Bug 1991840
| Summary: | IPA: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Deepak Das <ddas> |
| Component: | opencryptoki | Assignee: | Than Ngo <than> |
| Status: | CLOSED ERRATA | QA Contact: | Karel Srot <ksrot> |
| Severity: | high | Docs Contact: | Šárka Jana <sjanderk> |
| Priority: | unspecified | | |
| Version: | 8.4 | CC: | fkrska, frenaud, ovasik, rcritten, sjanderk, than, tscherf |
| Target Milestone: | beta | Keywords: | Reopened, Triaged, ZStream |
| Target Release: | 8.6 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Fixed In Version: | opencryptoki-3.17.0-1.el8 | Doc Type: | No Doc Update |
| | 2009328 | | |
| Last Closed: | 2022-05-10 15:21:16 UTC | Type: | Bug |
| Bug Blocks: | 2009328 | | |

Description
Deepak Das
2021-08-10 07:21:03 UTC
A few notes on this error message:

- it has no relationship with FIPS mode, can happen also in non-FIPS mode
- it happens as soon as opencryptoki is installed
- it also happens in SELinux permissive mode

Simple reproducer:

1. p11-kit list-modules does not produce the log in the journal
2. dnf install -y opencryptoki; p11-kit list-modules produces the log in the journal:

```
p11-kit[5645]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
```

Hence I am moving this issue to opencryptoki component.

Reproduced with opencryptoki-3.15.1-5.el8.x86_64 (rhel 8.4)

Not reproduced with opencryptoki-3.14.0-5.el8.x86_64 (rhel 8.3)

Note: an selinux-policy BZ also mentions this issue (https://bugzilla.redhat.com/show_bug.cgi?id=1894132) but it seems unrelated as there is no AVC in this case

It looks like the same issue reported at https://bugzilla.redhat.com/show_bug.cgi?id=1894132

*** This bug has been marked as a duplicate of bug 1894132 ***

Note that manually enabling + starting pkcsslotd fixes the issue:

```
# systemctl enable --now pkcsslotd
>> creates the /run/lock/opencryptoki/LCK..APIlock file
# p11-kit list-modules
>> does not produce the issue anymore
```

I can reproduce this issue with your reproducer. Thanks

Hi Than, I have tried the provided test package and noticed a regression.

Previously (opencryptoki-3.15.1-6.el8_4.x86_64), with pkcsslotd started I can see opencryptoki tokens listed in p11-kit list-modules output:

```
# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15
```

and with opencryptoki-swtok installed I can see:

```
...
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15
    token: softtok
        manufacturer: IBM
        model: Soft
        serial-number:
        flags:
               rng
               login-required
               clock-on-token
               user-pin-to-be-changed
               so-pin-to-be-changed
```

However, with opencryptoki-3.15.1-7.1.el8_4.x86_64 installed the output is only:

```
# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
# ls -l /run/lock/opencryptoki/LCK..APIlock
-r--r-----. 1 root pkcs11 0 Sep 10 05:30 /run/lock/opencryptoki/LCK..APIlock
# ls -Z /run/lock/opencryptoki/LCK..APIlock
system_u:object_r:pkcs_slotd_lock_t:s0 /run/lock/opencryptoki/LCK..APIlock
```

There are no AVCs and it doesn't work with SELinux in permissive mode.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (opencryptoki bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2030
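
The report shows two distinct states for the lock file: absent until pkcsslotd is started, and present with mode `-r--r-----` owned by `root:pkcs11`. The script below is an added example, not part of the bug report or of opencryptoki, that tells those states apart for the current user; the function names are hypothetical, and it assumes read access is what the caller needs, which the page does not state.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the state of the
# openCryptoki API lock file. The default path is the one in the log message.
LOCK_DEFAULT=/run/lock/opencryptoki/LCK..APIlock

# Print one state token: missing-dir | missing-file | unreadable | ok
check_api_lock() {
    lock=${1:-$LOCK_DEFAULT}
    if [ ! -d "$(dirname "$lock")" ]; then echo missing-dir; return 1; fi
    if [ ! -e "$lock" ]; then echo missing-file; return 1; fi
    # Assumption: read access is the relevant permission for the caller.
    if [ ! -r "$lock" ]; then echo unreadable; return 2; fi
    echo ok
}

# Map a state token to the follow-up suggested by the report's observations.
explain_api_lock() {
    case $1 in
        missing-dir|missing-file)
            echo "lock file absent: in the report, 'systemctl enable --now pkcsslotd' created it" ;;
        unreadable)
            echo "lock file present but not readable by $(id -un): compare owner, group and mode with 'id'" ;;
        ok)
            echo "lock file present and readable by $(id -un)" ;;
        *)
            echo "unknown state: $1"; return 1 ;;
    esac
}

# Show mode, owner and group the same way the report did (ls -l).
lock_perms() {
    ls -l "${1:-$LOCK_DEFAULT}"
}

# Run against the real path only when asked: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    state=$(check_api_lock) || true
    explain_api_lock "$state"
    [ "$state" = missing-dir ] || [ "$state" = missing-file ] || lock_perms
fi
```
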