Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Petr Spacek
On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?

Not really, we are waiting for SELinux policy maintainers to pick this up.

For the time being, you can try this:
1. Switch to permissive mode
$ setenforce 0

2. Watch the audit log for new AVCs:
$ tail -f /var/log/audit/audit.log | grep --line-buffered AVC > /tmp/avcs.log

3. Restart the named-pkcs11 service
$ systemctl restart named-pkcs11

4. Generate missing rules:
$ audit2allow -i /tmp/avcs.log

5. Review the rules and load them if necessary

Please post the resulting /tmp/avcs.log and rules to the bug
https://bugzilla.redhat.com/show_bug.cgi?id=1357665
to speed things up.

Thank you!
Petr^2 Spacek

> I've tried to make SELinux permissive and to write a new policy,
> but that didn't help.
> 
> require {
> type ipa_var_lib_t;
> type named_t;
> class dir read;
> class file { write open lock read getattr };
> }
> 
> #= named_t ==
> allow named_t ipa_var_lib_t:dir read;
> allow named_t ipa_var_lib_t:file { write open lock read getattr };
> 

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Arthur Fayzullin
any news? I've tried to make SELinux permissive and to write a new policy,
but that didn't help.

require {
type ipa_var_lib_t;
type named_t;
class dir read;
class file { write open lock read getattr };
}

#= named_t ==
allow named_t ipa_var_lib_t:dir read;
allow named_t ipa_var_lib_t:file { write open lock read getattr };


22.07.2016 13:04, Roberto Cornacchia wrote:
> Ben and Petr,
>
> Thanks for your inputs, I'll keep an eye on those bug reports.
>
> Roberto

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Roberto Cornacchia
Ben and Petr,

Thanks for your inputs, I'll keep an eye on those bug reports.

Roberto

On 22 July 2016 at 09:51, Petr Spacek wrote:

> On 22.7.2016 04:43, Ben Lipton wrote:
> > I'm not familiar enough with Fedora release engineering to know how this
> gets
> > fixed permanently, but I'll share some investigation I've done.
> >
> > This appears to be due to a change in the selinux-policy-targeted
> package that
> > happened recently. As of the latest version, named-pkcs11 tries to run
> as type
> > named_t instead of unconfined_service_t, but it isn't allowed to read the
> > files from IPA [1]. When I downgraded to the selinux-policy and
> > selinux-policy-targeted packages from [2] I was able to start
> named-pkcs11, so
> > that might be a workaround you can use for now. Ultimately, the patch
> that
> > fixes [3] might need to be backported to F23.
>
> This is being tracked as
> https://bugzilla.redhat.com/show_bug.cgi?id=1357665
>
> Stay tuned.
>
> Petr^2 Spacek
>

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Petr Spacek
On 22.7.2016 04:43, Ben Lipton wrote:
> I'm not familiar enough with Fedora release engineering to know how this gets
> fixed permanently, but I'll share some investigation I've done.
> 
> This appears to be due to a change in the selinux-policy-targeted package that
> happened recently. As of the latest version, named-pkcs11 tries to run as type
> named_t instead of unconfined_service_t, but it isn't allowed to read the
> files from IPA [1]. When I downgraded to the selinux-policy and
> selinux-policy-targeted packages from [2] I was able to start named-pkcs11, so
> that might be a workaround you can use for now. Ultimately, the patch that
> fixes [3] might need to be backported to F23.

This is being tracked as
https://bugzilla.redhat.com/show_bug.cgi?id=1357665

Stay tuned.

Petr^2 Spacek

> 
> Ben
> 
> [1]
> 
> time->Fri Jul 22 04:17:44 2016
> type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
> 
> time->Fri Jul 22 04:17:44 2016
> type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
> 
> time->Fri Jul 22 04:17:44 2016
> type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
> 
> time->Fri Jul 22 04:17:44 2016
> type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
> 
> time->Fri Jul 22 04:17:44 2016
> type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
> 
> [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Ben Lipton
I'm not familiar enough with Fedora release engineering to know how this 
gets fixed permanently, but I'll share some investigation I've done.


This appears to be due to a change in the selinux-policy-targeted 
package that happened recently. As of the latest version, named-pkcs11 
tries to run as type named_t instead of unconfined_service_t, but it 
isn't allowed to read the files from IPA [1]. When I downgraded to the 
selinux-policy and selinux-policy-targeted packages from [2] I was able 
to start named-pkcs11, so that might be a workaround you can use for 
now. Ultimately, the patch that fixes [3] might need to be backported to 
F23.


Ben

[1]

time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1

time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1


[2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106

On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:

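Added example (not code from this thread, from FreeIPA or from audit2allow): a small Python equivalent of steps 4 and 5 of Petr's procedure, run over the five AVC records Ben quoted above. It aggregates the denied permissions per source type, target type and object class into `allow` rules the way audit2allow does, then flags the rules that grant write access, which is what the review step exists for. The sample records are the page's own, re-joined onto single lines; the function names and the WRITE_LIKE list are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records from the thread, re-joined
# onto one line each (the list archive had wrapped them). Values are the page's own.
SAMPLE_AVCS = """\
type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# Matches 'avc:  denied  { read write } for <key=value fields...>'.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A rule can only be derived when all three of these are present.
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None
    return rec


def type_of(context):
    """Return the type field of an SELinux context 'user:role:type[:level]'."""
    return context.split(":")[2]


def summarize_denials(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the aggregate as policy 'allow' statements (step 4 of the procedure)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


# Assumed list of permissions that widen a domain's ability to modify the target.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename",
              "setattr", "relabelfrom", "relabelto"}


def review_flags(summary):
    """Step 5 of the procedure: list generated rules that grant write-like access."""
    flags = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        risky = sorted(perms & WRITE_LIKE)
        if risky:
            flags.append(f"{stype} -> {ttype}:{tclass} grants {' '.join(risky)}")
    return flags


def all_permissive(records):
    """True when every record carries permissive=1, i.e. the denials were only
    logged, not enforced, so the run reached past the first denial (step 1)."""
    return all(r.get("permissive") == "1" for r in records)


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    summary = summarize_denials(lines)
    for rule in to_allow_rules(summary):
        print(rule)
    for flag in review_flags(summary):
        print("review:", flag)
```

Running it reproduces the two rules Arthur posted (permissions in sorted order) and flags the second one, since it lets named_t write into ipa_var_lib_t files.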

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
UPDATE:

Tried the whole procedure again with ipa-dns-install, and it DOES work with
SELinux disabled, and still fails with SELinux enabled.

So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/"
makes sense.

Can someone help me fix it?

$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/



On 21 July 2016 at 23:11, Roberto Cornacchia wrote:

> - FC23
> - IPA 4.2.4
>
> After a dnf update, bind was updated (no ipa updates), and named-pkcs11
> doesn't start anymore.
>
>
> $ /usr/sbin/named-pkcs11 -d 9 -g
> 21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g
> 21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--program-prefix='
> '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
> '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
> '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var'
> '--enable-threads' '--enable-ipv6' '--enable-filter-' '--with-pic'
> '--disable-static' '--disable-openssl-version-check'
> '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip'
> '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
> '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
> '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
> '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
> 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
> 'CPPFLAGS= -DDIG_SIGCHASE'
> 21-Jul-2016 23:08:50.332
> 
> 21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
> 21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 21-Jul-2016 23:08:50.332 corporation.  Support and training for BIND 9 are
> 21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
> 21-Jul-2016 23:08:50.332
> 
> 21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
> 21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
> 21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
> 21-Jul-2016 23:08:50.332 using up to 21000 sockets
> 21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
> 21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
> 21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
> 21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
> 21-Jul-2016 23:08:50.335 exiting (due to fatal error)
>
> journalctl shows:
>
> named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
> named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store
>
>
>
> $ ll -Z /var/lib/ipa/dnssec/
> total 12
> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>
>
> - I have seen https://fedorahosted.org/freeipa/ticket/5520, it doesn't help.
> - With setenforce 0, same error.
> - I have run ipa-dns-install; it recreates named.conf, tokens, etc.
> named-pkcs11 still doesn't start.
>
>
> Please, any idea?
>
> Roberto
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
- FC23
- IPA 4.2.4

After a dnf update, bind was updated (no ipa updates), and named-pkcs11
doesn't start anymore.


$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g
21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var'
'--enable-threads' '--enable-ipv6' '--enable-filter-' '--with-pic'
'--disable-static' '--disable-openssl-version-check'
'--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip'
'--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
'--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
'--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
'CPPFLAGS= -DDIG_SIGCHASE'
21-Jul-2016 23:08:50.332

21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
21-Jul-2016 23:08:50.332 corporation.  Support and training for BIND 9 are
21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
21-Jul-2016 23:08:50.332

21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
21-Jul-2016 23:08:50.332 using up to 21000 sockets
21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
21-Jul-2016 23:08:50.335 exiting (due to fatal error)

journalctl shows:

named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store



$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/


- I have seen https://fedorahosted.org/freeipa/ticket/5520, it doesn't help.
- With setenforce 0, same error.
- I have run ipa-dns-install; it recreates named.conf, tokens, etc.
named-pkcs11 still doesn't start.


Please, any idea?

Roberto