I'm not familiar enough with Fedora release engineering to know how this
gets fixed permanently, but I'll share some investigation I've done.
This appears to be due to a change in the selinux-policy-targeted
package that happened recently. As of the latest version, named-pkcs11
tries to run as type named_t instead of unconfined_service_t, but it
isn't allowed to read the files from IPA [1]. When I downgraded to the
selinux-policy and selinux-policy-targeted packages from [2] I was able
to start named-pkcs11, so that might be a workaround you can use for
now. Ultimately, the patch that fixes [3] might need to be backported to
F23.
Ben
[1]
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
----
time->Fri Jul 22 04:17:44 2016
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
[2] http://koji.fedoraproject.org/koji/buildinfo?buildID=758088
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1333106
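As an added example (not code from this thread or from FreeIPA), a small Python triage script that parses AVC records like the ones in [1] and collapses them to source type, target type and object class, the granularity a policy rule works at. The sample input is the five records quoted above, embedded inline; the script shows from the log alone what Ben describes: every denial is named_t acting on ipa_var_lib_t, and permissive=1 on each record means the accesses were logged rather than blocked when they were collected.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in [1], one per line.
AVC_LOG = """\
type=AVC msg=audit(1469153864.756:705): avc: denied { read } for pid=11616 comm="named-pkcs11" name="tokens" dev="dm-0" ino=26318195 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469153864.756:706): avc: denied { getattr } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/token.object" dev="dm-0" ino=609982 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.756:707): avc: denied { read write } for pid=11616 comm="named-pkcs11" name="generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:708): avc: denied { open } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for pid=11616 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/12cfb199-b2fe-d328-0b3a-e644756b73d6/generation" dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# One AVC record: the permissions in braces, the subject and object *types*
# (third field of a user:role:type:level context) and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(log_text):
    """Return one dict per AVC denial record found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            r = m.groupdict()
            r["perms"] = frozenset(r["perms"].split())
            r["permissive"] = r["permissive"] == "1"   # 1: logged, not enforced
            records.append(r)
    return records

def summarize(records):
    """Collapse denials to {(source type, target type, class): permissions}."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: frozenset(v) for k, v in needed.items()}

def allow_rules(summary):
    """Render the summary as TE allow rules for human review, not for blind loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    recs = parse_avc(AVC_LOG)
    print(len(recs), "denials; all permissive:", all(r["permissive"] for r in recs))
    print("\n".join(allow_rules(summarize(recs))))
```

The rendered rules are the same shape audit2allow would produce; here they are a diagnostic, since Ben's point is that named-pkcs11 is in the wrong domain, not that named_t should gain access to ipa_var_lib_t.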
On 07/21/2016 05:51 PM, Roberto Cornacchia wrote:
UPDATE:
Tried again the whole procedure with ipa-dns-install, and it DOES work with SELinux disabled, and still fails with SELinux enabled.
So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" makes sense.
Can someone help me fix it?
$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote:
- FC23
- IPA 4.2.4
After a dnf update, bind was updated (no ipa updates),
and named-pkcs11 doesn't start anymore.
$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND
9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <id:ebd72b3> -d 9 -g
21-Jul-2016 23:08:50.332 built with
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking'
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-python=/usr/bin/python3' '--with-libtool'
'--localstatedir=/var' '--enable-threads' '--enable-ipv6'
'--enable-filter-aaaa' '--with-pic' '--disable-static'
'--disable-openssl-version-check'
'--includedir=/usr/include/bind9' '--with-tuning=large'
'--with-geoip' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so'
'--with-dlopen=yes' '--with-dlz-ldap=yes'
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-dlz-bdb=yes'
'--with-gssapi=yes' '--disable-isc-spnego' '--enable-fixed-rrset'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
-mtune=generic' 'LDFLAGS=-Wl,-z,relro
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS=
-DDIG_SIGCHASE'
21-Jul-2016 23:08:50.332
----------------------------------------------------
21-Jul-2016 23:08:50.332 BIND 9 is maintained by Internet Systems
Consortium,
21-Jul-2016 23:08:50.332 Inc. (ISC), a non-profit 501(c)(3)
public-benefit
21-Jul-2016 23:08:50.332 corporation. Support and training for
BIND 9 are
21-Jul-2016 23:08:50.332 available at https://www.isc.org/support
21-Jul-2016 23:08:50.332
----------------------------------------------------
21-Jul-2016 23:08:50.332 adjusted limit on open files from 4096 to
1048576
21-Jul-2016 23:08:50.332 found 2 CPUs, using 2 worker threads
21-Jul-2016 23:08:50.332 using 2 UDP listeners per interface
21-Jul-2016 23:08:50.332 using up to 21000 sockets
21-Jul-2016 23:08:50.332 Registering DLZ_dlopen driver
21-Jul-2016 23:08:50.332 Registering SDLZ driver 'dlopen'
21-Jul-2016 23:08:50.332 Registering DLZ driver 'dlopen'
21-Jul-2016 23:08:50.335 initializing DST: PKCS#11 initialization
failed
21-Jul-2016 23:08:50.335 exiting (due to fatal error)
journalctl shows:
named-pkcs11[9085]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/softhsm/tokens/
named-pkcs11[9085]: SoftHSM.cpp(476): Could not load the object store
$ ll -Z /var/lib/ipa/dnssec/
total 12
-rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0   30 Jul 21 22:50 softhsm_pin*
drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/
- I have seen https://fedorahosted.org/freeipa/ticket/5520; it doesn't help.
- With setenforce 0, same error.
- I have run ipa-dns-install, it recreates named.conf, tokens etc. named-pkcs11 still doesn't start.
Please, any idea?
Roberto
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project