1350957 – ipa named-pkcs11 failed to enumerate object store

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1350957 - ipa named-pkcs11 failed to enumerate object store

Summary: ipa named-pkcs11 failed to enumerate object store

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1353631 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-28 20:15 UTC by Scott Poore
Modified:	2016-11-04 02:33 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.13.1-91.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 02:33:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
ausearch output after update (27.30 KB, text/plain) 2016-07-14 22:08 UTC, Scott Poore	no flags	Details
ausearch output after update to 89 release (15.85 KB, text/plain) 2016-07-18 13:52 UTC, Scott Poore	no flags	Details
ausearch output after update to 89 release in permissive mode (3.95 KB, text/plain) 2016-07-18 18:01 UTC, Scott Poore	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2283	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2016-11-03 13:36:25 UTC

Description Scott Poore 2016-06-28 20:15:02 UTC

Description of problem:

IPA fails to start with named error (listed below).  If I make SELinux permissive, I'm able to start. However, I am not able to consistently see AVC denials.

[root@cloud-qe-21 ~]# ipactl start
ipa: WARNING: session memcached servers not running
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Failed to start named Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl

[root@cloud-qe-21 ~]# ausearch -m avc -ts 15:56
<no matches>

When I put it in permissive mode though, I get AVCs that look like named_t can't access ipa_var_lib_t.


Version-Release number of selected component (if applicable):
bind-9.9.4-36.el7.x86_64
bind-pkcs11-9.9.4-36.el7.x86_64
selinux-policy-3.13.1-82.el7.noarch
selinux-policy-targeted-3.13.1-82.el7.noarch
ipa-server-4.4.0-0.el7.2.alpha1.x86_64


How reproducible:
always

Steps to Reproduce:
1.  use repo with latest rpms
2.  yum -y install ipa-server-dns
3.  ipa-server-install --setup-dns --forwarder=$DNSFORWARDER --hostname=$HOSTNAME --ip-address=$IP -n $DNSDOMAIN -r $REALM -a $PASSWORD -p $PASSWORD -U
4.  ipactl restart

Actual results:
ipa-server-install actually fails because of named issue mentioned.  Able to reproduce afterwards with ipactl as in step 4.

Expected results:
no failures

Additional info:

From /var/log/messages:

Jun 28 15:41:57 localhost named-pkcs11[25696]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
Jun 28 15:41:57 localhost named-pkcs11[25696]: SoftHSM.cpp(476): Could not load the object store
Jun 28 15:41:57 localhost named-pkcs11[25696]: initializing DST: PKCS#11 initialization failed
Jun 28 15:41:57 localhost named-pkcs11[25696]: exiting (due to fatal error)

AVC seen when in permissive mode:
time->Tue Jun 28 15:58:55 2016
type=SYSCALL msg=audit(1467143935.025:348): arch=c000003e syscall=257 success=yes exit=9 a0=ffffffffffffff9c a1=7fb92eba7a08 a2=90800 a3=0 items=0 ppid=27053 pid=27055 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1467143935.025:348): avc:  denied  { read } for  pid=27055 comm="named-pkcs11" name="tokens" dev="dm-0" ino=33565592 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=dir
----
time->Tue Jun 28 15:58:55 2016
type=SYSCALL msg=audit(1467143935.025:349): arch=c000003e syscall=2 success=yes exit=9 a0=7fb92eba80b8 a1=42 a2=180 a3=ffffe000 items=0 ppid=27053 pid=27055 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1467143935.025:349): avc:  denied  { open } for  pid=27055 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/67565689-8135-6d50-0a6d-1c5e3a2143e5/generation" dev="dm-0" ino=68045545 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
type=AVC msg=audit(1467143935.025:349): avc:  denied  { read write } for  pid=27055 comm="named-pkcs11" name="generation" dev="dm-0" ino=68045545 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
----
time->Tue Jun 28 15:58:55 2016
type=SYSCALL msg=audit(1467143935.025:350): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7ffdd60180d0 a3=24 items=0 ppid=27053 pid=27055 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1467143935.025:350): avc:  denied  { lock } for  pid=27055 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/67565689-8135-6d50-0a6d-1c5e3a2143e5/generation" dev="dm-0" ino=68045545 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file
----
time->Tue Jun 28 15:58:55 2016
type=SYSCALL msg=audit(1467143935.025:351): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffdd6018070 a2=7ffdd6018070 a3=24 items=0 ppid=27053 pid=27055 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1467143935.025:351): avc:  denied  { getattr } for  pid=27055 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/67565689-8135-6d50-0a6d-1c5e3a2143e5/generation" dev="dm-0" ino=68045545 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file

Comment 1 Scott Poore 2016-06-28 20:43:55 UTC

This appears to be similar to Fedora bug #1333106

Changing component to selinux-policy.

Comment 4 Petr Spacek 2016-07-08 08:08:00 UTC

*** Bug 1353631 has been marked as a duplicate of this bug. ***

Comment 5 Petr Spacek 2016-07-08 11:30:17 UTC

*** Bug 1353631 has been marked as a duplicate of this bug. ***

Comment 7 Scott Poore 2016-07-14 22:07:19 UTC

OK, I'm seeing IPA install and restart without failure now.

