Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Petr Spacek
On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?

Not really, we are waiting for SELinux policy maintainers to pick this up. For the time being, you can try this:
1. Switch to permissive mode
   $ setenforce 0
2. Watch audit log for new AVCs:
   $ tail -f /var/log/audit.log | grep AVC
>

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Arthur Fayzullin
any news? I've tried to make SELinux permissive and write a new policy; that didn't help.
require {
    type ipa_var_lib_t;
    type named_t;
    class dir read;
    class file { write open lock read getattr };
}
#= named_t ==
allow named_t ipa_var_lib_t:dir

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Roberto Cornacchia
Ben and Petr, Thanks for your inputs, I'll keep an eye on those bug reports. Roberto On 22 July 2016 at 09:51, Petr Spacek wrote: > On 22.7.2016 04:43, Ben Lipton wrote: > > I'm not familiar enough with Fedora release engineering to know how this > gets > > fixed

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Petr Spacek
On 22.7.2016 04:43, Ben Lipton wrote: > I'm not familiar enough with Fedora release engineering to know how this gets > fixed permanently, but I'll share some investigation I've done. > > This appears to be due to a change in the selinux-policy-targeted package that > happened recently. As of the

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Ben Lipton
I'm not familiar enough with Fedora release engineering to know how this gets fixed permanently, but I'll share some investigation I've done. This appears to be due to a change in the selinux-policy-targeted package that happened recently. As of the latest version, named-pkcs11 tries to run

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
UPDATE: Tried the whole procedure again with ipa-dns-install, and it DOES work with SELinux disabled, and still fails with SELinux enabled. So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/" makes sense. Can someone help me fix it?
$ ll -Z /var/lib/ipa/dnssec/
total 12

[Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
- FC23
- IPA 4.2.4
After a dnf update, bind was updated (no ipa updates), and named-pkcs11 doesn't start anymore.
$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g
21-Jul-2016 23:08:50.332 built with