Bug 1366649
| Summary: | IdM DNSSEC component is broken because too restrictive SELinux policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Spacek <pspacek> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-94.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:36:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I confirm it started to work with: $ rpm -q ipa-server selinux-policy-targeted opendnssec softhsm bind ipa-server-4.4.0-7.el7.x86_64 selinux-policy-targeted-3.13.1-94.el7.noarch opendnssec-1.4.7-3.el7.x86_64 softhsm-2.1.0-2.el7.x86_64 bind-9.9.4-36.el7.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: Version-Release number of selected component (if applicable): ipa-server-4.4.0-7.el7.x86_64 selinux-policy-3.13.1-93.el7.noarch opendnssec-1.4.7-3.el7.x86_64 How reproducible: 100 % Steps to Reproduce: 1. install IdM/IPA $ ipa-server-install --ds-password="$ADMINPW" --admin-password="$ADMINPW" "--domain=$(echo $DOMAIN | tr "[:upper:]" "[:lower:]")" --realm="$(echo $DOMAIN | tr "[:lower:]" "[:upper:]")" --unattended --setup-dns --auto-forwarders 2. install DNSSEC component of FreeIPA: ipa-dns-install --unattended --dnssec-master --forwarder=<IP address of an DNS server> 3. add a DNS zone into IdM $ ipa dnszone-add test. 4. enable DNSSEC for a DNS zone $ ipa dnszone-mod test. --dnssec=1 Actual results: * ipa-dnskeysyncd service fails with following error message: ipa-dnskeysyncd: subprocess.CalledProcessError: Command 'ods-ksmutil zonelist export' returned non-zero exit status 1 ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE Expected results: It should not fail. Additional info: Here are messages from permissive mode: $ sudo ausearch -m avc | grep AVC type=AVC msg=audit(1471009482.193:261): avc: denied { write } for pid=3013 comm="ods-ksmutil" name="opendnssec" dev="dm-0" ino=25942765 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_conf_t:s0 tclass=dir type=AVC msg=audit(1471009482.222:262): avc: denied { add_name } for pid=3013 comm="ods-ksmutil" name="zonelist.xml.backup" scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_conf_t:s0 tclass=dir type=AVC msg=audit(1471009482.237:263): avc: denied { open } for pid=3017 comm="ods-control" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1471009482.237:263): avc: denied { read } for pid=3017 comm="ods-control" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1471009482.238:264): avc: denied { getattr } for pid=3017 comm="ods-control" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file type=AVC msg=audit(1471009483.150:265): avc: denied { read write } for pid=2783 comm="ods-enforcerd" name="tmp" dev="dm-0" ino=69 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1471009483.150:266): avc: denied { write open } for pid=2783 comm="ods-enforcerd" path="/var/tmp/etilqs_Z8VMXybe1SlKscu" dev="dm-0" ino=322643 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=AVC msg=audit(1471009483.150:266): avc: denied { create } for pid=2783 comm="ods-enforcerd" name="etilqs_Z8VMXybe1SlKscu" scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=AVC msg=audit(1471009483.150:266): avc: denied { add_name } for pid=2783 comm="ods-enforcerd" name="etilqs_Z8VMXybe1SlKscu" scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=AVC msg=audit(1471009483.151:267): avc: denied { unlink } for pid=2783 comm="ods-enforcerd" name="etilqs_Z8VMXybe1SlKscu" dev="dm-0" ino=322643 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=AVC msg=audit(1471009483.151:267): avc: denied { remove_name } for pid=2783 comm="ods-enforcerd" name="etilqs_Z8VMXybe1SlKscu" dev="dm-0" ino=322643 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Interestingly, this is different from Fedora 24 bug 1366640. In Fedora there is a problem with systemd socket activation but I cannot see other AVCs like the ones listed above. On the other hand, the Fedora problem is not present in RHEL because the socket activation seems to work in RHEL but we have other problems in RHEL. Maybe if you combine rules from Fedora 24 and RHEL together it could start working.