Description of problem:
FreeIPA DNSSEC component is broken because of SELinux policy disallowing proper service communication.

There is socket activated service ipa-ods-exporter:

$ systemctl cat ipa-ods-exporter.socket
# /usr/lib/systemd/system/ipa-ods-exporter.socket
[Socket]
ListenStream=/var/run/opendnssec/engine.sock

[Install]
WantedBy=sockets.target

Apparently the current policy prevents systemd from creating the socket.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-191.10.fc24.noarch
freeipa-server-4.3.2-1.fc24.x86_64
systemd-229-12.fc24.x86_64

How reproducible:
100 %

Steps to Reproduce:
1. install FreeIPA:
ipa-server-install --ds-password="$ADMINPW" --admin-password="$ADMINPW" "--domain=$(echo $DOMAIN | tr "[:upper:]" "[:lower:]")" --realm="$(echo $DOMAIN | tr "[:lower:]" "[:upper:]")" --unattended --setup-dns --auto-forwarders
2. install DNSSEC component of FreeIPA:
ipa-dns-install --unattended --dnssec-master --forwarder=<IP address of a DNS server>
3. check logs of ipa-ods-exporter.socket systemd unit

Actual results:
systemd[1]: ipa-ods-exporter.socket: Failed to listen on sockets: Permission denied
systemd[1]: Failed to listen on ipa-ods-exporter.socket.

Expected results:
The service should run.
Additional info:
In permissive mode, I can see this:

$ sudo ausearch -m avc
----
time->Fri Aug 12 15:23:39 2016
type=AVC msg=audit(1471008219.050:264): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Aug 12 15:23:39 2016
type=AVC msg=audit(1471008219.050:265): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Aug 12 15:23:39 2016
type=AVC msg=audit(1471008219.050:266): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
----
time->Fri Aug 12 15:23:39 2016
type=AVC msg=audit(1471008219.050:267): avc: denied { listen } for pid=1 comm="systemd" path="/run/opendnssec/engine.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

This used to work in the past so it is a regression, I'm just not sure from which version.
More information about environment where it worked can be found here: https://fedorahosted.org/freeipa/ticket/5870
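The AVC records quoted in the report are the evidence that decides this bug: PID 1 (init_t) is denied create/setopt/bind/listen on a unix_stream_socket whose target context is unconfined_service_t, which is why the socket unit fails before the service is ever spawned. The following script is an added triage example written for this page; it is not part of FreeIPA, systemd or selinux-policy, and the four audit lines embedded in it are copied from the report above as constructed sample input. It parses raw AVC lines (the same shape `ausearch -m avc` prints), groups denied permissions by source type, target type and object class, and flags the pattern of socket activation being blocked by policy. Function names such as `summarise` and `socket_activation_blocked` are my own; the real tool for turning denials into policy is `audit2allow`, this only shows how to read the records.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records from the bug report, one per line.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1471008219.050:264): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1471008219.050:265): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1471008219.050:266): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1471008219.050:267): avc: denied { listen } for pid=1 comm="systemd" path="/run/opendnssec/engine.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
"""

# Header of an AVC record; \s+ tolerates the double spaces the kernel actually emits.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="systemd", path="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # permissive=1 means the access was logged but still allowed.
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def selinux_type(ctx):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(":")[2]


def summarise(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
            groups[key] |= rec["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}


def socket_activation_blocked(log_text):
    """True if init_t was denied the permissions systemd needs to pre-create a unit's unix socket."""
    needed = {"create", "bind", "listen"}
    for (src, _tgt, cls), perms in summarise(log_text).items():
        if src == "init_t" and cls == "unix_stream_socket" and needed <= set(perms):
            return True
    return False


def permissive_serials(log_text):
    """Serials of denials that only succeeded because the system was permissive."""
    return [r["serial"] for r in map(parse_avc, log_text.splitlines()) if r and r["permissive"]]


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarise(SAMPLE_AVC_LOG).items():
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("socket activation blocked:", socket_activation_blocked(SAMPLE_AVC_LOG))
    print("would fail in enforcing mode:", permissive_serials(SAMPLE_AVC_LOG))
```

On a live host the input would be `sudo ausearch -m avc --raw` (or the AVC lines from `/var/log/audit/audit.log`) rather than the embedded sample. The grouped output makes the diagnosis explicit: the target type is unconfined_service_t, not a dedicated domain for the exporter, so no allow rule exists for init_t to build that socket; after the policy update in the comments below, the expected check is simply that no such group appears and `systemctl status ipa-ods-exporter.socket` reports the socket as listening.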
Hi, how was the opendnssec daemon started?
It was not started at all. Supposedly the service should be started by systemd using socket activation. The problem is that systemd is not able to even create the named socket (file), so we are not even close to starting anything. Error messages in "Actual results" above are directly from systemd, not from the OpenDNSSEC daemon.
selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.