This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController .

SELinux is preventing named from create access on the file DNS_25.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that named should be allowed create access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64 #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      d6fce4df-a924-47d1-994f-57d618e54c80

Raw Audit Messages
type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1

Hash: named,named_t,krb5_host_rcache_t,file,create

There is a corresponding denial for { open }:

SELinux is preventing named from open access on the file /var/tmp/DNS_25.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that named should be allowed open access on the DNS_25 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep named /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:named_t:s0
Target Context                system_u:object_r:krb5_host_rcache_t:s0
Target Objects                /var/tmp/DNS_25 [ file ]
Source                        named
Source Path                   named
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64 #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:50 PDT
Last Seen                     2014-10-21 13:34:50 PDT
Local ID                      a17f4b50-0a77-4be7-aa2f-5dc1c91524f2

Raw Audit Messages
type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1

Hash: named,named_t,krb5_host_rcache_t,file,open

This denial occurs very close in time to the one from #1155304, and the relevant journal snippet is about the same:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa : DEBUG args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:53 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local abrt-server[6433]: Generating core_backtrace
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/tog-pegasus.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:54 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.timer is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/man-db.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /usr/lib/systemd/system/pki-tomcatd.target is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Configuration file /lib/systemd/system/pki-tomcatd@.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Oct 21 13:34:55 ipa001.domain.local systemd[1]: Failed to reset devices.list on /system.slice: Invalid argument
Oct 21 13:34:55 ipa001.domain.local sssd[6521]: Starting up

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to #1155301 .

Nominating as a Beta blocker on the possibility that it may cause deployment to fail: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried." https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
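The two raw AVC records above are what `grep named /var/log/audit/audit.log | audit2allow -M mypol` would turn into a local module. The parser below is an added example, not part of this bug report, of setroubleshoot, or of audit2allow: it collapses AVC denials into the `allow` rule audit2allow would emit, and separately reports whether any of them was actually blocked or, as here, only logged because the host was in permissive mode (`permissive=1`). The function and constant names (`parse_avc`, `allow_rules`, `SAMPLE_AUDIT`) are mine; the sample records are constructed from the two messages quoted above, plus one constructed non-AVC record to show that other audit types are skipped.

```python
"""Collapse SELinux AVC denials into audit2allow-style allow rules.

Added example for this bug report (not setroubleshoot or audit2allow code).
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the two raw AVC messages in the
# report; the trailing SYSCALL record is filler to exercise the skip path.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1413923690.828:576): avc:  denied  { create } for  pid=6344 comm="named" name="DNS_25" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1413923690.829:577): avc:  denied  { open } for  pid=6344 comm="named" path="/var/tmp/DNS_25" dev="dm-2" ino=271063 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:krb5_host_rcache_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1413923690.829:577): arch=c000003e syscall=2 success=yes exit=4
"""

# Fields of a kernel AVC record: the braced permission list, the source and
# target security contexts, the object class and the optional permissive flag.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) .*?tcontext=(?P<tcontext>\S+) '
    r'.*?tclass=(?P<tclass>\S+)(?: .*?permissive=(?P<permissive>[01]))?'
)


def selinux_type(context):
    """Return the type component of a user:role:type:level context string."""
    return context.split(':')[2]


def parse_avc(text):
    """Yield one dict per AVC denial record; records of other types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield {
            'perms': set(m['perms'].split()),
            'stype': selinux_type(m['scontext']),
            'ttype': selinux_type(m['tcontext']),
            'tclass': m['tclass'],
            # A record without the permissive field is treated as enforced
            # (the conservative reading for older kernels that omit it).
            'permissive': m['permissive'] == '1',
        }


def allow_rules(text):
    """Merge denials keyed by (source type, target type, class) into allow rules.

    Returns (rules, enforced): ``enforced`` is True if at least one denial
    was really blocked, i.e. carried permissive=0 or no permissive field.
    """
    merged = defaultdict(set)
    enforced = False
    for d in parse_avc(text):
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
        enforced = enforced or not d['permissive']
    rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]
    return rules, enforced


if __name__ == '__main__':
    rules, enforced = allow_rules(SAMPLE_AUDIT)
    print('\n'.join(rules))
    print('blocked in enforcing mode' if enforced else 'logged only (permissive mode)')
```

Run against the sample it prints `allow named_t krb5_host_rcache_t:file { create open };` and `logged only (permissive mode)`; that second line is the caveat behind the reporter's uncertainty, since a permissive-mode denial proves the access was attempted and logged but not that anything failed. A local module built from such rules grants exactly the logged permissions, so it is a stopgap: remove it with `semodule -r mypol` once a distribution policy update carrying the proper rule is installed.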
Discussed at 2014-10-22 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt . Accepted as a blocker per cited criterion - though it's hard to be sure if this actually prevents deployment since there are other selinux bugs 'in front' of it. We can re-vote if those are fixed and it turns out this one is only trivial.
commit 21ad46cb843b032a756abd464ea7de1126f1e8f1
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 22 20:09:24 2014 +0200

    Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
selinux-policy-3.13.1-90.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
Package selinux-policy-3.13.1-90.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-90.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13454/selinux-policy-3.13.1-90.fc21
then log in and leave karma (feedback).
sgallagh reported success in verifying the fix with Beta RC1: marking as VERIFIED.
selinux-policy-3.13.1-90.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.