure with ipa-dns-install, and it DOES work with
>> >> SELinux disabled, and still fails with SELinux enabled.
>> >>
>> >> So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/"
>> >> makes sense.
>> >>
>> >> Can someone help me fix it?
>> >>
>> >> $ ll -Z /var/lib/ipa/dnssec/
>> >> total 12
>> >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
>> >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>> >>
>> >>
>> >> On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
>> >>
>> >>     - FC23
>> >>     - IPA 4.2.4
>> >>
>> >>     After a dnf update, bind was updated (no ipa updates),
>> >>     and named-pkcs11 doesn't start anymore.
>> >>
>> >>     $ /usr/sbin/named-pkcs11 -d 9 -g
>> >>     21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <id:ebd72b3> -d 9 -g
>> >>     21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
>> >>     21-Jul-2016 23:08:50.332 ----------------------------------------------------
>> >>     21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
>> >>     21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> >>     21-Jul-2016 23:08:50.332 corporation.  Support and training for BIND 9 are
>> >>     21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
>> >>     21-Jul-2016 23:08:50.332 ----------------------------------------------------
>> >>     21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
>> >>     21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
>> >>     21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
>> >>     21-Jul-2016 23:08:50.332 using up to 21000 sockets
>> >>     21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
>> >>     21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
>> >>     21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
>> >>     21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
>> >>     21-Jul-2016 23:08:50.335 exiting (due to fatal error)
>> >>
>> >>     journalctl shows:
>> >>
>> >>     named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
>> >>     named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store
>> >>
>> >>
>> >>     $ ll -Z /var/lib/ipa/dnssec/
>> >>     total 12
>> >>     -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
>> >>     drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>> >>
>> >>
>> >>     - I have seen https://fedorahosted.org/freeipa/ticket/5520 , it doesn't help.
>> >>     - With setenforce 0, same error.
>> >>     - I have run ipa-dns-install, it recreates named.conf, tokens etc. named-pkcs11 still doesn't start.
>> >>
>> >>
>> >>     Please, any idea?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
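As an added illustration of steps 2 to 5 in Petr's procedure (this is editor-supplied example code, not code from the thread, from FreeIPA or from audit2allow itself), the script below does offline what `audit2allow` does with the captured records: it parses AVC denials, merges them into type-enforcement rules with a `require` block, and then performs the review step 5 asks for. The input is the five denials Ben posted, embedded inline as constructed sample data; if you feed it your own capture, note that auditd on Fedora writes to /var/log/audit/audit.log, so adjust the `tail` path in step 2 if /var/log/audit.log does not exist. `WRITE_PERMS`, `generate()` and the wording of the findings are assumptions of this example, not SELinux or audit2allow vocabulary.

```python
"""Offline stand-in for `audit2allow`: parse AVC denials, merge them into
type-enforcement rules, and flag what to review before loading them."""
import re
from collections import defaultdict

# Constructed sample input: the five denials Ben Lipton posted in the thread,
# one per line as `grep AVC` would capture them from the audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for  pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for  pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for  pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let the subject modify the object. This list is an assumption
# of this example (a review aid), not something SELinux defines.
WRITE_PERMS = {'write', 'append', 'create', 'unlink', 'rename', 'setattr',
               'add_name', 'remove_name', 'rmdir', 'link'}


def parse_avc(line):
    """Parse one AVC denial record; return None for anything else (time-> lines, ----)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None
    rec['perms'] = set(m.group('perms').split())
    # A context is user:role:type:level; TE rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec.get('permissive') == '1'
    rec['object'] = rec.get('path') or rec.get('name') or '?'
    return rec


def aggregate(records):
    """Merge denials into (source type, target type, class) -> permissions, as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def render_policy(rules):
    """Render merged denials as a TE snippet with the require block audit2allow emits."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = ['require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (cls, fmt_perms(classes[cls])) for cls in sorted(classes)]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (s, t, cls, fmt_perms(p))
            for (s, t, cls), p in sorted(rules.items())]
    return '\n'.join(out)


def review(records):
    """Step-5 checks: were denials collected in permissive mode, and what does each rule really grant?"""
    findings = []
    enforcing = sum(1 for r in records if not r['permissive'])
    if enforcing:
        findings.append('%d record(s) were logged in enforcing mode; the first denial aborts the '
                        'operation, so later permissions the service needs are probably missing. '
                        'Re-collect under setenforce 0.' % enforcing)
    objects = defaultdict(set)
    for r in records:
        objects[(r['stype'], r['ttype'], r['tclass'])].add(r['object'])
    for key, perms in sorted(aggregate(records).items()):
        modifying = perms & WRITE_PERMS
        if modifying:
            s, t, cls = key
            # TE rules are type-based: the grant covers every object of that type,
            # not only the paths seen in the denials.
            findings.append('allow %s %s:%s %s applies to every %s labelled %s, not only %s; '
                            'confirm that is the intended scope.'
                            % (s, t, cls, fmt_perms(modifying), cls, t,
                               ', '.join(sorted(objects[key]))))
    return findings


def generate(avc_text):
    """Return (policy snippet, review findings) for the AVC records in avc_text."""
    records = [r for r in map(parse_avc, avc_text.splitlines()) if r]
    return render_policy(aggregate(records)), review(records)


if __name__ == '__main__':
    policy, findings = generate(SAMPLE_AVCS)
    print(policy)
    for f in findings:
        print('REVIEW:', f)
```

On the sample input the script produces the same two `allow` rules Arthur posted (with the permissions sorted), and one finding: the `file` rule grants `write` on every file labelled `ipa_var_lib_t`, not only the `generation` file under /var/lib/ipa/dnssec/tokens/ that the denials name. That is the trade-off to weigh before loading such a module (for a real load, `audit2allow -M <name>` followed by `semodule -i` does the compile and install); a local module is a stopgap until the selinux-policy-targeted fix Ben refers to ships.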