Bug 1508662
| Summary: | dac_override denials prevent start of 389-ds (FreeIPA) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, gmarr, lvrabec, mgrepl, plautrba, pmoore, robatino |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | AcceptedBlocker | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-11-27 22:36:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1469204 | ||
Discussed during the 2017-11-27 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made as it violates the following blocker criteria: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed..." [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-11-27/f27-8-blocker-review.2017-11-27-17.01.txt This looks like it's fixed in current Rawhide. FreeIPA deployment now gets slightly farther and fails on something else. 389-ds startup no longer fails immediately with this AVC and these error messages. |
FreeIPA deployment on Rawhide currently fails due to SELinux dac_override denials preventing 389-ds from starting up during the deployment process. Log messages: Oct 27 06:48:44 ipa001.domain.local systemd[1]: Starting 389 Directory Server DOMAIN-LOCAL.... Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc: denied { dac_override } for pid=6012 comm="ns-slapd" capability=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0 Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: Failed to open file /var/log/dirsrv/slapd-DOMAIN-LOCAL/errors. error -5966 (Access Denied.). Exiting... Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:44.906058630 -0400] - ERR - slapd_bootstrap_config - %s: %s: %s. Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: Cannot open errorlog file "/var/log/dirsrv/slapd-DOMAIN-LOCAL/errors", errors cannot be logged. Exiting... Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc: denied { dac_override } for pid=6012 comm="ns-slapd" capability=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0 Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc: denied { dac_override } for pid=6012 comm="ns-slapd" capability=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0 Oct 27 06:48:44 ipa001.domain.local audit[6012]: AVC avc: denied { dac_override } for pid=6012 comm="ns-slapd" capability=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=capability permissive=0 Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: - /etc/dirsrv/slapd-DOMAIN-LOCAL/dse.ldif[27/Oct/2017:09:48:44.987599418 -0400] - WARN - log_update_accesslogdir - Can't open file %s. errno %d (%s) Oct 27 06:48:44 ipa001.domain.local ns-slapd[6012]: - /var/log/dirsrv/slapd-DOMAIN-LOCAL/access[27/Oct/2017:09:48:44.987658826 -0400] - ERR - dse_read_one_file - The entry cn=config in file /etc/dirsrv/slapd-DOMAIN-LOCAL/dse.ldif (lineno: 1) is invalid, error code 53 (Server is unwilling to perform) - Cannot open accesslog directory "/var/log/dirsrv/slapd-DOMAIN-LOCAL/access", client accesses will not be logged. Oct 27 06:48:45 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:45.014574217 -0400] - ERR - init_dse_file - Could not load config file [dse.ldif] Oct 27 06:48:45 ipa001.domain.local ns-slapd[6012]: [27/Oct/2017:09:48:45.014638429 -0400] - ERR - setup_internal_backends - Please edit the file to correct the reported problems and then restart the server. Oct 27 06:48:45 ipa001.domain.local systemd[1]: dirsrv: Main process exited, code=exited, status=1/FAILURE Oct 27 06:48:45 ipa001.domain.local audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dirsrv@DOMAIN-LOCAL comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Oct 27 06:48:45 ipa001.domain.local systemd[1]: dirsrv: Failed with result 'exit-code'. Oct 27 06:48:45 ipa001.domain.local systemd[1]: Failed to start 389 Directory Server DOMAIN-LOCAL.. Proposing as a Fedora 28 Beta blocker, per Basic criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started, stopped, brought to a working configuration, and queried" - domain controller is a release-blocking role.