Description of problem:
Running ipa-server-install fails with

  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa         : ERROR    Named service failed to start (Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
named service failed to start
Restarting the web server
ipa.ipapython.install.cli.install_tool(Server): ERROR    Command ''/bin/systemctl' 'restart' 'ipa.service'' returned non-zero exit status 1

Version-Release number of selected component (if applicable):
freeipa-server-4.2.4-1.fc23.x86_64
bind-pkcs11-9.10.3-13.P4.fc23.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. Run /usr/sbin/ipa-server-install --setup-dns --forwarder=10.11.12.13 -r EXAMPLE.TEST -n example.test -p Secret123 -a Secret123 -U

Actual results:
Failure with error message shown above.

Expected results:
FreeIPA server installed.

Additional info:
systemctl status named-pkcs11.service -l says

● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-08-03 18:33:13 IST; 18h ago
  Process: 10676 ExecStart=/usr/sbin/named-pkcs11 -u named $OPTIONS (code=exited, status=1/FAILURE)
  Process: 10673 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com named-pkcs11[10682]: using up to 21000 sockets
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com named-pkcs11[10682]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com named-pkcs11[10682]: SoftHSM.cpp(476): Could not load the object store
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com named-pkcs11[10682]: initializing DST: PKCS#11 initialization failed
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com named-pkcs11[10682]: exiting (due to fatal error)
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com systemd[1]: named-pkcs11.service: Unit entered failed state.
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Aug 03 18:33:13 vm-idm-029.lab.eng.pnq.redhat.com systemd[1]: Stopped Berkeley Internet Name Domain (DNS) with native PKCS#11.
Perhaps this is Fedora 23 version of bug 1350957?
In permissive mode, the following AVC denials are logged:

type=AVC msg=audit(1470239051.337:288): avc:  denied  { read } for  pid=17537 comm="named-pkcs11" name="tokens" dev="dm-0" ino=428452 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1470239051.337:289): avc:  denied  { getattr } for  pid=17537 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/b8806455-d245-e917-3fd4-c854e06586fe/token.object" dev="dm-0" ino=34485738 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1470239051.337:290): avc:  denied  { read write } for  pid=17537 comm="named-pkcs11" name="generation" dev="dm-0" ino=34485740 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1470239051.337:291): avc:  denied  { open } for  pid=17537 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/b8806455-d245-e917-3fd4-c854e06586fe/generation" dev="dm-0" ino=34485740 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1470239051.337:292): avc:  denied  { lock } for  pid=17537 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/b8806455-d245-e917-3fd4-c854e06586fe/generation" dev="dm-0" ino=34485740 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
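To triage denials of this kind, here is an added example (not part of the bug report or of the selinux-policy package) that parses AVC records and groups the denied permissions by source type, target type and object class, then renders them as allow rules in the shape audit2allow prints. The two records embedded as sample input are copied from the denials quoted above; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: two of the AVC records quoted in this bug report,
# in the whitespace-separated key=value form that audit.log uses.
SAMPLE_AVCS = """\
type=AVC msg=audit(1470239051.337:288): avc:  denied  { read } for  pid=17537 comm="named-pkcs11" name="tokens" dev="dm-0" ino=428452 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1470239051.337:290): avc:  denied  { read write } for  pid=17537 comm="named-pkcs11" name="generation" dev="dm-0" ino=34485740 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value ..." -> permission set plus the tail
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = set(m.group('perms').split())
    # permissive=1 means the access was only logged, not actually blocked
    fields['permissive'] = fields.get('permissive') == '1'
    return fields


def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = rec['scontext'].split(':')[2]   # user:role:TYPE:level -> type
        tgt = rec['tcontext'].split(':')[2]
        summary[(src, tgt, rec['tclass'])] |= rec['perms']
    return dict(summary)


def allow_rules(summary):
    """Render the grouped denials as allow rules, the shape audit2allow prints.

    Whether such rules belong in policy, or whether the files should instead
    carry a different label, is a decision for the policy maintainer.
    """
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]
```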
This looks like the same thing which was fixed in Fedora 24 (bug 1333106) and RHEL 7 (bug 1350957). Moving to selinux-policy so Fedora 23 can be fixed as well.
Could we get a new package built for Fedora 23 updates-testing?
Is this a dupe of bug 1357665?
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524
selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.