#5870 [tracker] DNSSEC signing is broken on Fedora 24
Closed: Fixed None Opened 7 years ago by pspacek.

Is SELinux to blame?

# systemctl status ipa-ods-exporter.socket
systemd[1]: ipa-ods-exporter.socket: Failed to listen on sockets: Permission denied
systemd[1]: Failed to listen on ipa-ods-exporter.socket.

# tail -n 0 -f /var/log/audit/audit.log
# systemctl start ipa-ods-exporter.socket 
type=AVC msg=audit(1462278071.358:11885): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

In permissive mode we get a bit further:

type=USER_AVC msg=audit(1462278193.008:11889): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1462278193.010:11890): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.010:11891): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.012:11892): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.012:11893): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/opendnssec/engine.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

More investigation is needed.


Metadata Update from @pspacek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.3.2

7 years ago
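
The two audit runs in the ticket above, summarized by an added Python example (not part of the ticket or of FreeIPA): it groups the denied permissions by source type, target type and object class, which shows that the enforcing run stops at the first denial while the permissive run exposes the full set. The log lines are copied from the ticket; the function names are illustrative.

```python
import re
from collections import defaultdict

# Audit records copied from the ticket above (enforcing run, then permissive run).
AUDIT_LOG = """\
type=AVC msg=audit(1462278071.358:11885): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=USER_AVC msg=audit(1462278193.008:11889): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1462278193.010:11890): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.010:11891): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.012:11892): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1462278193.012:11893): avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/opendnssec/engine.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
"""

# Kernel AVC denial: permission set, both contexts, object class, permissive flag.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class, permissive) -> set of denied perms."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # USER_AVC notices and other record types are skipped
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]),
               m["tclass"], int(m["permissive"]))
        groups[key].update(m["perms"].split())
    return dict(groups)

def te_rule(src, tgt, tclass, perms):
    """Render the denied access in type-enforcement rule syntax."""
    return f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    for (src, tgt, tclass, permissive), perms in sorted(summarize(AUDIT_LOG).items()):
        mode = "permissive" if permissive else "enforcing"
        print(f"{mode:10} {te_rule(src, tgt, tclass, perms)}")
```

The rendered rule only describes the access that was denied, in the form audit2allow would print it; it is not the fix recorded for this ticket.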