I'm now seeing quite a few other AVC denials.  I'll post the actual AVCs as an attachment.

This is what I see from audit2allow for the failures:

[root@rhel7-1 ~]# cat /var/log/audit/audit.log | audit2allow
libsepol.sepol_string_to_security_class: unrecognized class (null)


#============= certmonger_t ==============
allow certmonger_t var_log_t:dir write;

#============= ipa_dnskey_t ==============
allow ipa_dnskey_t named_cache_t:dir search;
allow ipa_dnskey_t proc_t:file read;

#============= policykit_t ==============
allow policykit_t tuned_t:(null) 0x2;

#============= sssd_t ==============
allow sssd_t fs_t:filesystem getattr;

Comment 8 Scott Poore 2016-07-14 22:08:58 UTC

Created attachment 1179966 [details]
ausearch output after update

This is a listing of the AVC denials I see after ipa-server-install and ipactl stop/start.

selinux-policy-3.13.1-88.el7.noarch
ipa-server-4.4.0-2.1.el7.x86_64

Comment 15 Scott Poore 2016-07-18 13:51:15 UTC

Hi Lukas,

I am still seeing most of the AVC denials I saw previously in the attachment.

Here are a couple examples:

----
time->Mon Jul 18 08:36:13 2016
type=SYSCALL msg=audit(1468848973.979:169): arch=c000003e syscall=83 success=no exit=-13 a0=19a7140 a1=1ff a2=1 a3=7ffdfb090fd0 items=0 ppid=2689 pid=2725 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-ca-r" exe="/usr/bin/python2.7" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1468848973.979:169): avc:  denied  { write } for  pid=2725 comm="dogtag-ipa-ca-r" name="log" dev="dm-0" ino=93 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Mon Jul 18 08:38:58 2016
type=SYSCALL msg=audit(1468849138.745:226): arch=c000003e syscall=2 success=no exit=-13 a0=7fe617122a1d a1=80000 a2=1b6 a3=24 items=0 ppid=4510 pid=4517 auid=4294967295 uid=995 gid=25 euid=995 suid=995 fsuid=995 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1468849138.745:226): avc:  denied  { read } for  pid=4517 comm="sh" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
----

These are occurring during ipa-server-install.  And are just a couple examples of many that are like the ones from previous attachment.  I'll include a new attachment showing the current ones.

Can these be addressed as well?

Thanks,
Scott

Comment 16 Scott Poore 2016-07-18 13:52:18 UTC

Created attachment 1181107 [details]
ausearch output after update to 89 release

These are the AVC denials I'm now seeing with this version of selinux-policy:

selinux-policy-3.13.1-89.el7.noarch

Comment 17 Lukas Vrabec 2016-07-18 15:34:53 UTC

Scott, 
yes, it can be addressed but could you test it in permissive mode to collect all AVCs and attahc them? Then I fix policy. 

Thank you for testing.

Comment 18 Scott Poore 2016-07-18 18:01:27 UTC

Created attachment 1181224 [details]
ausearch output after update to 89 release in permissive mode

This is the list of AVC denials from ipa-server-install with SELinux in permissive mode.

Comment 22 Scott Poore 2016-07-19 14:07:11 UTC

selinux-policy-3.13.1-90.el7.noarch

Not sure why we didn't see these until now but, now I'm seeing this:


[root@rhel7-4 ~]# ausearch -m avc
----
time->Tue Jul 19 08:57:06 2016
type=SYSCALL msg=audit(1468936626.889:216): arch=c000003e syscall=4 success=no exit=-2 a0=12cd0a0 a1=7ffff4ad7700 a2=7ffff4ad7700 a3=0 items=0 ppid=1 pid=4560 auid=4294967295 uid=995 gid=25 euid=995 suid=995 fsuid=995 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1468936626.889:216): avc:  denied  { search } for  pid=4560 comm="ipa-dnskeysyncd" name="softhsm" dev="dm-0" ino=8415058 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=dir
----
time->Tue Jul 19 08:57:08 2016
type=SYSCALL msg=audit(1468936628.858:218): arch=c000003e syscall=2 success=no exit=-2 a0=4eff1c0 a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=4560 auid=4294967295 uid=995 gid=25 euid=995 suid=995 fsuid=995 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="ipa-dnskeysyncd" exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_dnskey_t:s0 key=(null)
type=AVC msg=audit(1468936628.858:218): avc:  denied  { search } for  pid=4560 comm="ipa-dnskeysyncd" name="softhsm" dev="dm-0" ino=8415058 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=dir

Comment 23 Lukas Vrabec 2016-07-19 14:08:29 UTC

Could you please test it in permissive mode? We need to catch all AVCs. 

Thank you.

Comment 25 Scott Poore 2016-07-19 14:10:49 UTC

Hi Lukas,

In my test from comment #22, that was in permissive mode:

[root@rhel7-4 ~]# getenforce
Permissive

I'm not sure what changed that this wasn't caught before but, that's what we're seeing now.

Comment 33 errata-xmlrpc 2016-11-04 02:33:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.