[Freeipa-users] named-pkcs11 doesn't start after bind update
Petr Spacek
pspacek at redhat.com
Wed Aug 17 12:54:44 UTC 2016
On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?
Not really, we are waiting for SELinux policy maintainers to pick this up.
For the time being, you can try this:
1. Switch to permissive mode
$ setenforce 0
2. Watch audit log for new AVCs:
$ tail -f /var/log/audit/audit.log | grep --line-buffered AVC > /tmp/avcs.log
3. Restart the named-pkcs11 service
$ systemctl restart named-pkcs11
4. Generate missing rules:
$ audit2allow /tmp/avcs.log
5. Review the rules and load them if necessary
Please post the resulting /tmp/avcs.log and rules to the bug
https://bugzilla.redhat.com/show_bug.cgi?id=1357665
to speed things up.
Thank you!
Petr^2 Spacek
> I've tried to make selinux permissive and write new policy,
> that didn't help.
>
> require {
> type ipa_var_lib_t;
> type named_t;
> class dir read;
> class file { write open lock read getattr };
> }
>
> #============= named_t ==============
> allow named_t ipa_var_lib_t:dir read;
> allow named_t ipa_var_lib_t:file { write open lock read getattr };
>
>
> 22.07.2016 13:04, Roberto Cornacchia wrote:
>> Ben and Petr,
>>
>> Thanks for your inputs, I'll keep an eye on those bug reports.
>>
>> Roberto
>>
>> On 22 July 2016 at 09:51, Petr Spacek <pspacek at redhat.com> wrote:
>>
>> On 22.7.2016 04:43, Ben Lipton wrote:
>> > I'm not familiar enough with Fedora release engineering to know how this gets
>> > fixed permanently, but I'll share some investigation I've done.
>> >
>> > This appears to be due to a change in the selinux-policy-targeted package that
>> > happened recently. As of the latest version, named-pkcs11 tries to run as type
>> > named_t instead of unconfined_service_t, but it isn't allowed to read the
>> > files from IPA [1]. When I downgraded to the selinux-policy and
>> > selinux-policy-targeted packages from [2] I was able to start named-pkcs11, so
>> > that might be a workaround you can use for now. Ultimately, the patch that
>> > fixes [3] might need to be backported to F23.
>>
>> This is being tracked as
>> https://bugzilla.redhat.com/show_bug.cgi?id=1357665
>>
>> Stay tuned.
>>
>> Petr^2 Spacek
>>
>> >
>> > Ben
>> >
>> > [1]
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616
>> > comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195
>> > scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for
>> > pid=11616 comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object"
>> > dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for
>> > pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584
>> > scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616
>> > comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
>> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> > ----
>> > time->Fri Jul 22 04:17:44 2016
>> > type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616
>> > comm="named-pkcs11"
>> > path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation"
>> > dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0
>> > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
>> >
>> > [2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
>> > [3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106
>> >
>> > On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:
>> >> UPDATE:
>> >>
>> >> Tried again the whole procedure with ipa-dns-install, and it DOES work with
>> >> SELinux disabled, and still fails with SELinux enabled.
>> >>
>> >> So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/"
>> >> makes sense.
>> >>
>> >> Can someone help me fix it?
>> >>
>> >> $ ll -Z /var/lib/ipa/dnssec/
>> >> total 12
>> >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50 softhsm_pin*
>> >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>> >>
>> >>
>> >>
>> >> On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacchia at gmail.com> wrote:
>> >>
>> >> - FC23
>> >> - IPA 4.2.4
>> >>
>> >> After a dnf update, bind was updated (no ipa updates),
>> >> and named-pkcs11 doesn't start anymore.
>> >>
>> >>
>> >> $ /usr/sbin/named-pkcs11 -d 9 -g
>> >> 21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <id:ebd72b3> -d 9 -g
>> >> 21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
>> >> '--program-prefix=' '--disable-dependency-tracking'
>> >> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
>> >> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
>> >> '--includedir=/usr/include' '--libdir=/usr/lib64'
>> >> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
>> >> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> >> '--with-python=/usr/bin/python3' '--with-libtool'
>> >> '--localstatedir=/var' '--enable-threads' '--enable-ipv6'
>> >> '--enable-filter-aaaa' '--with-pic' '--disable-static'
>> >> '--disable-openssl-version-check'
>> >> '--includedir=/usr/include/bind9' '--with-tuning=large'
>> >> '--with-geoip' '--enable-native-pkcs11'
>> >> '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
>> >> '--with-dlopen=yes' '--with-dlz-ldap=yes'
>> >> '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
>> >> '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
>> >> '--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset'
>> >> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
>> >> '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
>> >> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
>> >> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> >> -fstack-protector-strong --param=ssp-buffer-size=4
>> >> -grecord-gcc-switches
>> >> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
>> >> -mtune=generic' 'LDFLAGS=-Wl,-z,relro
>> >> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS=
>> >> -DDIG_SIGCHASE'
>> >> 21-Jul-2016 23:08:50.332 ----------------------------------------------------
>> >> 21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems Consortium,
>> >> 21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> >> 21-Jul-2016 23:08:50.332 corporation. Support and training for BIND 9 are
>> >> 21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
>> >> 21-Jul-2016 23:08:50.332 ----------------------------------------------------
>> >> 21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to 1048576
>> >> 21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
>> >> 21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
>> >> 21-Jul-2016 23:08:50.332 using up to 21000 sockets
>> >> 21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
>> >> 21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
>> >> 21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
>> >> 21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization failed
>> >> 21-Jul-2016 23:08:50.335 exiting (due to fatal error)
>> >>
>> >> journalctl shows:
>> >>
>> >> named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
>> >> named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store
>> >>
>> >>
>> >>
>> >> $ ll -Z /var/lib/ipa/dnssec/
>> >> total 12
>> >> -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50 softhsm_pin*
>> >> drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
>> >>
>> >>
>> >> - I have seen https://fedorahosted.org/freeipa/ticket/5520 , it
>> >> doesn't help.
>> >> - With setenforce 0, same error.
>> >> - I have run ipa-dns-install, it recreates named.conf, tokens
>> >> etc. named-pkcs11 still doesn't start.
>> >>
>> >>
>> >> Please, any idea?
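As an added example (not code from this thread, FreeIPA or audit2allow), here is a small Python parser that does what step 4 of Petr's procedure does: it turns the AVC records Ben posted into the audit2allow-style rule set, so a reviewer can see exactly which types, classes and permissions step 5 would load. The sample records are constructed by copying the thread's five denials onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC records from Ben's message, re-joined onto single lines.
SAMPLE_AVCS = """\
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# Pull the denied permission set, the source and target *types* (third field of each
# context) and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+\s+'
    r'\btcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+'
    r'\btclass=(?P<tclass>\S+)'
)

def parse_avcs(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # audit.log also carries SYSCALL, CWD, PATH ... records; skip those
            key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
            denials[key].update(m.group("perms").split())
    return denials

def fmt_perms(perms):
    perms = sorted(perms)  # one permission bare, several in braces, as audit2allow prints them
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def to_policy(denials):
    """Render the denials as a Type Enforcement module body in audit2allow's layout."""
    out = ["require {"]
    out += ["\ttype %s;" % t for t in sorted({t for k in denials for t in k[:2]})]
    for cls in sorted({k[2] for k in denials}):
        perms = set().union(*[p for k, p in denials.items() if k[2] == cls])
        out.append("\tclass %s %s;" % (cls, fmt_perms(perms)))
    out.append("}")
    for (stype, ttype, cls), perms in sorted(denials.items()):
        out.append("allow %s %s:%s %s;" % (stype, ttype, cls, fmt_perms(perms)))
    return "\n".join(out)

if __name__ == "__main__":
    print(to_policy(parse_avcs(SAMPLE_AVCS)))
```

The output matches the module Arthur posted above up to permission order. Note that the allow rules are keyed on the ipa_var_lib_t type, so they grant named_t read and write on everything carrying that label, not only the tokens directory, which is the kind of scope a reviewer checks in step 5.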