Bug 2045223

Summary: ipa-restore command is failing when restore after uninstalling the server
Product: Red Hat Enterprise Linux 8
Reporter: mreynolds
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.6
CC: ds-qe-bugs, frenaud, ldap-maint, lvrabec, mmalik, mreynolds, myusuf, rcritten, sgouvern, ssekidde, sumenon, tbordaz, tscherf
Target Milestone: rc
Keywords: Regression, Reopened
Target Release: 8.6
Hardware: Unspecified
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-1.4-8060020220128214755.ce3e8c9c
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2034880
Environment:
Last Closed: 2022-05-10 13:43:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2034880
Bug Blocks:

Description mreynolds 2022-01-25 16:10:49 UTC
+++ This bug was initially created as a clone of Bug #2034880 +++

Description of problem:
ipa-restore command is failing when restore after uninstalling the server

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL9.0/job/Nightly/job/tier-2-RHEL9.0-Nightly-upstream-backup-and-restore-testbackupandrestorewithdnssec/15/




Version-Release number of selected component (if applicable):
ipa-server-4.9.8-1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. install ipa-server
2. ipa-backup
3. uninstall ipa server
4. ipa-restore <backup-path>

Actual results:
ipa-backup command fails

Expected results:
ipa-backup command successful

Additional info:
same behavior observed in RHEL8.6 as well

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL8.6/job/Nightly/job/tier-2-RHEL8.6-Nightly-upstream-backup-and-restore-testbackupandrestorewithdnssec/6/

--- Additional comment from Florence Blanc-Renaud on 2021-12-22 13:21:01 UTC ---

This is a similar issue to the one seen upstream on fedora 35: BZ #2027730 SELinux is preventing ns-slapd access to /dev/shm/slapd-IPA-TEST/DBVERSION

When ipa-restore is run, it calls internally "/usr/sbin/dsctl TESTRELM-TEST ldif2db userRoot /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-userRoot.ldif", and dsctl creates the directory for the LDAP instance.
A later step restarts the directory server but fails because it can't read the directory:
(from dirsrv error.log)
[22/Dec/2021:06:01:43.445765448 -0500] - ERR - libdb - /dev/shm/slapd-TESTRELM-TEST: Permission denied
[22/Dec/2021:06:01:43.448626695 -0500] - ERR - libdb - /dev/shm/slapd-TESTRELM-TEST/__db.001: Permission denied
[22/Dec/2021:06:01:43.451054639 -0500] - CRIT - bdb_start - Opening database environment (/dev/shm/slapd-TESTRELM-TEST) failed. err=13: Unexpected dbimpl error code
[22/Dec/2021:06:01:43.453336008 -0500] - ERR - ldbm_back_start - Failed to init database, err=13 Unexpected dbimpl error code
[22/Dec/2021:06:01:43.456696652 -0500] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[22/Dec/2021:06:01:43.470451042 -0500] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[22/Dec/2021:06:01:43.480994589 -0500] - CRIT - dblayer_setup - dblayer_init failed
[22/Dec/2021:06:01:43.483139402 -0500] - ERR - ldbm_back_start - Failed to setup dblayer

Moving the bug to selinux component.

--- Additional comment from Milos Malik on 2021-12-22 16:05:57 UTC ---

Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

What SELinux labels are placed on the /dev/shm/slapd-TESTRELM-TEST directory and its content?

# ls -lRZ /dev/shm/slapd-TESTRELM-TEST

Thank you.

--- Additional comment from Zdenek Pytela on 2021-12-22 16:44:30 UTC ---

Please also verify the status of /dev/shm:

# ls -lZd /dev/shm
# grep shm /proc/mounts
# journalctl -g /dev/shm
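
One way to triage the `ausearch -i` output requested in the two comments above, as an added example that is not part of the bug thread: it groups AVC denials by process and SELinux type, then separates records tied to ns-slapd or the instance directory under /dev/shm from unrelated noise. The sample records are constructed in the `ausearch -i` format; the ns-slapd record, its `dirsrv_t`/`tmpfs_t` labels and the function names are assumptions, not data from this bug.

```python
import re
from collections import Counter

# Constructed sample in `ausearch -i` format (not taken from the bug's logs).
# The last record is a hypothetical ns-slapd denial used to show the split.
SAMPLE = """\
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.345:1) : proctitle=sss_cache -UG
type=SYSCALL msg=audit(12/23/2021 01:33:46.345:1) : arch=x86_64 syscall=setresgid success=yes exit=0 comm=sss_cache exe=/usr/sbin/sss_cache
type=AVC msg=audit(12/23/2021 01:33:46.345:1) : avc:  denied  { setgid } for  pid=100 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=AVC msg=audit(12/23/2021 01:33:46.367:2) : avc:  denied  { setgid } for  pid=101 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=AVC msg=audit(12/23/2021 01:33:47.051:3) : avc:  denied  { setgid } for  pid=102 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
type=AVC msg=audit(12/23/2021 01:40:00.000:4) : avc:  denied  { read } for  pid=200 comm=ns-slapd path=/dev/shm/slapd-TESTRELM-TEST/DBVERSION dev="tmpfs" ino=99 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Values may be quoted (raw audit.log) or bare (ausearch -i); accept both.
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "permissive": fields.get("permissive") == "1",
    }


def parse_denials(text):
    """Collect every AVC denial in the text; SYSCALL/PROCTITLE lines are skipped."""
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def summarize(denials):
    """Count denials per (comm, source type, perms, target type, class)."""
    return Counter(
        (d["comm"], d["source_type"], d["perms"], d["target_type"], d["tclass"])
        for d in denials
    )


def split_relevant(denials, comm="ns-slapd", path_prefix="/dev/shm/slapd-"):
    """Separate denials from the given process or under the given path from the rest."""
    relevant, noise = [], []
    for d in denials:
        hit = d["comm"] == comm or d["path"].startswith(path_prefix)
        (relevant if hit else noise).append(d)
    return relevant, noise


if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    for key, count in summarize(found).most_common():
        print(count, key)
    relevant, noise = split_relevant(found)
    print("relevant to ns-slapd or /dev/shm:", len(relevant), "other:", len(noise))
```

To run it on a real host, replace `SAMPLE` with the saved output of the `ausearch` command quoted above.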

--- Additional comment from Mohammad Rizwan on 2021-12-23 06:21:50 UTC ---

Please find the AVCs at the URLs below:
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2021-12-16/tier-2/upstream-backup-and-restore-testbackupandrestorewithdnssec/15/logs/AVC.log.gz
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2021-12-16/tier-2/upstream-backup-and-restore-testbackupandrestorewithdnssec/15/logs/ausearch-master.testrelm.test.log.gz

--- Additional comment from RHEL Program Management on 2021-12-23 06:48:07 UTC ---

Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

--- Additional comment from Mohammad Rizwan on 2021-12-23 12:38:47 UTC ---

[root@master ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.345:1342) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:46.345:1342) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17134 pid=17137 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.345:1342) : avc:  denied  { setgid } for  pid=17137 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.367:1344) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:46.367:1344) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17134 pid=17139 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.367:1344) : avc:  denied  { setgid } for  pid=17139 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.973:1347) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:46.973:1347) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17145 pid=17148 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.973:1347) : avc:  denied  { setgid } for  pid=17148 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.989:1348) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:46.989:1348) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17145 pid=17150 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.989:1348) : avc:  denied  { setgid } for  pid=17150 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:47.051:1350) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:47.051:1350) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17152 pid=17155 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:47.051:1350) : avc:  denied  { setgid } for  pid=17155 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:47.090:1351) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:47.090:1351) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17152 pid=17158 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:47.090:1351) : avc:  denied  { setgid } for  pid=17158 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:51.528:1355) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:51.528:1355) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17196 pid=17199 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:51.528:1355) : avc:  denied  { setgid } for  pid=17199 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:51.557:1356) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:51.557:1356) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17196 pid=17201 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:51.557:1356) : avc:  denied  { setgid } for  pid=17201 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.663:1359) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.663:1359) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17212 pid=17215 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.663:1359) : avc:  denied  { setgid } for  pid=17215 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.681:1360) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:53.681:1360) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17212 pid=17217 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.681:1360) : avc:  denied  { setgid } for  pid=17217 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.770:1362) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.770:1362) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17220 pid=17225 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.770:1362) : avc:  denied  { setgid } for  pid=17225 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.789:1363) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.789:1363) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17220 pid=17229 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.789:1363) : avc:  denied  { setgid } for  pid=17229 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:59.077:1406) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:59.077:1406) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17313 pid=17316 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:59.077:1406) : avc:  denied  { setgid } for  pid=17316 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:59.094:1407) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:59.094:1407) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17313 pid=17318 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:59.094:1407) : avc:  denied  { setgid } for  pid=17318 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:03.939:1410) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:03.939:1410) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17345 pid=17348 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:03.939:1410) : avc:  denied  { setgid } for  pid=17348 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:03.961:1411) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:03.961:1411) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17345 pid=17350 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:03.961:1411) : avc:  denied  { setgid } for  pid=17350 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.086:1413) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.086:1413) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17353 pid=17359 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.086:1413) : avc:  denied  { setgid } for  pid=17359 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.108:1414) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.108:1414) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17353 pid=17362 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.108:1414) : avc:  denied  { setgid } for  pid=17362 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.190:1417) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.190:1417) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17365 pid=17370 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.190:1417) : avc:  denied  { setgid } for  pid=17370 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.211:1418) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:04.211:1418) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17365 pid=17372 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.211:1418) : avc:  denied  { setgid } for  pid=17372 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.298:1420) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.298:1420) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17375 pid=17380 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.298:1420) : avc:  denied  { setgid } for  pid=17380 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.322:1421) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.322:1421) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17375 pid=17383 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.322:1421) : avc:  denied  { setgid } for  pid=17383 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.410:1424) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.410:1424) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17387 pid=17391 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.410:1424) : avc:  denied  { setgid } for  pid=17391 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.428:1425) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.428:1425) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17387 pid=17395 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.428:1425) : avc:  denied  { setgid } for  pid=17395 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.172:1455) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.172:1455) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17667 pid=17670 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.172:1455) : avc:  denied  { setgid } for  pid=17670 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.191:1456) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:31.191:1456) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17667 pid=17672 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.191:1456) : avc:  denied  { setgid } for  pid=17672 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.284:1458) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.284:1458) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17675 pid=17678 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.284:1458) : avc:  denied  { setgid } for  pid=17678 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.305:1459) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.305:1459) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17675 pid=17681 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.305:1459) : avc:  denied  { setgid } for  pid=17681 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.494:1462) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.494:1462) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17684 pid=17687 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.494:1462) : avc:  denied  { setgid } for  pid=17687 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.511:1463) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:31.511:1463) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17684 pid=17689 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.511:1463) : avc:  denied  { setgid } for  pid=17689 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.606:1465) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.606:1465) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17690 pid=17693 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.606:1465) : avc:  denied  { setgid } for  pid=17693 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.630:1466) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.630:1466) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17690 pid=17696 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.630:1466) : avc:  denied  { setgid } for  pid=17696 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.826:1472) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.826:1472) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17771 pid=17774 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.826:1472) : avc:  denied  { setgid } for  pid=17774 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.845:1473) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:43.845:1473) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17771 pid=17776 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.845:1473) : avc:  denied  { setgid } for  pid=17776 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.973:1475) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.973:1475) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17778 pid=17784 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.973:1475) : avc:  denied  { setgid } for  pid=17784 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.998:1476) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.998:1476) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17778 pid=17788 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.998:1476) : avc:  denied  { setgid } for  pid=17788 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.311:1479) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.311:1479) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17803 pid=17806 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.311:1479) : avc:  denied  { setgid } for  pid=17806 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.336:1480) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:44.336:1480) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17803 pid=17809 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.336:1480) : avc:  denied  { setgid } for  pid=17809 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.543:1482) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.543:1482) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17812 pid=17820 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.543:1482) : avc:  denied  { setgid } for  pid=17820 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.563:1483) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.563:1483) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17812 pid=17824 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.563:1483) : avc:  denied  { setgid } for  pid=17824 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.928:3316) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.928:3316) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbe51f7a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.928:3316) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.953:3317) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.953:3317) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbd0dad60 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.953:3317) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.987:3319) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.987:3319) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbe51f7a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.987:3319) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.987:3320) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.987:3320) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbd121540 a2=O_RDWR|O_CREAT|O_EXCL a3=0x180 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.987:3320) : avc:  denied  { write } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ls -lRZ /dev/shm/slapd-TESTRELM-TEST
/dev/shm/slapd-TESTRELM-TEST:
total 4
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 51 Dec 23 07:35 DBVERSION
[root@master ~]# 
[root@master ~]# 
[root@master ~]#  ls -lZd /dev/shm
drwxrwxrwt. 3 root root system_u:object_r:tmpfs_t:s0 80 Dec 23 07:35 /dev/shm
[root@master ~]# 
[root@master ~]# 
[root@master ~]#  grep shm /proc/mounts
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
[root@master ~]# 
[root@master ~]# 
[root@master ~]# journalctl -g /dev/shm
-- Journal begins at Thu 2021-12-23 01:25:08 EST, ends at Thu 2021-12-23 07:36:57 EST. --
Dec 23 01:25:11 localhost systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 30.658ms.
Dec 23 07:35:43 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:43.954904540 -0500] - ERR - libdb - /dev/shm/slapd-TE>
Dec 23 07:35:43 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:43.990006099 -0500] - ERR - libdb - /dev/shm/slapd-TE>
Dec 23 07:35:44 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:44.005987077 -0500] - CRIT - bdb_start - Opening data>
[root@master ~]#

--- Additional comment from Zdenek Pytela on 2021-12-23 12:44:21 UTC ---

Thank you, so /dev/shm has correct label but /dev/shm/slapd-TESTRELM-TEST does not. Do you know which service created that directory?

--- Additional comment from Mohammad Rizwan on 2021-12-27 06:04:43 UTC ---

dirsrv service might have created it. Flo can confirm.

--- Additional comment from Florence Blanc-Renaud on 2021-12-27 09:57:32 UTC ---

(In reply to Zdenek Pytela from comment #7)
> Thank you, so /dev/shm has correct label but /dev/shm/slapd-TESTRELM-TEST
> does not. Do you know which service created that directory?

It’s the dsctl CLI that creates the directory, shipped with dirsrv. Please see https://bugzilla.redhat.com/show_bug.cgi?id=2027730#c3 for more details (same issue on Fedora 35).

--- Additional comment from Milos Malik on 2022-01-07 10:09:59 UTC ---

The majority of the SELinux denials shown in comment#6 are already addressed in BZ#2030156.

The last 4 SELinux denials shown in comment#6 indicate that /dev/shm/slapd-TESTRELM-TEST directory is not labeled correctly. The correct label should be dirsrv_tmpfs_t.

Either ipa-backup did not save the SELinux context of the directory or ipa-restore did not restore the SELinux context of the directory.

I believe that the following command (executed before starting the ns-slapd service) should fix the labeling issue:

# chcon -R -t dirsrv_tmpfs_t /dev/shm/slapd-TESTRELM-TEST

--- Additional comment from Milos Malik on 2022-01-07 10:18:29 UTC ---

I believe that the following command (executed before starting the ns-slapd service) should fix the labeling issue:

# chcon -R -t dirsrv_tmpfs_t /dev/shm/slapd-TESTRELM-TEST

Another way to fix the labeling issue is to call the restorecon command before starting the ns-slapd service:

# restorecon -Rv /dev/shm/slapd-TESTRELM-TEST

The last 4 SELinux denials shown in comment#6 are related to the /dev/shm/slapd-TESTRELM-TEST directory, but all objects in that directory need to be labeled correctly as well. That's why the -R option is needed.
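Added example (not part of the comments in this bug and not Red Hat tooling): a small Python triage of the AVC records quoted in this thread that separates denials explained by a wrong label on the target object from those that need a policy review. The function names and the `EXPECTED_TYPES` table are assumptions of the example; its single entry is the `dirsrv_tmpfs_t` label named in the comments above.

```python
import re
from collections import defaultdict

# Three AVC records copied from the audit output quoted earlier in this thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/23/2021 01:34:44.563:1483) : avc:  denied  { setgid } for  pid=17824 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(12/23/2021 07:35:43.928:3316) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(12/23/2021 07:35:43.987:3320) : avc:  denied  { write } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
"""

# (source domain, object-name pattern, expected target type). Assumption of this
# example: the single entry is the label the thread says the directory should carry.
EXPECTED_TYPES = [("dirsrv_t", re.compile(r"^slapd-"), "dirsrv_tmpfs_t")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one interpreted AVC denial line; return None for other records."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": match.group("perms").split(),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "source": se_type(fields["scontext"]),
        "target": se_type(fields["tcontext"]),
        "tclass": fields.get("tclass", ""),
    }


def triage(text):
    """Group denials and mark those explained by a wrong label on the target."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["source"], rec["target"], rec["tclass"], rec["name"])
            groups[key].update(rec["perms"])
    findings = []
    for (comm, source, target, tclass, name), perms in sorted(groups.items()):
        expected = next((want for dom, pat, want in EXPECTED_TYPES
                         if dom == source and pat.search(name)), None)
        kind = "mislabeled" if expected and expected != target else "review-policy"
        findings.append({"kind": kind, "comm": comm, "source": source, "target": target,
                         "expected": expected, "tclass": tclass, "name": name,
                         "perms": sorted(perms)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```

A `mislabeled` finding is the case the `chcon`/`restorecon` commands above address; a `review-policy` finding, such as the `sss_cache` capability denial, is not a labeling problem and is tracked separately in this thread.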

--- Additional comment from Milos Malik on 2022-01-07 10:22:45 UTC ---

If I understand the function of the ipa-backup command correctly, it creates some kind of archive. And the ipa-restore command works with that archive.
Is it possible to list the content of the archive so that SELinux denials of all objects are displayed?
Thank you.

--- Additional comment from Florence Blanc-Renaud on 2022-01-11 10:21:07 UTC ---

Moving to 389-ds component as agreed with tbordaz

--- Additional comment from Mohammad Rizwan on 2022-01-12 07:11:47 UTC ---

[root@master ~]# ipa-backup 
Preparing backup on master.testrelm.test
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18
The ipa-backup command was successful

[root@master ~]# ls /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18
header  ipa-full.tar

[root@master backp]# tar -xvf /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18/ipa-full.tar 
./
./TESTRELM-TEST-ipaca.ldif
[..]
./TESTRELM-TEST/dse_index.ldif
./files.tar

[root@master backp]# ls
files.tar  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif
[root@master backp]# 


[root@master backp]# ls -rZ */*
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/log.0000000004
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/dse_instance.ldif
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/dse_index.ldif
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/DBVERSION

TESTRELM-TEST/userRoot:
unconfined_u:object_r:admin_home_t:s0 userCertificate.db
unconfined_u:object_r:admin_home_t:s0 uniquemember.db
unconfined_u:object_r:admin_home_t:s0 uidnumber.db
unconfined_u:object_r:admin_home_t:s0 uid.db
unconfined_u:object_r:admin_home_t:s0 sourcehost.db
unconfined_u:object_r:admin_home_t:s0 sn.db
unconfined_u:object_r:admin_home_t:s0 serverhostname.db
unconfined_u:object_r:admin_home_t:s0 seealso.db
unconfined_u:object_r:admin_home_t:s0 secretary.db
unconfined_u:object_r:admin_home_t:s0 parentid.db
unconfined_u:object_r:admin_home_t:s0 owner.db
unconfined_u:object_r:admin_home_t:s0 ou.db
unconfined_u:object_r:admin_home_t:s0 objectclass.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db
unconfined_u:object_r:admin_home_t:s0 nscpEntryDN.db
unconfined_u:object_r:admin_home_t:s0 memberUser.db
unconfined_u:object_r:admin_home_t:s0 memberservice.db
unconfined_u:object_r:admin_home_t:s0 memberPrincipal.db
unconfined_u:object_r:admin_home_t:s0 memberOf.db
unconfined_u:object_r:admin_home_t:s0 memberManager.db
unconfined_u:object_r:admin_home_t:s0 memberHost.db
unconfined_u:object_r:admin_home_t:s0 memberdenycmd.db
unconfined_u:object_r:admin_home_t:s0 member.db
unconfined_u:object_r:admin_home_t:s0 memberallowcmd.db
unconfined_u:object_r:admin_home_t:s0 manager.db
unconfined_u:object_r:admin_home_t:s0 managedby.db
unconfined_u:object_r:admin_home_t:s0 mail.db
unconfined_u:object_r:admin_home_t:s0 macAddress.db
unconfined_u:object_r:admin_home_t:s0 krbPrincipalName.db
unconfined_u:object_r:admin_home_t:s0 krbPasswordExpiration.db
unconfined_u:object_r:admin_home_t:s0 krbCanonicalName.db
unconfined_u:object_r:admin_home_t:s0 ipauniqueid.db
unconfined_u:object_r:admin_home_t:s0 ipatokenradiusconfiglink.db
unconfined_u:object_r:admin_home_t:s0 ipasudorunasgroup.db
unconfined_u:object_r:admin_home_t:s0 ipasudorunas.db
unconfined_u:object_r:admin_home_t:s0 ipaOwner.db
unconfined_u:object_r:admin_home_t:s0 ipaNTSecurityIdentifier.db
unconfined_u:object_r:admin_home_t:s0 ipaMemberCertProfile.db
unconfined_u:object_r:admin_home_t:s0 ipaMemberCa.db
unconfined_u:object_r:admin_home_t:s0 ipalocation.db
unconfined_u:object_r:admin_home_t:s0 ipakrbprincipalalias.db
unconfined_u:object_r:admin_home_t:s0 ipaKrbAuthzData.db
unconfined_u:object_r:admin_home_t:s0 ipaEnabledFlag.db
unconfined_u:object_r:admin_home_t:s0 ipaConfigString.db
unconfined_u:object_r:admin_home_t:s0 ipaCASubjectDN.db
unconfined_u:object_r:admin_home_t:s0 ipaassignedidview.db
unconfined_u:object_r:admin_home_t:s0 ipaallowedtarget.db
unconfined_u:object_r:admin_home_t:s0 idnsName.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db
unconfined_u:object_r:admin_home_t:s0 hostCategory.db
unconfined_u:object_r:admin_home_t:s0 givenName.db
unconfined_u:object_r:admin_home_t:s0 gidnumber.db
unconfined_u:object_r:admin_home_t:s0 fqdn.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 displayname.db
unconfined_u:object_r:admin_home_t:s0 description.db
unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 automountMapName.db
unconfined_u:object_r:admin_home_t:s0 automountkey.db
unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 aci.db
unconfined_u:object_r:admin_home_t:s0 accessRuleType.db

TESTRELM-TEST/ipaca:
unconfined_u:object_r:admin_home_t:s0 vlv#capendingpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#capendingenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#caenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#cacompletepkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#cacompleteenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#caallpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidorrevokedcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidcertsnotafterpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allnonrevokedcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 uniquemember.db
unconfined_u:object_r:admin_home_t:s0 uid.db
unconfined_u:object_r:admin_home_t:s0 subjectname.db
unconfined_u:object_r:admin_home_t:s0 sn.db
unconfined_u:object_r:admin_home_t:s0 serialno.db
unconfined_u:object_r:admin_home_t:s0 seeAlso.db
unconfined_u:object_r:admin_home_t:s0 requesttype.db
unconfined_u:object_r:admin_home_t:s0 requeststate.db
unconfined_u:object_r:admin_home_t:s0 requestid.db
unconfined_u:object_r:admin_home_t:s0 publicKeyData.db
unconfined_u:object_r:admin_home_t:s0 parentid.db
unconfined_u:object_r:admin_home_t:s0 owner.db
unconfined_u:object_r:admin_home_t:s0 objectclass.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db
unconfined_u:object_r:admin_home_t:s0 notbefore.db
unconfined_u:object_r:admin_home_t:s0 notafter.db
unconfined_u:object_r:admin_home_t:s0 metaInfo.db
unconfined_u:object_r:admin_home_t:s0 member.db
unconfined_u:object_r:admin_home_t:s0 mail.db
unconfined_u:object_r:admin_home_t:s0 issuername.db
unconfined_u:object_r:admin_home_t:s0 issuedby.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db
unconfined_u:object_r:admin_home_t:s0 extension.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 duration.db
unconfined_u:object_r:admin_home_t:s0 description.db
unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 dateOfCreate.db
unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 certstatus.db
unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 acmeExpires.db
unconfined_u:object_r:admin_home_t:s0 aci.db

TESTRELM-TEST/changelog:
unconfined_u:object_r:admin_home_t:s0 targetuniqueid.db   unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 seeAlso.db          unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 parentid.db         unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 objectclass.db      unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db  unconfined_u:object_r:admin_home_t:s0 changenumber.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db       unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db         unconfined_u:object_r:admin_home_t:s0 aci.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
[root@master backp]#

Comment 1 mreynolds 2022-01-25 16:24:31 UTC
Upstream ticket

https://github.com/389ds/389-ds-base/issues/5127

Comment 4 Florence Blanc-Renaud 2022-02-02 13:51:54 UTC
*** Bug 2049587 has been marked as a duplicate of this bug. ***

Comment 7 errata-xmlrpc 2022-05-10 13:43:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1815