Bug 1991840

Summary: IPA: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Product: Red Hat Enterprise Linux 8
Reporter: Deepak Das <ddas>
Component: opencryptoki
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: high
Docs Contact: Šárka Jana <sjanderk>
Priority: unspecified
Version: 8.4
CC: fkrska, frenaud, ovasik, rcritten, sjanderk, than, tscherf
Target Milestone: beta
Keywords: Reopened, Triaged, ZStream
Target Release: 8.6
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: opencryptoki-3.17.0-1.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: 2009328
Environment:
Last Closed: 2022-05-10 15:21:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2009328

Description Deepak Das 2021-08-10 07:21:03 UTC
Description of problem:

The below error is observed in RHEL 8.4 in a customer IPA environment where FIPS is enabled. The error is observed for IPA services.

But this error can be observed in both FIPS and Non-FIPS environment.

- /var/log/messages

  ----------------------------------------------------------------------------
  Jul  6 12:35:21 ipaserver java[4621]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:40 ipaserver sslget[4663]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:42 ipaserver dogtag-ipa-renew-agent-submit[4783]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:37:52 ipaserver certutil[5026]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  Jul  6 12:39:55 ipaserver ns-slapd[5205]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
  ----------------------------------------------------------------------------

- The customer environment is as below. 

  * /etc/redhat-release 
    Red Hat Enterprise Linux release 8.4 (Ootpa)

  * sos_commands/crypto/fips-mode-setup_--check
    FIPS mode is enabled.


1) The affected IPA server contains the following files.
   
     - crypto-policies-20210209-1.gitbfb6bed.el8_3.noarch: /etc/crypto-policies/back-ends/nss.config

        ----------------------------------------------------------------------
        library=
        name=Policy
        NSS=flags=policyOnly,moduleDB
        config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

        name=p11-kit-proxy
        library=p11-kit-proxy.so
        ----------------------------------------------------------------------

     - nss-3.53.1-17.el8_3.x86_64: /etc/crypto-policies/local.d/nss-p11-kit.config

       ---------------------------------
       name=p11-kit-proxy
       library=p11-kit-proxy.so
       ---------------------------------

     $ ls -l etc/crypto-policies/back-ends/nss.config
        -rw-rwxrw-+ 1 yank yank 391 Jun 23 18:05 etc/crypto-policies/back-ends/nss.config  

2) Removing the parameters "name=p11-kit-proxy" and "library=p11-kit-proxy.so" stops the error from being logged in "/var/log/messages".

3) If the file "/etc/crypto-policies/local.d/nss-p11-kit.config" is not present, running the below command creates a soft link instead of a regular file.

     # fips-mode-setup --enable

     After the above command is run, the file "/etc/crypto-policies/back-ends/nss.config" is created as a soft link to "/usr/share/crypto-policies/FIPS/nss.txt",
     which does not have the 2 parameters, and no error is observed.

   
     - # cat /usr/share/crypto-policies/FIPS/nss.txt
       ----------------------------------------------------------------------
       library=
       name=Policy
       NSS=flags=policyOnly,moduleDB
       config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
       ----------------------------------------------------------------------

      $ ls -l /etc/crypto-policies/back-ends/nss.config
         lrwxrwxrwx. 1 root root 39 Jul 28 16:33 /etc/crypto-policies/back-ends/nss.config -> /usr/share/crypto-policies/FIPS/nss.txt

4) Link [1] mentions that the issue was fixed in IPA 4.8.0 for SoftHSM, but on further review it was only for testing.
   Please refer to PR links [2] and [3].

5) As mentioned in point 2, the error is not observed if the 2 parameters are removed from the file.

    But instead of a workaround, is there any other method through which we can avoid the error?


[1]: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/XFYVC6MUAKYLRIR6H6WM6SD4USLMIG2E/
[2]: https://github.com/freeipa/freeipa/pull/2680
[3]: https://github.com/freeipa/freeipa/pull/2679



Version-Release number of selected component (if applicable):

ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64

How reproducible:

Always

Steps to Reproduce:

1. Make sure file "/etc/crypto-policies/local.d/nss-p11-kit.config" is present.

2. Enable FIPS as below.

   # fips-mode-setup --enable
 
3. Reboot the server.

4. Make sure the below is a regular file and contains the parameters
   "name=p11-kit-proxy" and "library=p11-kit-proxy.so"

   # ls -l /etc/crypto-policies/back-ends/nss.config

   # cat /etc/crypto-policies/back-ends/nss.config

5. Restart IPA service

   # ipactl restart
   # ipactl status

6. Check for the error in "/var/log/messages" file.

   # grep LCK..APIlock /var/log/messages


Actual results:

Error "usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock" is observed for IPA services in "/var/log/messages".

Expected results:

The error should not be observed.

Additional info:

There does not seem to be any impact on IPA performance / operations.

Comment 1 Florence Blanc-Renaud 2021-08-18 18:01:18 UTC
A few notes on this error message:
- it has no relationship with FIPS mode, can happen also in non-FIPS mode
- it happens as soon as opencryptoki is installed
- it also happens in SElinux permissive mode

Simple reproducer:
1. p11-kit list-modules
   does not produce the log in the journal
2. dnf install -y opencryptoki; p11-kit list-modules
   produces the log in the journal: p11-kit[5645]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock

Hence I am moving this issue to opencryptoki component.
Reproduced with opencryptoki-3.15.1-5.el8.x86_64 (rhel 8.4)
Not reproduced with opencryptoki-3.14.0-5.el8.x86_64 (rhel 8.3)

Note: an selinux-policy BZ also mentions this issue (https://bugzilla.redhat.com/show_bug.cgi?id=1894132) but it seems unrelated as there is no AVC in this case

Comment 2 Than Ngo 2021-08-19 18:25:49 UTC
it looks like the same issue reported at https://bugzilla.redhat.com/show_bug.cgi?id=1894132

*** This bug has been marked as a duplicate of bug 1894132 ***

Comment 5 Florence Blanc-Renaud 2021-08-20 07:03:12 UTC
Note that manually enabling + starting pkcsslotd fixes the issue:

# systemctl enable --now pkcsslotd
>> creates the /run/lock/opencryptoki/LCK..APIlock file
# p11-kit list-modules
>> does not produce the issue anymore
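A small triage script, added here as an illustration and not taken from the bug report, opencryptoki or p11-kit, that ties together the reporter's reproducer (the p11-kit-proxy stanza in nss.config and the error lines in /var/log/messages) and the observation in Comment 5 that pkcsslotd creates the lock file. All file paths are parameters, so the same checks can be pointed at the real /etc/crypto-policies/back-ends/nss.config, /run/lock/opencryptoki and /var/log/messages; the nss.config, FIPS policy file, lock directory and log excerpt it builds at the end are constructed sample data.

```shell
#!/bin/sh
# Added triage helper for the LCK..APIlock message (illustration only; not
# part of the bug report, opencryptoki or p11-kit). Paths are parameters so
# the checks run offline against the constructed sample data built below.

# Returns 0 if the NSS policy file loads p11-kit-proxy, which makes every NSS
# user enumerate all p11-kit modules, opencryptoki included.
nss_config_loads_p11_proxy() {
    grep -q '^library=p11-kit-proxy\.so' "$1"
}

# Returns 0 if the API lock file exists in the given lock directory
# (pkcsslotd creates it at start; the message means it was missing).
apilock_present() {
    [ -e "$1/LCK..APIlock" ]
}

# Prints the distinct process names that logged the error in a syslog-format
# file (field 5 is "name[pid]:", e.g. "java[4621]:").
apilock_error_processes() {
    awk '/apiutil\.c Could not open .*LCK\.\.APIlock/ { split($5, a, "["); print a[1] }' "$1" \
        | sort -u
}

# Prints one line per finding; returns 1 if anything was found, else 0.
diagnose() {
    nss_config="$1"; lock_dir="$2"; logfile="$3"
    findings=0
    if nss_config_loads_p11_proxy "$nss_config"; then
        echo "p11-kit-proxy is loaded via $nss_config (opencryptoki will be probed)"
        findings=$((findings + 1))
    fi
    if ! apilock_present "$lock_dir"; then
        echo "no LCK..APIlock in $lock_dir (is pkcsslotd enabled and running?)"
        findings=$((findings + 1))
    fi
    procs=$(apilock_error_processes "$logfile" | tr '\n' ' ')
    if [ -n "$procs" ]; then
        echo "processes that hit the error: $procs"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample data standing in for the files on an affected host.
make_sample_data() {
    dir=$(mktemp -d)
    # nss.config with the p11-kit-proxy stanza (the shape shown in the report)
    cat > "$dir/nss.config" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:SHA256:tls-version-min=tls1.2"

name=p11-kit-proxy
library=p11-kit-proxy.so
EOF
    # the FIPS policy file, which has no such stanza
    cat > "$dir/nss-fips.txt" <<'EOF'
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:SHA256:tls-version-min=tls1.2"
EOF
    # empty lock directory: pkcsslotd has not run
    mkdir "$dir/lock"
    # constructed syslog excerpt; the error lines mirror the ones in the report
    cat > "$dir/messages" <<'EOF'
Jul  6 12:35:21 ipaserver java[4621]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Jul  6 12:37:40 ipaserver sslget[4663]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Jul  6 12:37:45 ipaserver systemd[1]: Started Session 7 of user root.
Jul  6 12:39:55 ipaserver ns-slapd[5205]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
Jul  6 12:40:02 ipaserver java[4621]: usr/lib/api/apiutil.c Could not open /run/lock/opencryptoki/LCK..APIlock
EOF
    echo "$dir"
}

sample=$(make_sample_data)
trap 'rm -rf "$sample"' EXIT
if diagnose "$sample/nss.config" "$sample/lock" "$sample/messages"; then
    echo "no findings"
fi
```

On a real host, run `diagnose /etc/crypto-policies/back-ends/nss.config /run/lock/opencryptoki /var/log/messages`; a clean system (FIPS policy symlink, pkcsslotd running) prints nothing and returns 0.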

Comment 6 Than Ngo 2021-08-20 16:05:50 UTC
I can reproduce this issue with your reproducer. Thanks

Comment 14 Karel Srot 2021-09-10 09:40:51 UTC
Hi Than
I have tried the provided test package and noticed a regression.
Previously (opencryptoki-3.15.1-6.el8_4.x86_64), with pkcsslotd started I can see opencryptoki tokens listed in p11-kit list-modules output:

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15

and with opencryptoki-swtok installed I can see:

...
opencryptoki: libopencryptoki.so
    library-description: openCryptoki
    library-manufacturer: IBM
    library-version: 3.15
    token: softtok
        manufacturer: IBM
        model: Soft
        serial-number: 
        flags:
               rng
               login-required
               clock-on-token
               user-pin-to-be-changed
               so-pin-to-be-changed

However, with opencryptoki-3.15.1-7.1.el8_4.x86_64 installed the output is only:

# p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized

# ls -l /run/lock/opencryptoki/LCK..APIlock
-r--r-----. 1 root pkcs11 0 Sep 10 05:30 /run/lock/opencryptoki/LCK..APIlock
# ls -Z /run/lock/opencryptoki/LCK..APIlock
system_u:object_r:pkcs_slotd_lock_t:s0 /run/lock/opencryptoki/LCK..APIlock


There are no AVCs and it doesn't work with SELinux in permissive mode either.

Comment 33 errata-xmlrpc 2022-05-10 15:21:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (opencryptoki bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2030