<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I'm not familiar enough with Fedora release engineering to know how
this gets fixed permanently, but I'll share some investigation I've
done.<br>
<br>
This appears to be due to a change in the selinux-policy-targeted
package that happened recently. As of the latest version,
named-pkcs11 tries to run as type named_t instead of
unconfined_service_t, but it isn't allowed to read the files from
IPA [1]. When I downgraded to the selinux-policy and
selinux-policy-targeted packages from [2] I was able to start
named-pkcs11, so that might be a workaround you can use for now.
Ultimately, the patch that fixes [3] might need to be backported to
F23.<br>
<br>
Ben<br>
<br>
[1]<br>
----<br>
time->Fri Jul 22 04:17:44 2016<br>
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for
pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195
scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir
permissive=1<br>
----<br>
time->Fri Jul 22 04:17:44 2016<br>
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr }
for pid=11616 comm="named-pkcs11"
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object"
dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
permissive=1<br>
----<br>
time->Fri Jul 22 04:17:44 2016<br>
type=AVC msg=audit(1469153864.756:707): avc: denied { read write }
for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0"
ino=731584 scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
permissive=1<br>
----<br>
time->Fri Jul 22 04:17:44 2016<br>
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for
pid=11616 comm="named-pkcs11"
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
permissive=1<br>
----<br>
time->Fri Jul 22 04:17:44 2016<br>
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for
pid=11616 comm="named-pkcs11"
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
permissive=1<br>
<br>
[2] <a class="moz-txt-link-freetext" href="http://koji.fedoraproject.org/koji/buildinfo?buildID=758088">http://koji.fedoraproject.org/koji/buildinfo?buildID=758088</a><br>
[3] <a class="moz-txt-link-freetext" href="https://bugzilla.redhat.com/show_bug.cgi?id=1333106">https://bugzilla.redhat.com/show_bug.cgi?id=1333106</a><br>
<br>
<div class="moz-cite-prefix">On 07/21/2016 05:51 PM, Roberto
Cornacchia wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=fVnoOFr6anenvewEfSK5mxZYEPxB15Y2uT=E-4CVhGWQ@mail.gmail.com"
type="cite">
<div dir="ltr">UPDATE:
<div><br>
</div>
<div>Tried again the whole procedure with ipa-dns-install, and
it DOES work with SELinux disabled, and still fails with
SELinux enabled.</div>
<div><br>
</div>
<div>So the error "Failed to enumerate object store in
/var/lib/softhsm/tokens/" makes sense.<br>
</div>
<div><br>
</div>
<div>
<div>Can someone help me fix it?</div>
<div><br>
</div>
<div>$ ll -Z /var/lib/ipa/dnssec/</div>
<div>total 12</div>
<div>-rwxrwx---. 1 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50
softhsm_pin*</div>
<div>drwxrws---. 3 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50
tokens/</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 21 July 2016 at 23:11, Roberto
Cornacchia <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com" target="_blank">roberto.cornacchia@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">- FC23
<div>- IPA 4.2.4</div>
<div><br>
</div>
<div>After a dnf update, bind was updated (no ipa
updates), and named-pkcs11 doesn't start anymore.</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>$ /usr/sbin/named-pkcs11 -d 9 -g</div>
<div>21-Jul-2016 23:08:50.332 starting BIND
9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <id:ebd72b3>
-d 9 -g</div>
<div>21-Jul-2016 23:08:50.332 built with
'--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info'
'--with-python=/usr/bin/python3' '--with-libtool'
'--localstatedir=/var' '--enable-threads'
'--enable-ipv6' '--enable-filter-aaaa' '--with-pic'
'--disable-static' '--disable-openssl-version-check'
'--includedir=/usr/include/bind9'
'--with-tuning=large' '--with-geoip'
'--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
'--with-dlopen=yes' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
'--with-gssapi=yes' '--disable-isc-spnego'
'--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-full-report'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g
-pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
-mtune=generic' 'LDFLAGS=-Wl,-z,relro
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
'CPPFLAGS= -DDIG_SIGCHASE'</div>
<div>21-Jul-2016 23:08:50.332
----------------------------------------------------</div>
<div>21-Jul-2016 23:08:50.332 BIND 9 is maintained by
Internet Systems Consortium,</div>
<div>21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit
501(c)(3) public-benefit </div>
<div>21-Jul-2016 23:08:50.332 corporation. Support and
training for BIND 9 are </div>
<div>21-Jul-2016 23:08:50.332 available at <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://www.isc.org/support" target="_blank">https://www.isc.org/support</a></div>
<div>21-Jul-2016 23:08:50.332
----------------------------------------------------</div>
<div>21-Jul-2016 23:08:50.332 adjusted limit on open
files from 4096 to 1048576</div>
<div>21-Jul-2016 23:08:50.332 found 2 CPUs, using 2
worker threads</div>
<div>21-Jul-2016 23:08:50.332 using 2 UDP listeners per
interface</div>
<div>21-Jul-2016 23:08:50.332 using up to 21000 sockets</div>
<div>21-Jul-2016 23:08:50.332 Registering DLZ_dlopen
driver</div>
<div>21-Jul-2016 23:08:50.332 Registering SDLZ driver
'dlopen'</div>
<div>21-Jul-2016 23:08:50.332 Registering DLZ driver
'dlopen'</div>
<div>21-Jul-2016 23:08:50.335 initializing DST: PKCS#11
initialization failed</div>
<div>21-Jul-2016 23:08:50.335 exiting (due to fatal
error)</div>
</div>
<div><br>
</div>
<div>journalctl shows:</div>
<div><br>
</div>
<div>
<div>named-pkcs11[9085]: ObjectStore.cpp(59): Failed to
enumerate object store in /var/lib/softhsm/tokens/</div>
<div>named-pkcs11[9085]: SoftHSM.cpp(476): Could not
load the object store</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>$ ll -Z /var/lib/ipa/dnssec/</div>
<div>total 12</div>
<div>-rwxrwx---. 1 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21
22:50 softhsm_pin*</div>
<div>drwxrws---. 3 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21
22:50 tokens/</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>- I have seen <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/5520"
target="_blank">https://fedorahosted.org/freeipa/ticket/5520</a>;
it doesn't help.</div>
<div>- With setenforce 0, same error.</div>
<div>- I have run ipa-dns-install, it recreates
named.conf, tokens etc. named-pkcs11 still doesn't
start.</div>
<div><br>
</div>
<div><br>
</div>
<div>Please, any idea?</div>
<span class="HOEnZb"><font color="#888888">
<div><br>
</div>
<div>Roberto</div>
</font></span></div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
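The AVC records Ben quoted under [1] are the evidence for his diagnosis: the source type is named_t, the target type is ipa_var_lib_t, and the denied permissions are exactly the directory and file accesses named-pkcs11 needs on the SoftHSM token store. The following parser is an added example, not code from this thread or from FreeIPA or Fedora; it takes those five records (copied from the thread, joined onto single lines as ausearch prints them), groups the denials by source type, target type and object class, and renders the result in the allow-rule form audit2allow prints, so the missing grants can be compared against what the upstream policy fix in [3] adds rather than dropped blindly into a local module. It also checks the permissive=1 flag: when it is set, the denials were only logged and the process kept running, which is why all five accesses show up in one pass instead of the first failure aborting the start.<br>
<br>
```python
import re
from collections import defaultdict

# Sample input: the AVC records from the thread, one record per line.
SAMPLE_AUDIT = """\
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type (third field) of an SELinux context such as system_u:system_r:named_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for separator and time-> lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "stype": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class) into the union of denied permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def all_permissive(audit_text):
    """True if every AVC record was logged with permissive=1 (denials not enforced)."""
    recs = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    return bool(recs) and all(r["permissive"] for r in recs)


def render_rules(summary):
    """Render the grouped denials as allow rules, the form audit2allow prints for review."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == "__main__":
    grouped = summarize(SAMPLE_AUDIT)
    print("all records permissive:", all_permissive(SAMPLE_AUDIT))
    for rule in render_rules(grouped):
        print(rule)
```
<br>
Run against the five records, the summary collapses to two rules, one for the tokens directory (read) and one for the token files (getattr, lock, open, read, write), which is the shape of grant a fixed selinux-policy would need to carry for named_t on ipa_var_lib_t. On a live host the same parser can be fed the output of ausearch -m AVC -c named-pkcs11.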
<br>
</body>
</html>