| Summary: | Unable to set named_write_master_zones boolean on upgrade |
|---|---|
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Nikhil Dehadrai <ndehadra> |
| Component: | bind-dyndb-ldap |
| Assignee: | Petr Spacek <pspacek> |
| Status: | CLOSED ERRATA |
| QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 7.3 |
| CC: | lvrabec, mbasti, mgrepl, mhruscak, mkosek, mmalik, nsoman, plautrba, pspacek, pvoborni, pvrabec, rcritten, ssekidde, tlavigne |
| Target Milestone: | rc |
| Keywords: | Regression, TestBlocker |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | bind-dyndb-ldap-10.0-5.el7 |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2016-11-04 04:51:23 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Bug Depends On: | |
| Bug Blocks: | 1256306 |
| Attachments: | |
Please note that those AVCs cannot be reproduced on a clean install on RHEL 7.3, so the upgrade failure of the selinux-policy is probably the root cause of the bind-dyndb-ldap AVCs.

Nikhil, could you attach the output of:
# semodule -l | grep 400
Thanks.

I guess that Lukas made a mistake and the command should have been:
# semodule -lfull | grep 400

Seen on the machine you provided (ausearch -m avc -m user_avc -i):
----
type=PATH msg=audit(09/19/2016 15:24:18.078:511) : item=1 name=dyndb-ldap/ipa/master objtype=CREATE
type=PATH msg=audit(09/19/2016 15:24:18.078:511) : item=0 name=dyndb-ldap/ipa/ inode=201593081 dev=fd:00 mode=dir,770 ouid=named ogid=named rdev=00:00 obj=unconfined_u:object_r:named_zone_t:s0 objtype=PARENT
type=CWD msg=audit(09/19/2016 15:24:18.078:511) : cwd=/var/named
type=SYSCALL msg=audit(09/19/2016 15:24:18.078:511) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x7f6cd9a2a440 a1=0770 a2=0x5 a3=0x0 items=2 ppid=1 pid=17515 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named-pkcs11 exe=/usr/sbin/named-pkcs11 subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(09/19/2016 15:24:18.078:511) : avc: denied { write } for pid=17515 comm=named-pkcs11 name=ipa dev="dm-0" ino=201593081 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
----
# find / -inum 201593081
/var/named/dyndb-ldap/ipa
# matchpathcon /var/
/var system_u:object_r:var_t:s0
# matchpathcon /var/named/
/var/named system_u:object_r:named_zone_t:s0
# matchpathcon /var/named/dyndb-ldap/
/var/named/dyndb-ldap system_u:object_r:named_zone_t:s0
# matchpathcon /var/named/dyndb-ldap/ipa/
/var/named/dyndb-ldap/ipa system_u:object_r:named_zone_t:s0
#
# sesearch -s named_t -t named_zone_t -c dir -A -C -p write
Found 4 semantic av rules:
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
#
My recommendation is to enable the named_write_master_zones boolean:
# setsebool -P named_write_master_zones on
Full log from yum transaction follows. Please note the scriptlet outputs at the end:
# yum history info 14
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Transaction ID : 14
Begin time : Mon Sep 19 14:51:04 2016
Begin rpmdb : 856:c47d819d43ec63c0314e4e64cf994d9540479a91
End time : 15:04:17 2016 (13 minutes)
End rpmdb : 916:3cecff9b903562e37924bf8bf661ba64a2c8a3bc
User : root <root>
Return-Code : Success
Command Line : -y update ipa* sssd
Transaction performed with:
Installed rpm-4.11.1-16.el7.x86_64 @beaker-Server/7.0
Installed subscription-manager-1.10.14-7.el7.x86_64 @beaker-Server/7.0
Installed yum-3.4.3-118.el7.noarch @beaker-Server/7.0
Installed yum-metadata-parser-1.1.4-10.el7.x86_64 @beaker-Server/7.0
Packages Altered:
Updated 389-ds-base-1.3.1.6-25.el7.x86_64 @beaker-Server
Obsoleted 389-ds-base-1.3.1.6-25.el7.x86_64 @beaker-Server
Obsoleting 389-ds-base-1.3.5.10-11.el7.x86_64 @rhel73
Updated 389-ds-base-libs-1.3.1.6-25.el7.x86_64 @beaker-Server
Update 1.3.5.10-11.el7.x86_64 @rhel73
Dep-Install GeoIP-1.5.0-11.el7.x86_64 @rhel73
Updated bind-32:9.9.4-14.el7.x86_64 @beaker-Server
Update 32:9.9.4-36.el7.x86_64 @rhel73
Updated bind-dyndb-ldap-3.5-4.el7.x86_64 @beaker-Server
Update 10.0-4.el7.x86_64 @rhel73
Updated bind-libs-32:9.9.4-14.el7.x86_64 @beaker-Server/7.0
Update 32:9.9.4-36.el7.x86_64 @rhel73
Updated bind-libs-lite-32:9.9.4-14.el7.x86_64 @beaker-Server/7.0
Update 32:9.9.4-36.el7.x86_64 @rhel73
Updated bind-license-32:9.9.4-14.el7.noarch @beaker-Server/7.0
Update 32:9.9.4-36.el7.noarch @rhel73
Dep-Install bind-pkcs11-32:9.9.4-36.el7.x86_64 @rhel73
Dep-Install bind-pkcs11-libs-32:9.9.4-36.el7.x86_64 @rhel73
Dep-Install bind-pkcs11-utils-32:9.9.4-36.el7.x86_64 @rhel73
Updated certmonger-0.70-2.el7.x86_64 @beaker-Server/7.0
Update 0.78.4-3.el7.x86_64 @rhel73
Updated chkconfig-1.3.61-4.el7.x86_64 @beaker-Server/7.0
Update 1.7.2-1.el7.x86_64 @rhel73
Dep-Install copy-jdk-configs-1.2-1.el7.noarch @rhel73
Dep-Install custodia-0.1.0-4.el7.noarch @rhel73
Updated dracut-033-161.el7.x86_64 @beaker-Server/7.0
Update 033-462.el7.x86_64 @rhel73
Updated dracut-config-rescue-033-161.el7.x86_64 @beaker-Server/7.0
Update 033-462.el7.x86_64 @rhel73
Updated dracut-network-033-161.el7.x86_64 @beaker-Server/7.0
Update 033-462.el7.x86_64 @rhel73
Dep-Install fontawesome-fonts-4.1.0-1.el7.noarch @rhel73
Updated glib2-2.36.3-5.el7.x86_64 @beaker-Server/7.0
Update 2.46.2-4.el7.x86_64 @rhel73
Updated httpd-2.4.6-17.el7.x86_64 @beaker-Server
Update 2.4.6-45.el7.x86_64 @rhel73
Updated httpd-tools-2.4.6-17.el7.x86_64 @beaker-Server
Update 2.4.6-45.el7.x86_64 @rhel73
Updated initscripts-9.49.17-1.el7.x86_64 @beaker-Server/7.0
Update 9.49.37-1.el7.x86_64 @rhel73
Updated ipa-admintools-3.3.3-28.el7.x86_64 @beaker-Server/7.0
Update 4.4.0-12.el7.noarch @rhel73
Updated ipa-client-3.3.3-28.el7.x86_64 @beaker-Server/7.0
Update 4.4.0-12.el7.x86_64 @rhel73
Dep-Install ipa-client-common-4.4.0-12.el7.noarch @rhel73
Dep-Install ipa-common-4.4.0-12.el7.noarch @rhel73
Obsoleted ipa-python-3.3.3-28.el7.x86_64 @beaker-Server/7.0
Obsoleting ipa-python-compat-4.4.0-12.el7.noarch @rhel73
Updated ipa-server-3.3.3-28.el7.x86_64 @beaker-Server
Obsoleted ipa-server-3.3.3-28.el7.x86_64 @beaker-Server
Obsoleting ipa-server-4.4.0-12.el7.x86_64 @rhel73
Dep-Install ipa-server-common-4.4.0-12.el7.noarch @rhel73
Obsoleting ipa-server-dns-4.4.0-12.el7.noarch @rhel73
Dep-Install jackson-1.9.4-7.el7.noarch @beaker-Server-optional
Dep-Install java-1.8.0-openjdk-headless-1:1.8.0.102-4.b14.el7.x86_64 @rhel73
Dep-Install jboss-annotations-1.1-api-1.0.1-0.6.20120212git76e1a2.el7.noarch @beaker-Server-optional
Dep-Install joda-convert-1.3-5.el7.noarch @beaker-Server-optional
Dep-Install joda-time-2.2-3.tzdata2013c.el7.noarch @beaker-Server-optional
Dep-Install jsr-311-1.1.1-6.el7.noarch @beaker-Server-optional
Updated jss-4.2.6-33.el7.x86_64 @beaker-Server
Update 4.2.6-42.el7.x86_64 @rhel73
Updated kmod-14-9.el7.x86_64 @beaker-Server/7.0
Update 20-9.el7.x86_64 @rhel73
Updated krb5-libs-1.11.3-49.el7.x86_64 @beaker-Server/7.0
Update 1.14.1-26.el7.x86_64 @rhel73
Updated krb5-pkinit-1.11.3-49.el7.x86_64 @beaker-Server
Update 1.14.1-26.el7.x86_64 @rhel73
Updated krb5-server-1.11.3-49.el7.x86_64 @beaker-Server
Update 1.14.1-26.el7.x86_64 @rhel73
Updated krb5-workstation-1.11.3-49.el7.x86_64 @beaker-Server/7.0
Update 1.14.1-26.el7.x86_64 @rhel73
Dep-Install ldns-1.6.16-10.el7.x86_64 @rhel73
Updated libbasicobjects-0.1.0-22.el7.x86_64 @beaker-Server/7.0
Update 0.1.1-27.el7.x86_64 @rhel73
Updated libcollection-0.6.2-22.el7.x86_64 @beaker-Server/7.0
Update 0.6.2-27.el7.x86_64 @rhel73
Updated libdhash-0.4.3-22.el7.x86_64 @beaker-Server/7.0
Update 0.4.3-27.el7.x86_64 @rhel73
Updated libgudev1-208-11.el7.x86_64 @beaker-Server/7.0
Update 219-30.el7.x86_64 @rhel73
Updated libini_config-1.0.0.1-22.el7.x86_64 @beaker-Server/7.0
Update 1.3.0-27.el7.x86_64 @rhel73
Updated libipa_hbac-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Obsoleted libipa_hbac-python-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Dep-Install libkadm5-1.14.1-26.el7.x86_64 @rhel73
Updated libldb-1.1.16-4.el7.x86_64 @beaker-Server/7.0
Update 1.1.26-1.el7.x86_64 @rhel73
Updated libpath_utils-0.2.1-22.el7.x86_64 @beaker-Server/7.0
Update 0.2.1-27.el7.x86_64 @rhel73
Updated libref_array-0.1.3-22.el7.x86_64 @beaker-Server/7.0
Update 0.1.5-27.el7.x86_64 @rhel73
Updated libselinux-2.2.2-6.el7.x86_64 @beaker-Server/7.0
Update 2.5-6.el7.x86_64 @rhel73
Updated libselinux-python-2.2.2-6.el7.x86_64 @beaker-Server/7.0
Update 2.5-6.el7.x86_64 @rhel73
Updated libselinux-utils-2.2.2-6.el7.x86_64 @beaker-Server/7.0
Update 2.5-6.el7.x86_64 @rhel73
Updated libsemanage-2.1.10-16.el7.x86_64 @beaker-Server/7.0
Update 2.5-4.el7.x86_64 @rhel73
Updated libsemanage-python-2.1.10-16.el7.x86_64 @beaker-Server
Update 2.5-4.el7.x86_64 @rhel73
Updated libsepol-2.1.9-3.el7.x86_64 @beaker-Server/7.0
Update 2.5-6.el7.x86_64 @rhel73
Dep-Install libsmbclient-4.4.4-9.el7.x86_64 @rhel73
Dep-Install libsss_autofs-1.14.0-42.el7.x86_64 @rhel73
Updated libsss_idmap-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated libsss_nss_idmap-1.11.2-65.el7.x86_64 @beaker-Server
Update 1.14.0-42.el7.x86_64 @rhel73
Updated libtalloc-2.0.8-4.el7.x86_64 @beaker-Server/7.0
Update 2.1.6-1.el7.x86_64 @rhel73
Updated libtdb-1.2.12-3.el7.x86_64 @beaker-Server/7.0
Update 1.3.8-1.el7.x86_64 @rhel73
Updated libtevent-0.9.18-6.el7.x86_64 @beaker-Server/7.0
Update 0.9.28-1.el7.x86_64 @rhel73
Updated libwbclient-4.1.1-31.el7.x86_64 @beaker-Server/7.0
Update 4.4.4-9.el7.x86_64 @rhel73
Dep-Install lksctp-tools-1.0.17-2.el7.x86_64 @rhel73
Dep-Install mod_auth_gssapi-1.4.0-1.el7.x86_64 @rhel73
Updated nspr-4.10.2-4.el7.x86_64 @beaker-Server/7.0
Update 4.11.0-1.el7_2.x86_64 @rhel73
Updated nss-3.15.4-6.el7.x86_64 @beaker-Server/7.0
Update 3.21.0-17.el7.x86_64 @rhel73
Updated nss-softokn-3.15.4-2.el7.x86_64 @beaker-Server/7.0
Update 3.16.2.3-14.4.el7.x86_64 @rhel73
Updated nss-softokn-freebl-3.15.4-2.el7.x86_64 @beaker-Server/7.0
Update 3.16.2.3-14.4.el7.x86_64 @rhel73
Updated nss-sysinit-3.15.4-6.el7.x86_64 @beaker-Server/7.0
Update 3.21.0-17.el7.x86_64 @rhel73
Updated nss-tools-3.15.4-6.el7.x86_64 @beaker-Server/7.0
Update 3.21.0-17.el7.x86_64 @rhel73
Updated nss-util-3.15.4-2.el7.x86_64 @beaker-Server/7.0
Update 3.21.0-2.2.el7_2.x86_64 @rhel73
Dep-Install nuxwdog-1.0.3-5.el7.x86_64 @rhel73
Dep-Install nuxwdog-client-java-1.0.3-5.el7.x86_64 @rhel73
Dep-Install objectweb-asm-3.3.1-9.el7.noarch @beaker-Server-optional
Dep-Install open-sans-fonts-1.10-1.el7.noarch @rhel73
Dep-Install opencryptoki-3.5-6.el7.x86_64 @rhel73
Dep-Install opencryptoki-libs-3.5-6.el7.x86_64 @rhel73
Dep-Install opencryptoki-swtok-3.5-6.el7.x86_64 @rhel73
Dep-Install opendnssec-1.4.7-3.el7.x86_64 @rhel73
Updated openssl-1:1.0.1e-34.el7.x86_64 @beaker-Server/7.0
Update 1:1.0.1e-58.el7.x86_64 @rhel73
Updated openssl-libs-1:1.0.1e-34.el7.x86_64 @beaker-Server/7.0
Update 1:1.0.1e-58.el7.x86_64 @rhel73
Dep-Install perl-Archive-Tar-1.92-2.el7.noarch @beaker-Server
Dep-Install perl-IO-Zlib-1:1.10-291.el7.noarch @rhel73
Dep-Install perl-Package-Constants-1:0.02-291.el7.noarch @rhel73
Updated pki-base-10.0.5-3.el7.noarch @beaker-Server
Update 10.3.3-10.el7.noarch @rhel73
Dep-Install pki-base-java-10.3.3-10.el7.noarch @rhel73
Updated pki-ca-10.0.5-3.el7.noarch @beaker-Server
Update 10.3.3-10.el7.noarch @rhel73
Dep-Install pki-kra-10.3.3-10.el7.noarch @rhel73
Updated pki-server-10.0.5-3.el7.noarch @beaker-Server
Update 10.3.3-10.el7.noarch @rhel73
Updated pki-tools-10.0.5-3.el7.x86_64 @beaker-Server
Update 10.3.3-10.el7.x86_64 @rhel73
Updated policycoreutils-2.2.5-11.el7.x86_64 @beaker-Server/7.0
Update 2.5-8.el7.x86_64 @rhel73
Updated policycoreutils-python-2.2.5-11.el7.x86_64 @beaker-Server
Update 2.5-8.el7.x86_64 @rhel73
Updated pytalloc-2.0.8-4.el7.x86_64 @beaker-Server/7.0
Update 2.1.6-1.el7.x86_64 @rhel73
Dep-Install python-cffi-1.6.0-5.el7.x86_64 @rhel73
Updated python-chardet-2.0.1-7.el7.noarch @beaker-Server
Update 2.2.1-1.el7_1.noarch @rhel73
Dep-Install python-custodia-0.1.0-4.el7.noarch @rhel73
Updated python-dns-1.10.0-5.el7.noarch @beaker-Server/7.0
Update 1.12.0-2.20150617git465785f.el7.noarch @rhel73
Dep-Install python-enum34-1.0.4-1.el7.noarch @rhel73
Dep-Install python-gssapi-1.2.0-2.el7.x86_64 @rhel73
Dep-Install python-idna-2.0-1.el7.noarch @rhel73
Dep-Install python-ipaddress-1.0.16-2.el7.noarch @rhel73
Dep-Install python-jwcrypto-0.2.1-2.el7.noarch @rhel73
Dep-Install python-kdcproxy-0.3.2-1.el7.noarch @rhel73
Updated python-ldap-2.4.6-6.el7.x86_64 @beaker-Server/7.0
Update 2.4.15-2.el7.x86_64 @rhel73
Obsoleting python-libipa_hbac-1.14.0-42.el7.x86_64 @rhel73
Dep-Install python-netifaces-0.10.4-3.el7.x86_64 @rhel73
Updated python-nss-0.14.0-5.el7.x86_64 @beaker-Server/7.0
Update 0.16.0-3.el7.x86_64 @rhel73
Dep-Install python-ply-3.4-10.el7.noarch @rhel73
Obsoleted python-pyasn1-0.1.6-2.el7.noarch @beaker-Server
Dep-Install python-pycparser-2.14-1.el7.noarch @rhel73
Dep-Install python-qrcode-core-5.0.1-1.el7.noarch @rhel73
Updated python-requests-1.1.0-8.el7.noarch @beaker-Server
Update 2.6.0-1.el7_1.noarch @rhel73
Updated python-six-1.3.0-4.el7.noarch @beaker-Server
Update 1.9.0-2.el7.noarch @rhel73
Dep-Install python-sss-murmur-1.14.0-42.el7.x86_64 @rhel73
Updated python-sssdconfig-1.11.2-65.el7.noarch @beaker-Server/7.0
Update 1.14.0-42.el7.noarch @rhel73
Updated python-urllib3-1.5-8.el7.noarch @beaker-Server
Update 1.10.2-2.el7_1.noarch @rhel73
Dep-Install python-yubico-1.2.3-1.el7.noarch @rhel73
Dep-Install python2-cryptography-1.3.1-3.el7.x86_64 @rhel73
Dep-Install python2-ipaclient-4.4.0-12.el7.noarch @rhel73
Dep-Install python2-ipalib-4.4.0-12.el7.noarch @rhel73
Dep-Install python2-ipaserver-4.4.0-12.el7.noarch @rhel73
Obsoleting python2-pyasn1-0.1.9-7.el7.noarch @rhel73
Dep-Install pyusb-1.0.0-0.11.b1.el7.noarch @rhel73
Updated resteasy-base-atom-provider-2.3.5-2.el7.noarch @beaker-Server
Update 3.0.6-3.el7.noarch @rhel73
Dep-Install resteasy-base-client-3.0.6-3.el7.noarch @rhel73
Dep-Install resteasy-base-jackson-provider-3.0.6-3.el7.noarch @rhel73
Updated resteasy-base-jaxb-provider-2.3.5-2.el7.noarch @beaker-Server
Update 3.0.6-3.el7.noarch @rhel73
Updated resteasy-base-jaxrs-2.3.5-2.el7.noarch @beaker-Server
Update 3.0.6-3.el7.noarch @rhel73
Updated resteasy-base-jaxrs-api-2.3.5-2.el7.noarch @beaker-Server
Update 3.0.6-3.el7.noarch @rhel73
Updated resteasy-base-jettison-provider-2.3.5-2.el7.noarch @beaker-Server
Update 3.0.6-3.el7.noarch @rhel73
Dep-Install samba-client-libs-4.4.4-9.el7.x86_64 @rhel73
Dep-Install samba-common-4.4.4-9.el7.noarch @rhel73
Updated samba-libs-4.1.1-31.el7.x86_64 @beaker-Server/7.0
Update 4.4.4-9.el7.x86_64 @rhel73
Updated selinux-policy-3.12.1-153.el7.noarch @beaker-Server/7.0
Update 3.13.1-99.el7.noarch @rhel73
Updated selinux-policy-targeted-3.12.1-153.el7.noarch @beaker-Server/7.0
Update 3.13.1-99.el7.noarch @rhel73
Updated setools-libs-3.3.7-46.el7.x86_64 @beaker-Server
Update 3.3.8-1.1.el7.x86_64 @rhel73
Updated slapi-nis-0.52-4.el7.x86_64 @beaker-Server
Update 0.56.0-4.el7.x86_64 @rhel73
Dep-Install softhsm-2.1.0-2.el7.x86_64 @rhel73
Updated sssd-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-ad-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-client-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-common-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-common-pac-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-ipa-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-krb5-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-krb5-common-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-ldap-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated sssd-proxy-1.11.2-65.el7.x86_64 @beaker-Server/7.0
Update 1.14.0-42.el7.x86_64 @rhel73
Updated svrcore-4.0.4-11.el7.x86_64 @beaker-Server
Update 4.1.2-1.el7.x86_64 @rhel73
Updated systemd-208-11.el7.x86_64 @beaker-Server/7.0
Update 219-30.el7.x86_64 @rhel73
Updated systemd-libs-208-11.el7.x86_64 @beaker-Server/7.0
Update 219-30.el7.x86_64 @rhel73
Updated systemd-python-208-11.el7.x86_64 @beaker-Server
Update 219-30.el7.x86_64 @rhel73
Updated systemd-sysv-208-11.el7.x86_64 @beaker-Server/7.0
Update 219-30.el7.x86_64 @rhel73
Updated tomcat-7.0.42-4.el7.noarch @beaker-Server
Update 7.0.69-10.el7.noarch @rhel73
Updated tomcat-el-2.2-api-7.0.42-4.el7.noarch @beaker-Server
Update 7.0.69-10.el7.noarch @rhel73
Updated tomcat-jsp-2.2-api-7.0.42-4.el7.noarch @beaker-Server
Update 7.0.69-10.el7.noarch @rhel73
Updated tomcat-lib-7.0.42-4.el7.noarch @beaker-Server
Update 7.0.69-10.el7.noarch @rhel73
Updated tomcat-servlet-3.0-api-7.0.42-4.el7.noarch @beaker-Server
Update 7.0.69-10.el7.noarch @rhel73
Updated tomcatjss-7.1.0-4.el7.noarch @beaker-Server
Update 7.1.2-3.el7.noarch @rhel73
Updated tzdata-java-2014b-1.el7.noarch @beaker-Server
Update 2016f-1.el7.noarch @rhel73
Scriptlet output:
1 warning: /etc/krb5.conf created as /etc/krb5.conf.rpmnew
2 warning: /etc/named.conf created as /etc/named.conf.rpmnew
3 Enabling SELinux boolean named_write_master_zones
4 Cannot set persistent booleans without managed policy.
5 Re-declaration of type pkcsslotd_t
6 Failed to create node
7 Bad type declaration at /etc/selinux/targeted/tmp/modules/400/pkcsslotd/cil:1
8 semodule: Failed!
9 Could not load host key: /etc/ssh/ssh_host_dsa_key
10 warning: /etc/sysconfig/dirsrv created as /etc/sysconfig/dirsrv.rpmnew
11 DNS query for qe-blade-13.testrelm.test. A failed: The DNS operation timed out after 30.0009379387 seconds
12 Skipping update of global DNS forwarder in LDAP: Unable to determine if local server is using an IP address belonging to an automatic empty zone. Consider changing forwarding policy to "only". DNS exception: The DNS operation timed out after 30.0009379387 seconds
13 unable to resolve host name qe-blade-13.testrelm.test. to IP address, ipa-ca DNS record will be incomplete
The following lines indicate a problem with setsebool:
3 Enabling SELinux boolean named_write_master_zones
4 Cannot set persistent booleans without managed policy.
I do not know why it failed... but RPM tried to configure the boolean and it failed for some reason. It does not seem like a problem in IPA, because the IPA/bind-dyndb-ldap packages tried to set the boolean and failed for some reason.
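An added helper, not part of the bug report, that automates the diagnosis done above with sesearch: it takes one AVC denial line (ausearch -i format) plus the sesearch -A -C output and reports which SELinux boolean gates the denied permission, then checks that boolean against getsebool -a output. The AVC line, sesearch rules and getsebool output embedded below are constructed to mirror the ones in the thread.

```shell
#!/bin/sh
# Added example (not from the bug report). Maps an AVC denial to the boolean
# that would allow it, using the ausearch -i and sesearch output formats
# shown in the thread. All sample data below is constructed.

# Constructed AVC line, modelled on the denial reported for named-pkcs11.
AVC_LINE='type=AVC msg=audit(09/19/2016 15:24:18.078:511) : avc: denied { write } for pid=17515 comm=named-pkcs11 name=ipa dev="dm-0" ino=201593081 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir'

# Constructed sesearch output: conditional rules start with DT/DF/ET/EF and
# name the gating boolean in square brackets; unconditional rules do not.
SESEARCH_OUT='Found 2 semantic av rules:
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
   allow named_t named_zone_t : dir { getattr search open } ;'

# Constructed getsebool -a output for the broken (upgrade-failed) state.
GETSEBOOL_OUT='named_tcp_bind_http_port --> off
named_write_master_zones --> off'

# avc_field LINE KEY -> value of " KEY=value" in LINE, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# ctx_type CONTEXT -> the type component (third field) of an SELinux context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the first denied permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\).*/\1/p'
}

# gating_booleans AVC_LINE SESEARCH_OUT
# Prints, one per line, the booleans on conditional rules that grant the
# denied permission for this source type / target type / object class.
gating_booleans() {
    line=$1; rules=$2
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    printf '%s\n' "$rules" \
      | grep -E "^[DE][TF] allow $stype $ttype : $tclass [{][^}]* $perm [^}]*[}] ; \[" \
      | sed 's/.*\[ *\([^] ]*\) *\].*/\1/' \
      | sort -u
}

# all_enabled "BOOL ..." GETSEBOOL_OUT -> exit 0 only if every listed
# boolean shows as "--> on" in the getsebool -a style output.
all_enabled() {
    bools=$1; getsebool_out=$2
    for b in $bools; do
        printf '%s\n' "$getsebool_out" | grep -qx "$b --> on" || return 1
    done
    return 0
}

# Demo run on the constructed data: names the boolean and flags it as off.
needed=$(gating_booleans "$AVC_LINE" "$SESEARCH_OUT")
echo "denial is gated by: $needed"
if all_enabled "$needed" "$GETSEBOOL_OUT"; then
    echo "all gating booleans are on; look elsewhere (labels, file contexts)"
else
    echo "at least one gating boolean is off: setsebool -P <name> on"
fi
```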
I believe the bug is in the bind-dyndb-ldap spec file: "Requires: selinux-policy" is missing. I need to test it on rhel-7.0. After testing I will provide info.

It's as I said. Attaching patch and changing component.

(In reply to Lukas Vrabec from comment #12)
> It's as I said. Attaching patch and changing component.
Thanks for the patch! Just checking, does it really guarantee that the right version of selinux-policy is installed before IdM packages? In FreeIPA, we usually used a line like the following:
Requires(pre): 389-ds-base >= 1.3.5.6
Even more interestingly, how is it possible that the bug manifested itself only on RHEL 7.3 and not in RHEL 7.1/7.2? The setsebool call was there for at least these releases. Are you 100% sure that the dependency is not missing in some other package? How can the system possibly be in enforcing mode without selinux-policy installed? Alternatively, was the system in permissive/disabled mode without selinux-policy and later switched to enforcing? It seems very weird to me.

The question is, can bind-dyndb-ldap be, or is it, used on systems with SELinux disabled? If the answer is yes, then the proposed fix is not correct, as it forces users to install selinux-policy and it could be considered a regression.

You can install the selinux-policy package with SELinux in the disabled state, so I don't think this could be a regression.

Anyway, it is dependency creep. Do you see a solution which does not break either case? (I'm not saying that we have to fix this now, but in the general case, how should this be handled?)

*** Bug 1374022 has been marked as a duplicate of this bug. ***

I think that the correct solution would be to move setsebool from %post to %posttrans so it's run at the end of the transaction, when the SELinux module store is already migrated and userspace updated.

Created attachment 1203687 [details]
Patch for bind-dyndb-ldap with posttrans
Petr is right. I tested it with the following patch and the boolean was turned on.
ipa-server runs ipa-server-upgrade in %posttrans; will yum/dnf make sure that the bind-dyndb-ldap part is run before IPA's?

ipa-server-dns requires ipa-server and bind-dyndb-ldap; ipa-server itself doesn't require bind-dyndb-ldap.

I suspect that we should have Requires(posttrans): bind-dyndb-ldap in IPA's spec file and use %posttrans in bind-dyndb-ldap.spec.

IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of the following points:
1. Verified that upgrade is successful from RHEL 7.0 to RHEL 7.3.
2. "DNS timed out error" message is not displayed at the console.
3. The dummy DNS forwardzone details created at 7.0 are reflected after upgrade.
4. Also noticed that the boolean value is "on" and IPA server works as per comment#15, comment#16 and comment#17 inside bug 1373910.
# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> on
5. Logged separate bug Bz1378837 for the "semodule: Failed!" message displayed during update.
Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-2375.html
Description of problem:
selinux-policy update failure noticed during IPA server upgrade for an IPA server hosted on RHEL 7.0 to RHEL 7.3.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-99.el7.noarch
ipa-4.4.0-12.el7

How reproducible:
Always

Steps to Reproduce:
1. Set up IPA server on RHEL 7.0 (SELinux for IPA server is in Enforcing mode)
2. Set up repo links for the latest version of RHEL 7.3.
3. Initiate the update on the IPA server using the command "yum update -y 'ipa*' sssd"

Actual results:
1. After step 3, IPA server upgrade is successful.
2. But during the yum update process noticed the following message at the console:
Updating : selinux-policy-targeted-3.13.1-99.el7.noarch 91/270
Re-declaration of type pkcsslotd_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/pkcsslotd/cil:1
semodule: Failed!
Installing : opencryptoki-3.5-6.el7.x86_64 92/270
Installing : opendnssec-1.4.7-3.el7.x86_64 93/270
3. Also noticed AVC denied messages once the upgrade process is complete.

#ausearch -m AVC
----
time->Fri Sep 16 11:05:38 2016
type=PATH msg=audit(1474038338.723:524): item=1 name="dyndb-ldap/ipa/master" objtype=CREATE
type=PATH msg=audit(1474038338.723:524): item=0 name="dyndb-ldap/ipa/" inode=202189506 dev=fd:00 mode=040770 ouid=25 ogid=25 rdev=00:00 obj=unconfined_u:object_r:named_zone_t:s0 objtype=PARENT
type=CWD msg=audit(1474038338.723:524): cwd="/var/named"
type=SYSCALL msg=audit(1474038338.723:524): arch=c000003e syscall=83 success=no exit=-13 a0=7f78f41cb440 a1=1f8 a2=0 a3=3 items=2 ppid=1 pid=15504 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1474038338.723:524): avc: denied { write } for pid=15504 comm="named-pkcs11" name="ipa" dev="dm-0" ino=202189506 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir

Expected results:
No errors should be observed during the upgrade process.

Additional info: