I no longer get those AVC messages after going through the steps I described
on Bugzilla.
I ran your command

  ausearch -m avc -ts recent

and it came back with

  <no matches>

On the issue of the database error in the bind logs: it is always there,
whenever bind does an LDAP lookup for any DNS entry. However, it doesn't affect
or stop it from returning the correct query results. It's just that the
"database error" prefix on each LDAP lookup causes our monitoring system to go
crazy. I have updated from version 1.9.0-pre4 to the nightly builds but it did
not make any difference. If anything, I have now lost the web interface. The
web interface is not a problem since I don't use it anyway.

Thanks

Ide


On Tue, Nov 9, 2010 at 9:46 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Rob Crittenden wrote:
>
>> Uzor Ide wrote:
>>
>>>
>>> We have a network that relies on kerberos, 389-ds, bind and nfs4. I am
>>> currently testing out the freeipa version 2 to see if we can use it to
>>> consolidate the various configuration into one interface. For the most
>>> part it works great apart from the obvious area where it has not been
>>> completed. However there are somethings that I have noticed.
>>>
>>
>> Hey, sorry we didn't forget about you. Ticket
>> https://fedorahosted.org/freeipa/ticket/409 was opened for your DNS
>> problem.
>>
>> Do you get this query error frequently? Do you know what triggers it? I
>> haven't been able to reproduce it myself yet. I wonder if this happens
>> when logs roll.
>>
>> For the certmonger problem this looks like a new one to me, I'll file a
>> bug.
>>
>> regards
>>
>> rob
>>
>>> 1.) The DNS logging always logs a database error every time it accesses the
>>> ldap, even though the query returns okay and the dns reply is fine.
>>>
>>> here is an excerpt of the log named.run
>>>
>>> 24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
>>> 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>> 24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>> 24-Oct-2010 10:34:41.143 database: error: entry count: 1
>>> 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>> 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>> 24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>> 24-Oct-2010 10:39:43.586 database: error: entry count: 1
>>> 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>>>
>>> here is our logging configuration
>>>
>>> // *******************
>>> // Logging definitions
>>> // *******************
>>>
>>> // Logging
>>> logging {
>>> channel "named_log" {
>>> file "data/log/named.run" versions 5 size 4m;
>>> severity dynamic;
>>> print-category yes;
>>> print-severity yes;
>>> print-time yes;
>>> };
>>>
>>> channel "security_log" {
>>> file "data/log/security.log" versions 5 size 10m;
>>> severity dynamic;
>>> print-category yes;
>>> print-severity yes;
>>> print-time yes;
>>> };
>>>
>>> channel "query_log" {
>>> file "data/log/query.log" versions 5 size 50m;
>>> #severity dynamic;
>>> severity debug;
>>> print-category yes;
>>> print-severity yes;
>>> print-time yes;
>>> };
>>>
>>> channel "transfer_log" {
>>> file "data/log/transfer.log" versions 5 size 10m;
>>> severity dynamic;
>>> print-category yes;
>>> print-severity yes;
>>> };
>>>
>>> category "default" {
>>> "named_log";
>>> "default_syslog";
>>> "default_debug";
>>> };
>>>
>>> category "general" {
>>> "named_log";
>>> };
>>>
>>> category "queries" {
>>> "query_log";
>>> };
>>>
>>> category "lame-servers" {
>>> null;
>>> };
>>>
>>> category "security" {
>>> "security_log";
>>> };
>>>
>>> category "config" {
>>> "named_log";
>>> };
>>>
>>> category "resolver" {
>>> "query_log";
>>> };
>>>
>>> category "xfer-in" {
>>> "transfer_log";
>>> };
>>>
>>> category "xfer-out" {
>>> "transfer_log";
>>> };
>>>
>>> category "notify" {
>>> "transfer_log";
>>> };
>>>
>>> category "client" {
>>> "query_log";
>>> };
>>>
>>> category "network" {
>>> "named_log";
>>> };
>>>
>>> category "update" {
>>> "transfer_log";
>>> };
>>>
>>> category "dnssec" {
>>> "security_log";
>>> };
>>>
>>> category "dispatch" {
>>> "security_log";
>>> };
>>> };
>>>
>>> This error message keeps triggering our monitoring systems.
>>>
>>> 2.) I currently have only one ipa-client, and certmonger keeps getting
>>> SELinux AVC denials
>>>
>>> Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing
>>> /usr/sbin/certmonger "execute" access on
>>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>>> Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing
>>> /usr/sbin/certmonger "execute" access on
>>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>>> Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing
>>> /usr/sbin/certmonger "execute" access on
>>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>>> Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing
>>> /usr/sbin/certmonger "execute" access on
>>> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
>>> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>>>
>>>
>>> Summary:
>>>
>>> SELinux is preventing /usr/sbin/certmonger "execute" access on
>>> /usr/libexec/certmonger/ipa-submit.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by certmonger. It is not expected that
>>> this
>>> access is required by certmonger and this access may signal an intrusion
>>> attempt. It is also possible that the specific version or configuration
>>> of the
>>> application is causing it to require additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file
>>> a bug
>>> report.
>>>
>>> Additional Information:
>>>
>>> Source Context system_u:system_r:certmonger_t:s0
>>> Target Context system_u:object_r:bin_t:s0
>>> Target Objects /usr/libexec/certmonger/ipa-submit [ file ]
>>> Source certmonger
>>> Source Path /usr/sbin/certmonger
>>> Port <Unknown>
>>> Host ulasi.uzdomain.ca
>>> Source RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13
>>> Target RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13
>>> Policy RPM selinux-policy-3.7.19-65.fc13
>>> Selinux Enabled True
>>> Policy Type targeted
>>> Enforcing Mode Enforcing
>>> Plugin Name catchall
>>> Host Name ulasi.uzdomain.ca
>>> Platform Linux ulasi.uzdomain.ca 2.6.34.7-61.fc13.i686.PAE
>>> #1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686
>>> Alert Count 1646
>>> First Seen Sat Oct 23 15:48:48 2010
>>> Last Seen Sun Oct 24 10:59:52 2010
>>> Local ID 8db766a3-6100-4be5-aec6-2a3a713290e2
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=ulasi.uzdomain.ca type=AVC
>>> msg=audit(1287932392.282:21690): avc: denied { execute } for pid=3472
>>> comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251
>>> scontext=system_u:system_r:certmonger_t:s0
>>> tcontext=system_u:object_r:bin_t:s0 tclass=file
>>>
>>> node=ulasi.uzdomain.ca type=SYSCALL
>>> msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no
>>> exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555
>>> pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=(none) ses=4294967295 comm="certmonger"
>>> exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0
>>> key=(null)
>>>
>>> I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ];
>>> because of the problem I updated to the nightly build
>>> certmonger-0.32-0.2010101515git5920eca.fc13, but the problem continues.
>>>
>>> These are the selinux rpms
>>> selinux-policy-targeted-3.7.19-65.fc13.noarch
>>> selinux-policy-3.7.19-65.fc13.noarch
>>> libselinux-python-2.0.94-2.fc13.i686
>>> libselinux-utils-2.0.94-2.fc13.i686
>>>
>>
> Uzor, the SELinux guys have updated the bug asking this:
>
> Can you execute:
>
> # semanage permissive -a certmonger_t
>
> and re-test it. After that execute
>
> # ausearch -m avc -ts recent
>
>
> I just want to see if you get any more AVC messages. Thanks.
>
> rob
>
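An added example, not from the thread or the FreeIPA project: a small Python parser for named.run lines in the layout the quoted logging channels produce (print-time, print-category and print-severity all on). It normalizes the variable parts of each message so that the repeated "database: error" lookup lines collapse to one key a monitoring system can count or rate-limit instead of alerting on each line. The sample input is the thread's own named.run excerpt, re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the named.run lines quoted in the thread, re-joined onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.143 database: error: entry count: 1
24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.586 database: error: entry count: 1
24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
"""

# Layout produced by the quoted channels: print-time yes; print-category yes;
# print-severity yes;  ->  "<time> <category>: <severity>: <message>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<message>.*)$")

def parse_named_log(text):
    """Return one dict (time, category, severity, message) per well-formed line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def normalize(message):
    """Collapse the variable parts (quoted DNs/filters/names, bare numbers) into
    placeholders so the same kind of message always yields the same key."""
    msg = re.sub(r"'[^']*'", "'<...>'", message)
    return re.sub(r"\b\d+\b", "<n>", msg)

def summarize(text):
    """Count lines by (category, severity, normalized message): a de-duplication
    key for monitoring, so the per-lookup 'database: error' lines become one
    counted signature instead of a page per line."""
    counts = Counter()
    for rec in parse_named_log(text):
        counts[(rec["category"], rec["severity"], normalize(rec["message"]))] += 1
    return counts
```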
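An added example, not from the thread: Python that parses raw audit records like the ones quoted above, pairs each type=AVC line with its type=SYSCALL line by audit serial, and reports the denial as source type, target type, object class and permissions, plus whether the kernel actually refused the call. The first record pair is the thread's own (re-joined and abridged); the second pair is constructed to show what Rob's re-test after `semanage permissive -a certmonger_t` should produce: the AVC is still logged, but the SYSCALL record says success=yes.

```python
import re
# Constructed sample: the two records quoted in the thread, re-joined onto single
# lines and abridged, plus a constructed pair showing the same denial after
# `semanage permissive -a certmonger_t` (the execve then completes: success=yes).
SAMPLE_AUDIT = """\
node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc: denied { execute } for pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 pid=3472 uid=0 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
node=ulasi.uzdomain.ca type=AVC msg=audit(1287932500.100:21800): avc: denied { execute } for pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932500.100:21800): arch=40000003 syscall=11 success=yes exit=0 pid=3472 uid=0 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
"""

MSG_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="quoted value"
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}")  # the { perm ... } set

def parse_records(text):
    """Group records by audit serial: {serial: {"AVC": [fields, ...], "SYSCALL": fields}}."""
    events = {}
    for m in filter(None, map(MSG_RE.search, text.splitlines())):
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events.setdefault(serial, {"AVC": [], "SYSCALL": None})
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            fields["perms"] = perms.group(1).split() if perms else []
            ev["AVC"].append(fields)
        elif rtype == "SYSCALL":
            ev["SYSCALL"] = fields
    return events

def selinux_type(context):
    """Type component of a user:role:type[:range] context, e.g. 'bin_t'."""
    return context.split(":")[2] if context.count(":") >= 2 else context

def summarize_denials(text):
    """One summary per AVC joined to its SYSCALL by serial; denied_by_kernel is True only
    if that syscall failed (a permissive domain still logs the AVC but the call succeeds)."""
    out = []
    for serial, ev in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        sc = ev["SYSCALL"]
        for avc in ev["AVC"]:
            out.append({
                "serial": serial, "perms": avc["perms"], "name": avc.get("name"),
                "tclass": avc.get("tclass"), "exe": sc.get("exe") if sc else None,
                "source_type": selinux_type(avc.get("scontext", "")),
                "target_type": selinux_type(avc.get("tcontext", "")),
                "denied_by_kernel": (sc.get("success") == "no") if sc else None,
            })
    return out
```

Reading the first summary the way a defender would: the source domain is certmonger_t and the target file carries the generic bin_t type, so the question for the policy maintainers is the labelling of ipa-submit or the transition rules for certmonger_t, not an unexpected process.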
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users