<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>any news? I've tried to make selinux permissive and write new
policy, that didn't help.</p>
<p>require {<br>
type ipa_var_lib_t;<br>
type named_t;<br>
class dir read;<br>
class file { write open lock read getattr };<br>
}<br>
<br>
#============= named_t ==============<br>
allow named_t ipa_var_lib_t:dir read;<br>
allow named_t ipa_var_lib_t:file { write open lock read getattr };<br>
</p>
<br>
<div class="moz-cite-prefix">22.07.2016 13:04, Roberto Cornacchia
wrote:<br>
</div>
<blockquote
cite="mid:CAFGv-=dsu_nrNSCLjXFq4R7fsji5GmBCvmCwTAO7hfQnGDz7+w@mail.gmail.com"
type="cite">
<div dir="ltr">Ben and Petr,
<div><br>
</div>
<div>Thanks for your inputs, I'll keep an eye on those bug
reports.</div>
<div><br>
</div>
<div>Roberto</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22 July 2016 at 09:51, Petr Spacek <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 22.7.2016 04:43, Ben Lipton wrote:<br>
> I'm not familiar enough with Fedora release
engineering to know how this gets<br>
> fixed permanently, but I'll share some investigation
I've done.<br>
><br>
> This appears to be due to a change in the
selinux-policy-targeted package that<br>
> happened recently. As of the latest version,
named-pkcs11 tries to run as type<br>
> named_t instead of unconfined_service_t, but it isn't
allowed to read the<br>
> files from IPA [1]. When I downgraded to the
selinux-policy and<br>
> selinux-policy-targeted packages from [2] I was able
to start named-pkcs11, so<br>
> that might be a workaround you can use for now.
Ultimately, the patch that<br>
> fixes [3] might need to be backported to F23.<br>
<br>
</span>This is being tracked as<br>
<a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=1357665"
rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1357665</a><br>
<br>
Stay tuned.<br>
<br>
Petr^2 Spacek<br>
<div class="HOEnZb">
<div class="h5"><br>
><br>
> Ben<br>
><br>
> [1]<br>
> ----<br>
> time->Fri Jul 22 04:17:44 2016<br>
> type=AVC msg=audit(1469153864.756:705): avc:
denied { read } for pid=11616<br>
> comm="named-pkcs11" name="tokens" dev="dm-0"
ino=26318195<br>
> scontext=system_u:system_r:named_t:s0<br>
> tcontext=unconfined_u:object_r:ipa_var_lib_t:s0
tclass=dir permissive=1<br>
> ----<br>
> time->Fri Jul 22 04:17:44 2016<br>
> type=AVC msg=audit(1469153864.756:706): avc:
denied { getattr } for<br>
> pid=11616 comm="named-pkcs11"<br>
>
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object"<br>
> dev="dm-0" ino=609982
scontext=system_u:system_r:named_t:s0<br>
> tcontext=unconfined_u:object_r:ipa_var_lib_t:s0
tclass=file permissive=1<br>
> ----<br>
> time->Fri Jul 22 04:17:44 2016<br>
> type=AVC msg=audit(1469153864.756:707): avc:
denied { read write } for<br>
> pid=11616 comm="named-pkcs11" name="generation"
dev="dm-0" ino=731584<br>
> scontext=system_u:system_r:named_t:s0<br>
> tcontext=unconfined_u:object_r:ipa_var_lib_t:s0
tclass=file permissive=1<br>
> ----<br>
> time->Fri Jul 22 04:17:44 2016<br>
> type=AVC msg=audit(1469153864.757:708): avc:
denied { open } for pid=11616<br>
> comm="named-pkcs11"<br>
>
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"<br>
> dev="dm-0" ino=731584
scontext=system_u:system_r:named_t:s0<br>
> tcontext=unconfined_u:object_r:ipa_var_lib_t:s0
tclass=file permissive=1<br>
> ----<br>
> time->Fri Jul 22 04:17:44 2016<br>
> type=AVC msg=audit(1469153864.757:709): avc:
denied { lock } for pid=11616<br>
> comm="named-pkcs11"<br>
>
path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"<br>
> dev="dm-0" ino=731584
scontext=system_u:system_r:named_t:s0<br>
> tcontext=unconfined_u:object_r:ipa_var_lib_t:s0
tclass=file permissive=1<br>
><br>
> [2] <a moz-do-not-send="true"
href="http://koji.fedoraproject.org/koji/buildinfo?buildID=758088"
rel="noreferrer" target="_blank">http://koji.fedoraproject.org/koji/buildinfo?buildID=758088</a><br>
> [3] <a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=1333106"
rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1333106</a><br>
><br>
> On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:<br>
>> UPDATE:<br>
>><br>
>> Tried again the whole procedure with
ipa-dns-install, and it DOES work with<br>
>> SElinux disable, and still fails with SElinux
enabled.<br>
>><br>
>> So the error "Failed to enumerate object store
in /var/lib/softhsm/tokens/"<br>
>> makes sense.<br>
>><br>
>> Can someone help me fix it?<br>
>><br>
>> $ ll -Z /var/lib/ipa/dnssec/<br>
>> total 12<br>
>> -rwxrwx---. 1 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21<br>
>> 22:50 softhsm_pin*<br>
>> drwxrws---. 3 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21<br>
>> 22:50 tokens/<br>
>><br>
>><br>
>><br>
>> On 21 July 2016 at 23:11, Roberto Cornacchia
<<a moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a><br>
</div>
</div>
<div class="HOEnZb">
<div class="h5">>> <mailto:<a
moz-do-not-send="true"
href="mailto:roberto.cornacchia@gmail.com">roberto.cornacchia@gmail.com</a>>>
wrote:<br>
>><br>
>> - FC23<br>
>> - IPA 4.2.4<br>
>><br>
>> After a dnf update, bind was updated (no
ipa updates),<br>
>> and named-pkcs11 doesn't start anymore.<br>
>><br>
>><br>
>> $ /usr/sbin/named-pkcs11 -d 9 -g<br>
>> 21-Jul-2016 23:08:50.332 starting BIND<br>
>> 9.10.3-P4-RedHat-9.10.3-13.P4.fc23
<id:ebd72b3> -d 9 -g<br>
>> 21-Jul-2016 23:08:50.332 built with<br>
>> '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu'<br>
>> '--program-prefix='
'--disable-dependency-tracking'<br>
>> '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin'<br>
>> '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share'<br>
>> '--includedir=/usr/include'
'--libdir=/usr/lib64'<br>
>> '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib'<br>
>> '--mandir=/usr/share/man'
'--infodir=/usr/share/info'<br>
>> '--with-python=/usr/bin/python3'
'--with-libtool'<br>
>> '--localstatedir=/var' '--enable-threads'
'--enable-ipv6'<br>
>> '--enable-filter-aaaa' '--with-pic'
'--disable-static'<br>
>> '--disable-openssl-version-check'<br>
>> '--includedir=/usr/include/bind9'
'--with-tuning=large'<br>
>> '--with-geoip' '--enable-native-pkcs11'<br>
>>
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'<br>
>> '--with-dlopen=yes' '--with-dlz-ldap=yes'<br>
>> '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes'<br>
>> '--with-dlz-filesystem=yes'
'--with-dlz-bdb=yes'<br>
>> '--with-gssapi=yes' '--disable-isc-spnego'
'--enable-fixed-rrset'<br>
>>
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'<br>
>> '--enable-full-report'
'build_alias=x86_64-redhat-linux-gnu'<br>
>> 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS= -O2 -g -pipe -Wall<br>
>> -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions<br>
>> -fstack-protector-strong
--param=ssp-buffer-size=4<br>
>> -grecord-gcc-switches<br>
>>
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64<br>
>> -mtune=generic' 'LDFLAGS=-Wl,-z,relro<br>
>>
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld'
'CPPFLAGS=<br>
>> -DDIG_SIGCHASE'<br>
>> 21-Jul-2016 23:08:50.332<br>
>>
----------------------------------------------------<br>
>> 21-Jul-2016 23:08:50.332 BIND 9 is
maintained by Internet Systems<br>
>> Consortium,<br>
>> 21-Jul-2016 23:08:50.332 Inc. (ISC), a
non-profit 501(c)(3)<br>
>> public-benefit<br>
>> 21-Jul-2016 23:08:50.332 corporation.
Support and training for<br>
>> BIND 9 are<br>
>> 21-Jul-2016 23:08:50.332 available at <a
moz-do-not-send="true"
href="https://www.isc.org/support" rel="noreferrer"
target="_blank">https://www.isc.org/support</a><br>
>> 21-Jul-2016 23:08:50.332<br>
>>
----------------------------------------------------<br>
>> 21-Jul-2016 23:08:50.332 adjusted limit on
open files from 4096 to<br>
>> 1048576<br>
>> 21-Jul-2016 23:08:50.332 found 2 CPUs,
using 2 worker threads<br>
>> 21-Jul-2016 23:08:50.332 using 2 UDP
listeners per interface<br>
>> 21-Jul-2016 23:08:50.332 using up to 21000
sockets<br>
>> 21-Jul-2016 23:08:50.332 Registering
DLZ_dlopen driver<br>
>> 21-Jul-2016 23:08:50.332 Registering SDLZ
driver 'dlopen'<br>
>> 21-Jul-2016 23:08:50.332 Registering DLZ
driver 'dlopen'<br>
>> 21-Jul-2016 23:08:50.335 initializing DST:
PKCS#11 initialization<br>
>> failed<br>
>> 21-Jul-2016 23:08:50.335 exiting (due to
fatal error)<br>
>><br>
>> journalctl shows:<br>
>><br>
>> named-pkcs11[9085]: ObjectStore.cpp(59):
Failed to enumerate<br>
>> object store in /var/lib/softhsm/tokens/<br>
>> named-pkcs11[9085]: SoftHSM.cpp(476): Could
not load the object store<br>
>><br>
>><br>
>><br>
>> $ ll -Z /var/lib/ipa/dnssec/<br>
>> total 12<br>
>> -rwxrwx---. 1 ods named
unconfined_u:object_r:ipa_var_lib_t:s0 30<br>
>> Jul 21 22:50 softhsm_pin*<br>
>> drwxrws---. 3 ods named
unconfined_u:object_r:ipa_var_lib_t:s0<br>
>> 4096 Jul 21 22:50 tokens/<br>
>><br>
>><br>
>> - I have seen <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/5520"
rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/5520</a>
, it<br>
>> doesn't help.<br>
>> - With setenforce 0, same error.<br>
>> - I have run ipa-dns-install, it recreates
named.conf, tokens<br>
>> etc. named-pkcs11 still doesn't start.<br>
>><br>
>><br>
>> Please, any idea?<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
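<p>The policy fragment at the top of this message has the shape of audit2allow output derived from the five AVC records Ben quoted. The script below is added here as an illustration and is not part of the thread: it is a minimal portable stand-in for that step, reading AVC records (the sample is constructed from the quoted ones, re-joined onto single lines and trimmed) and emitting the matching allow rules, which makes it easy to check that a proposed local module grants exactly the denied permissions and nothing more.</p>

```bash
#!/bin/sh
# Added example, not code from the thread: a minimal portable stand-in for the
# audit2allow step that turns AVC denial records into TE allow rules.
# SAMPLE_AVC is constructed from the five records Ben quoted, each re-joined
# onto one line and trimmed to the fields this script reads.
SAMPLE_AVC='type=AVC msg=audit(1469153864.756:705): avc:  denied  { read } for  pid=11616 comm="named-pkcs11" name="tokens" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc:  denied  { getattr } for  pid=11616 comm="named-pkcs11" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc:  denied  { read write } for  pid=11616 comm="named-pkcs11" name="generation" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc:  denied  { open } for  pid=11616 comm="named-pkcs11" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc:  denied  { lock } for  pid=11616 comm="named-pkcs11" scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1'

# avc_to_allow: read AVC records on stdin and print one allow rule per
# (source type, target type, object class) holding the union of denied permissions.
avc_to_allow() {
  LC_ALL=C awk '
    /type=AVC/ && /denied/ {
      # the permission set is the brace-delimited list right after "denied"
      b = index($0, "{"); e = index($0, "}")
      perms = substr($0, b + 1, e - b - 1)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level; only the type matters for the rule
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print s, t ":" c, p[j]
    }' |
  LC_ALL=C sort -u |
  LC_ALL=C awk '
    function emit() { printf "allow %s %s;\n", key, (np > 1 ? "{ " perms " }" : perms) }
    {
      k = $1 " " $2
      if (k != key) { if (key != "") emit(); key = k; perms = ""; np = 0 }
      perms = perms (np ? " " : "") $3; np++
    }
    END { if (key != "") emit() }'
}

# On a live host, replace the sample with: ausearch -m AVC -ts today | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

<p>The permissive=1 on every record means these accesses were logged but not blocked when captured, so a module built from them only takes effect once enforcing mode is back on; it also papers over the selinux-policy regression tracked in bug 1357665 and should be removed once the fixed package lands.</p>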
<br>
</body>
</html>