Description of problem:
selinux-policy update failure noticed during the IPA server upgrade of an IPA server hosted on RHEL 7.0 to RHEL 7.3.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-99.el7.noarch
ipa-4.4.0-12.el7

How reproducible:
Always

Steps to Reproduce:
1. Set up an IPA server on RHEL 7.0 (SELinux on the IPA server is in Enforcing mode).
2. Set up repo links for the latest version of RHEL 7.3.
3. Initiate the upgrade on the IPA server using the command "yum update -y 'ipa*' sssd".

Actual results:
1. After step 3, the IPA server upgrade is successful.
2. But during the yum update process the following message was noticed at the console:

  Updating   : selinux-policy-targeted-3.13.1-99.el7.noarch   91/270
Re-declaration of type pkcsslotd_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/400/pkcsslotd/cil:1
semodule:  Failed!
  Installing : opencryptoki-3.5-6.el7.x86_64   92/270
  Installing : opendnssec-1.4.7-3.el7.x86_64   93/270

3. Also noticed AVC denied messages once the upgrade process was complete.

# ausearch -m AVC
----
time->Fri Sep 16 11:05:38 2016
type=PATH msg=audit(1474038338.723:524): item=1 name="dyndb-ldap/ipa/master" objtype=CREATE
type=PATH msg=audit(1474038338.723:524): item=0 name="dyndb-ldap/ipa/" inode=202189506 dev=fd:00 mode=040770 ouid=25 ogid=25 rdev=00:00 obj=unconfined_u:object_r:named_zone_t:s0 objtype=PARENT
type=CWD msg=audit(1474038338.723:524): cwd="/var/named"
type=SYSCALL msg=audit(1474038338.723:524): arch=c000003e syscall=83 success=no exit=-13 a0=7f78f41cb440 a1=1f8 a2=0 a3=3 items=2 ppid=1 pid=15504 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named-pkcs11" exe="/usr/sbin/named-pkcs11" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1474038338.723:524): avc: denied { write } for pid=15504 comm="named-pkcs11" name="ipa" dev="dm-0" ino=202189506 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir

Expected results:
No errors should be observed during the upgrade process.

Additional info:
Please note that those AVCs cannot be reproduced on a clean install of RHEL 7.3, so the upgrade failure of the selinux-policy is probably the root cause of the bind-dyndb-ldap AVCs.
Nikhil,

Could you attach the output of:

# semodule -l | grep 400

Thanks.
I guess that Lukas made a mistake and the command should have been:

# semodule -lfull | grep 400
Seen on the machine you provided (ausearch -m avc -m user_avc -i):

----
type=PATH msg=audit(09/19/2016 15:24:18.078:511) : item=1 name=dyndb-ldap/ipa/master objtype=CREATE
type=PATH msg=audit(09/19/2016 15:24:18.078:511) : item=0 name=dyndb-ldap/ipa/ inode=201593081 dev=fd:00 mode=dir,770 ouid=named ogid=named rdev=00:00 obj=unconfined_u:object_r:named_zone_t:s0 objtype=PARENT
type=CWD msg=audit(09/19/2016 15:24:18.078:511) : cwd=/var/named
type=SYSCALL msg=audit(09/19/2016 15:24:18.078:511) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x7f6cd9a2a440 a1=0770 a2=0x5 a3=0x0 items=2 ppid=1 pid=17515 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named-pkcs11 exe=/usr/sbin/named-pkcs11 subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(09/19/2016 15:24:18.078:511) : avc: denied { write } for pid=17515 comm=named-pkcs11 name=ipa dev="dm-0" ino=201593081 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
----

# find / -inum 201593081
/var/named/dyndb-ldap/ipa
# matchpathcon /var/
/var    system_u:object_r:var_t:s0
# matchpathcon /var/named/
/var/named    system_u:object_r:named_zone_t:s0
# matchpathcon /var/named/dyndb-ldap/
/var/named/dyndb-ldap    system_u:object_r:named_zone_t:s0
# matchpathcon /var/named/dyndb-ldap/ipa/
/var/named/dyndb-ldap/ipa    system_u:object_r:named_zone_t:s0
#
# sesearch -s named_t -t named_zone_t -c dir -A -C -p write
Found 4 semantic av rules:
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
#

My recommendation is to enable the named_write_master_zones boolean:

# setsebool -P named_write_master_zones on
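The triage in the comment above (AVC record, then sesearch with -C, then the boolean named in the conditional) can be scripted. The shell functions below are an added example written for this page; they are not part of the bug report, the attached patch, or any Red Hat tooling. The sample AVC record and the sesearch output are copied from the comments on this page; the function names are assumptions of the example. The "D" in the "DT" prefix of setools 3 output is the detail worth automating: it means the rule exists in the policy but is currently disabled, so the fix is a boolean, not a new policy module.

```shell
#!/bin/sh
# Added example, not from the bug report: script the AVC -> sesearch -> boolean
# triage shown in the comment above. POSIX sh plus sed/awk/cut/sort only.

# Sample AVC record, copied from comment 0 of this report.
AVC_SAMPLE='type=AVC msg=audit(1474038338.723:524): avc: denied { write } for pid=15504 comm="named-pkcs11" name="ipa" dev="dm-0" ino=202189506 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir'

# Sample sesearch output, copied from the comment above (setools 3 format:
# first letter D/E = rule currently Disabled/Enabled, second letter T/F = rule
# lives in the True/False branch of the conditional shown in [ ... ]).
SESEARCH_SAMPLE='Found 4 semantic av rules:
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ named_write_master_zones ]
DT allow named_t named_zone_t : dir { ioctl read write getattr lock add_name remove_name search open } ; [ named_write_master_zones ]'

# avc_field RECORD KEY -> value of " KEY=..." in RECORD, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD -> permissions inside "denied { ... }", comma-separated
# the way sesearch -p expects them
avc_perms() {
    printf '%s\n' "$1" \
      | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
      | sed 's/[[:space:]]*$//; s/[[:space:]][[:space:]]*/,/g'
}

# ctx_type user:role:type:level -> type (third colon-separated field)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch RECORD -> the sesearch command that lists every allow rule,
# conditional ones included (-C), which could grant the denied access
avc_to_sesearch() {
    printf 'sesearch -A -C -s %s -t %s -c %s -p %s\n' \
      "$(ctx_type "$(avc_field "$1" scontext)")" \
      "$(ctx_type "$(avc_field "$1" tcontext)")" \
      "$(avc_field "$1" tclass)" \
      "$(avc_perms "$1")"
}

# gating_booleans SESEARCH_OUTPUT -> unique conditional expressions from the
# "; [ ... ]" suffix of each rule. A single boolean comes out as its name; a
# compound expression such as "!a" or "a && b" is printed as-is for a human.
gating_booleans() {
    printf '%s\n' "$1" \
      | sed -n 's/.*;[[:space:]]*\[[[:space:]]*\([^]]*\)\].*/\1/p' \
      | sed 's/[[:space:]]*$//' | sort -u
}

# disabled_rule_count SESEARCH_OUTPUT -> number of matching rules that exist in
# the policy but are switched off right now (first column D). If every rule
# that could grant the access is disabled, flip the boolean; only if there is
# no rule at all does a local policy module become necessary.
disabled_rule_count() {
    printf '%s\n' "$1" | awk '/^D[TF] /{n++} END{print n+0}'
}

# Usage: triage the sample record
avc_to_sesearch "$AVC_SAMPLE"
echo "disabled conditional rules: $(disabled_rule_count "$SESEARCH_SAMPLE")"
echo "booleans to check with getsebool: $(gating_booleans "$SESEARCH_SAMPLE")"
```

On a live host, feed it the record from `ausearch -m AVC -ts recent`, run the printed sesearch command, and pass that output to gating_booleans; if disabled_rule_count equals the number of rules found, `setsebool -P <boolean> on` is the whole fix, as it was here.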
Full log from the yum transaction follows. Please note the scriptlet outputs at the end:

# yum history info 14
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Transaction ID : 14
Begin time     : Mon Sep 19 14:51:04 2016
Begin rpmdb    : 856:c47d819d43ec63c0314e4e64cf994d9540479a91
End time       :            15:04:17 2016 (13 minutes)
End rpmdb      : 916:3cecff9b903562e37924bf8bf661ba64a2c8a3bc
User           : root <root>
Return-Code    : Success
Command Line   : -y update ipa* sssd
Transaction performed with:
    Installed     rpm-4.11.1-16.el7.x86_64                  @beaker-Server/7.0
    Installed     subscription-manager-1.10.14-7.el7.x86_64 @beaker-Server/7.0
    Installed     yum-3.4.3-118.el7.noarch                  @beaker-Server/7.0
    Installed     yum-metadata-parser-1.1.4-10.el7.x86_64   @beaker-Server/7.0
Packages Altered:
Updated 389-ds-base-1.3.1.6-25.el7.x86_64 @beaker-Server Obsoleted 389-ds-base-1.3.1.6-25.el7.x86_64 @beaker-Server Obsoleting 389-ds-base-1.3.5.10-11.el7.x86_64 @rhel73 Updated 389-ds-base-libs-1.3.1.6-25.el7.x86_64 @beaker-Server Update 1.3.5.10-11.el7.x86_64 @rhel73 Dep-Install GeoIP-1.5.0-11.el7.x86_64 @rhel73 Updated bind-32:9.9.4-14.el7.x86_64 @beaker-Server Update 32:9.9.4-36.el7.x86_64 @rhel73 Updated bind-dyndb-ldap-3.5-4.el7.x86_64 @beaker-Server Update 10.0-4.el7.x86_64 @rhel73 Updated bind-libs-32:9.9.4-14.el7.x86_64 @beaker-Server/7.0 Update 32:9.9.4-36.el7.x86_64 @rhel73 Updated bind-libs-lite-32:9.9.4-14.el7.x86_64 @beaker-Server/7.0 Update 32:9.9.4-36.el7.x86_64 @rhel73 Updated bind-license-32:9.9.4-14.el7.noarch @beaker-Server/7.0 Update 32:9.9.4-36.el7.noarch @rhel73 Dep-Install bind-pkcs11-32:9.9.4-36.el7.x86_64 @rhel73 Dep-Install bind-pkcs11-libs-32:9.9.4-36.el7.x86_64 @rhel73 Dep-Install bind-pkcs11-utils-32:9.9.4-36.el7.x86_64 @rhel73 Updated certmonger-0.70-2.el7.x86_64 @beaker-Server Update 0.78.4-3.el7.x86_64 @rhel73 Updated chkconfig-1.3.61-4.el7.x86_64 @beaker-Server/7.0 Update 1.7.2-1.el7.x86_64
@rhel73 Dep-Install copy-jdk-configs-1.2-1.el7.noarch @rhel73 Dep-Install custodia-0.1.0-4.el7.noarch @rhel73 Updated dracut-033-161.el7.x86_64 @beaker-Server/7.0 Update 033-462.el7.x86_64 @rhel73 Updated dracut-config-rescue-033-161.el7.x86_64 @beaker-Server/7.0 Update 033-462.el7.x86_64 @rhel73 Updated dracut-network-033-161.el7.x86_64 @beaker-Server/7.0 Update 033-462.el7.x86_64 @rhel73 Dep-Install fontawesome-fonts-4.1.0-1.el7.noarch @rhel73 Updated glib2-2.36.3-5.el7.x86_64 @beaker-Server/7.0 Update 2.46.2-4.el7.x86_64 @rhel73 Updated httpd-2.4.6-17.el7.x86_64 @beaker-Server Update 2.4.6-45.el7.x86_64 @rhel73 Updated httpd-tools-2.4.6-17.el7.x86_64 @beaker-Server Update 2.4.6-45.el7.x86_64 @rhel73 Updated initscripts-9.49.17-1.el7.x86_64 @beaker-Server/7.0 Update 9.49.37-1.el7.x86_64 @rhel73 Updated ipa-admintools-3.3.3-28.el7.x86_64 @beaker-Server/7.0 Update 4.4.0-12.el7.noarch @rhel73 Updated ipa-client-3.3.3-28.el7.x86_64 @beaker-Server/7.0 Update 4.4.0-12.el7.x86_64 @rhel73 Dep-Install ipa-client-common-4.4.0-12.el7.noarch @rhel73 Dep-Install ipa-common-4.4.0-12.el7.noarch @rhel73 Obsoleted ipa-python-3.3.3-28.el7.x86_64 @beaker-Server/7.0 Obsoleting ipa-python-compat-4.4.0-12.el7.noarch @rhel73 Updated ipa-server-3.3.3-28.el7.x86_64 @beaker-Server Obsoleted ipa-server-3.3.3-28.el7.x86_64 @beaker-Server Obsoleting ipa-server-4.4.0-12.el7.x86_64 @rhel73 Dep-Install ipa-server-common-4.4.0-12.el7.noarch @rhel73 Obsoleting ipa-server-dns-4.4.0-12.el7.noarch @rhel73 Dep-Install jackson-1.9.4-7.el7.noarch @beaker-Server-optional Dep-Install java-1.8.0-openjdk-headless-1:1.8.0.102-4.b14.el7.x86_64 @rhel73 Dep-Install jboss-annotations-1.1-api-1.0.1-0.6.20120212git76e1a2.el7.noarch @beaker-Server-optional Dep-Install joda-convert-1.3-5.el7.noarch @beaker-Server-optional Dep-Install joda-time-2.2-3.tzdata2013c.el7.noarch @beaker-Server-optional Dep-Install jsr-311-1.1.1-6.el7.noarch @beaker-Server-optional Updated jss-4.2.6-33.el7.x86_64 @beaker-Server Update 
4.2.6-42.el7.x86_64 @rhel73 Updated kmod-14-9.el7.x86_64 @beaker-Server/7.0 Update 20-9.el7.x86_64 @rhel73 Updated krb5-libs-1.11.3-49.el7.x86_64 @beaker-Server/7.0 Update 1.14.1-26.el7.x86_64 @rhel73 Updated krb5-pkinit-1.11.3-49.el7.x86_64 @beaker-Server Update 1.14.1-26.el7.x86_64 @rhel73 Updated krb5-server-1.11.3-49.el7.x86_64 @beaker-Server Update 1.14.1-26.el7.x86_64 @rhel73 Updated krb5-workstation-1.11.3-49.el7.x86_64 @beaker-Server/7.0 Update 1.14.1-26.el7.x86_64 @rhel73 Dep-Install ldns-1.6.16-10.el7.x86_64 @rhel73 Updated libbasicobjects-0.1.0-22.el7.x86_64 @beaker-Server/7.0 Update 0.1.1-27.el7.x86_64 @rhel73 Updated libcollection-0.6.2-22.el7.x86_64 @beaker-Server/7.0 Update 0.6.2-27.el7.x86_64 @rhel73 Updated libdhash-0.4.3-22.el7.x86_64 @beaker-Server/7.0 Update 0.4.3-27.el7.x86_64 @rhel73 Updated libgudev1-208-11.el7.x86_64 @beaker-Server/7.0 Update 219-30.el7.x86_64 @rhel73 Updated libini_config-1.0.0.1-22.el7.x86_64 @beaker-Server/7.0 Update 1.3.0-27.el7.x86_64 @rhel73 Updated libipa_hbac-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Obsoleted libipa_hbac-python-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Dep-Install libkadm5-1.14.1-26.el7.x86_64 @rhel73 Updated libldb-1.1.16-4.el7.x86_64 @beaker-Server/7.0 Update 1.1.26-1.el7.x86_64 @rhel73 Updated libpath_utils-0.2.1-22.el7.x86_64 @beaker-Server/7.0 Update 0.2.1-27.el7.x86_64 @rhel73 Updated libref_array-0.1.3-22.el7.x86_64 @beaker-Server/7.0 Update 0.1.5-27.el7.x86_64 @rhel73 Updated libselinux-2.2.2-6.el7.x86_64 @beaker-Server/7.0 Update 2.5-6.el7.x86_64 @rhel73 Updated libselinux-python-2.2.2-6.el7.x86_64 @beaker-Server/7.0 Update 2.5-6.el7.x86_64 @rhel73 Updated libselinux-utils-2.2.2-6.el7.x86_64 @beaker-Server/7.0 Update 2.5-6.el7.x86_64 @rhel73 Updated libsemanage-2.1.10-16.el7.x86_64 @beaker-Server/7.0 Update 2.5-4.el7.x86_64 @rhel73 Updated libsemanage-python-2.1.10-16.el7.x86_64 @beaker-Server Update 2.5-4.el7.x86_64 @rhel73 Updated 
libsepol-2.1.9-3.el7.x86_64 @beaker-Server/7.0 Update 2.5-6.el7.x86_64 @rhel73 Dep-Install libsmbclient-4.4.4-9.el7.x86_64 @rhel73 Dep-Install libsss_autofs-1.14.0-42.el7.x86_64 @rhel73 Updated libsss_idmap-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated libsss_nss_idmap-1.11.2-65.el7.x86_64 @beaker-Server Update 1.14.0-42.el7.x86_64 @rhel73 Updated libtalloc-2.0.8-4.el7.x86_64 @beaker-Server/7.0 Update 2.1.6-1.el7.x86_64 @rhel73 Updated libtdb-1.2.12-3.el7.x86_64 @beaker-Server/7.0 Update 1.3.8-1.el7.x86_64 @rhel73 Updated libtevent-0.9.18-6.el7.x86_64 @beaker-Server/7.0 Update 0.9.28-1.el7.x86_64 @rhel73 Updated libwbclient-4.1.1-31.el7.x86_64 @beaker-Server/7.0 Update 4.4.4-9.el7.x86_64 @rhel73 Dep-Install lksctp-tools-1.0.17-2.el7.x86_64 @rhel73 Dep-Install mod_auth_gssapi-1.4.0-1.el7.x86_64 @rhel73 Updated nspr-4.10.2-4.el7.x86_64 @beaker-Server/7.0 Update 4.11.0-1.el7_2.x86_64 @rhel73 Updated nss-3.15.4-6.el7.x86_64 @beaker-Server/7.0 Update 3.21.0-17.el7.x86_64 @rhel73 Updated nss-softokn-3.15.4-2.el7.x86_64 @beaker-Server/7.0 Update 3.16.2.3-14.4.el7.x86_64 @rhel73 Updated nss-softokn-freebl-3.15.4-2.el7.x86_64 @beaker-Server/7.0 Update 3.16.2.3-14.4.el7.x86_64 @rhel73 Updated nss-sysinit-3.15.4-6.el7.x86_64 @beaker-Server/7.0 Update 3.21.0-17.el7.x86_64 @rhel73 Updated nss-tools-3.15.4-6.el7.x86_64 @beaker-Server/7.0 Update 3.21.0-17.el7.x86_64 @rhel73 Updated nss-util-3.15.4-2.el7.x86_64 @beaker-Server/7.0 Update 3.21.0-2.2.el7_2.x86_64 @rhel73 Dep-Install nuxwdog-1.0.3-5.el7.x86_64 @rhel73 Dep-Install nuxwdog-client-java-1.0.3-5.el7.x86_64 @rhel73 Dep-Install objectweb-asm-3.3.1-9.el7.noarch @beaker-Server-optional Dep-Install open-sans-fonts-1.10-1.el7.noarch @rhel73 Dep-Install opencryptoki-3.5-6.el7.x86_64 @rhel73 Dep-Install opencryptoki-libs-3.5-6.el7.x86_64 @rhel73 Dep-Install opencryptoki-swtok-3.5-6.el7.x86_64 @rhel73 Dep-Install opendnssec-1.4.7-3.el7.x86_64 @rhel73 Updated openssl-1:1.0.1e-34.el7.x86_64 
@beaker-Server/7.0 Update 1:1.0.1e-58.el7.x86_64 @rhel73 Updated openssl-libs-1:1.0.1e-34.el7.x86_64 @beaker-Server/7.0 Update 1:1.0.1e-58.el7.x86_64 @rhel73 Dep-Install perl-Archive-Tar-1.92-2.el7.noarch @beaker-Server Dep-Install perl-IO-Zlib-1:1.10-291.el7.noarch @rhel73 Dep-Install perl-Package-Constants-1:0.02-291.el7.noarch @rhel73 Updated pki-base-10.0.5-3.el7.noarch @beaker-Server Update 10.3.3-10.el7.noarch @rhel73 Dep-Install pki-base-java-10.3.3-10.el7.noarch @rhel73 Updated pki-ca-10.0.5-3.el7.noarch @beaker-Server Update 10.3.3-10.el7.noarch @rhel73 Dep-Install pki-kra-10.3.3-10.el7.noarch @rhel73 Updated pki-server-10.0.5-3.el7.noarch @beaker-Server Update 10.3.3-10.el7.noarch @rhel73 Updated pki-tools-10.0.5-3.el7.x86_64 @beaker-Server Update 10.3.3-10.el7.x86_64 @rhel73 Updated policycoreutils-2.2.5-11.el7.x86_64 @beaker-Server/7.0 Update 2.5-8.el7.x86_64 @rhel73 Updated policycoreutils-python-2.2.5-11.el7.x86_64 @beaker-Server Update 2.5-8.el7.x86_64 @rhel73 Updated pytalloc-2.0.8-4.el7.x86_64 @beaker-Server/7.0 Update 2.1.6-1.el7.x86_64 @rhel73 Dep-Install python-cffi-1.6.0-5.el7.x86_64 @rhel73 Updated python-chardet-2.0.1-7.el7.noarch @beaker-Server Update 2.2.1-1.el7_1.noarch @rhel73 Dep-Install python-custodia-0.1.0-4.el7.noarch @rhel73 Updated python-dns-1.10.0-5.el7.noarch @beaker-Server/7.0 Update 1.12.0-2.20150617git465785f.el7.noarch @rhel73 Dep-Install python-enum34-1.0.4-1.el7.noarch @rhel73 Dep-Install python-gssapi-1.2.0-2.el7.x86_64 @rhel73 Dep-Install python-idna-2.0-1.el7.noarch @rhel73 Dep-Install python-ipaddress-1.0.16-2.el7.noarch @rhel73 Dep-Install python-jwcrypto-0.2.1-2.el7.noarch @rhel73 Dep-Install python-kdcproxy-0.3.2-1.el7.noarch @rhel73 Updated python-ldap-2.4.6-6.el7.x86_64 @beaker-Server/7.0 Update 2.4.15-2.el7.x86_64 @rhel73 Obsoleting python-libipa_hbac-1.14.0-42.el7.x86_64 @rhel73 Dep-Install python-netifaces-0.10.4-3.el7.x86_64 @rhel73 Updated python-nss-0.14.0-5.el7.x86_64 @beaker-Server/7.0 Update 
0.16.0-3.el7.x86_64 @rhel73 Dep-Install python-ply-3.4-10.el7.noarch @rhel73 Obsoleted python-pyasn1-0.1.6-2.el7.noarch @beaker-Server Dep-Install python-pycparser-2.14-1.el7.noarch @rhel73 Dep-Install python-qrcode-core-5.0.1-1.el7.noarch @rhel73 Updated python-requests-1.1.0-8.el7.noarch @beaker-Server Update 2.6.0-1.el7_1.noarch @rhel73 Updated python-six-1.3.0-4.el7.noarch @beaker-Server Update 1.9.0-2.el7.noarch @rhel73 Dep-Install python-sss-murmur-1.14.0-42.el7.x86_64 @rhel73 Updated python-sssdconfig-1.11.2-65.el7.noarch @beaker-Server/7.0 Update 1.14.0-42.el7.noarch @rhel73 Updated python-urllib3-1.5-8.el7.noarch @beaker-Server Update 1.10.2-2.el7_1.noarch @rhel73 Dep-Install python-yubico-1.2.3-1.el7.noarch @rhel73 Dep-Install python2-cryptography-1.3.1-3.el7.x86_64 @rhel73 Dep-Install python2-ipaclient-4.4.0-12.el7.noarch @rhel73 Dep-Install python2-ipalib-4.4.0-12.el7.noarch @rhel73 Dep-Install python2-ipaserver-4.4.0-12.el7.noarch @rhel73 Obsoleting python2-pyasn1-0.1.9-7.el7.noarch @rhel73 Dep-Install pyusb-1.0.0-0.11.b1.el7.noarch @rhel73 Updated resteasy-base-atom-provider-2.3.5-2.el7.noarch @beaker-Server Update 3.0.6-3.el7.noarch @rhel73 Dep-Install resteasy-base-client-3.0.6-3.el7.noarch @rhel73 Dep-Install resteasy-base-jackson-provider-3.0.6-3.el7.noarch @rhel73 Updated resteasy-base-jaxb-provider-2.3.5-2.el7.noarch @beaker-Server Update 3.0.6-3.el7.noarch @rhel73 Updated resteasy-base-jaxrs-2.3.5-2.el7.noarch @beaker-Server Update 3.0.6-3.el7.noarch @rhel73 Updated resteasy-base-jaxrs-api-2.3.5-2.el7.noarch @beaker-Server Update 3.0.6-3.el7.noarch @rhel73 Updated resteasy-base-jettison-provider-2.3.5-2.el7.noarch @beaker-Server Update 3.0.6-3.el7.noarch @rhel73 Dep-Install samba-client-libs-4.4.4-9.el7.x86_64 @rhel73 Dep-Install samba-common-4.4.4-9.el7.noarch @rhel73 Updated samba-libs-4.1.1-31.el7.x86_64 @beaker-Server/7.0 Update 4.4.4-9.el7.x86_64 @rhel73 Updated selinux-policy-3.12.1-153.el7.noarch @beaker-Server/7.0 Update 
3.13.1-99.el7.noarch @rhel73 Updated selinux-policy-targeted-3.12.1-153.el7.noarch @beaker-Server/7.0 Update 3.13.1-99.el7.noarch @rhel73 Updated setools-libs-3.3.7-46.el7.x86_64 @beaker-Server Update 3.3.8-1.1.el7.x86_64 @rhel73 Updated slapi-nis-0.52-4.el7.x86_64 @beaker-Server Update 0.56.0-4.el7.x86_64 @rhel73 Dep-Install softhsm-2.1.0-2.el7.x86_64 @rhel73 Updated sssd-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-ad-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-client-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-common-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-common-pac-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-ipa-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-krb5-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-krb5-common-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-ldap-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated sssd-proxy-1.11.2-65.el7.x86_64 @beaker-Server/7.0 Update 1.14.0-42.el7.x86_64 @rhel73 Updated svrcore-4.0.4-11.el7.x86_64 @beaker-Server Update 4.1.2-1.el7.x86_64 @rhel73 Updated systemd-208-11.el7.x86_64 @beaker-Server/7.0 Update 219-30.el7.x86_64 @rhel73 Updated systemd-libs-208-11.el7.x86_64 @beaker-Server/7.0 Update 219-30.el7.x86_64 @rhel73 Updated systemd-python-208-11.el7.x86_64 @beaker-Server Update 219-30.el7.x86_64 @rhel73 Updated systemd-sysv-208-11.el7.x86_64 @beaker-Server/7.0 Update 219-30.el7.x86_64 @rhel73 Updated tomcat-7.0.42-4.el7.noarch @beaker-Server Update 7.0.69-10.el7.noarch @rhel73 Updated tomcat-el-2.2-api-7.0.42-4.el7.noarch @beaker-Server Update 7.0.69-10.el7.noarch @rhel73 Updated tomcat-jsp-2.2-api-7.0.42-4.el7.noarch @beaker-Server 
Update 7.0.69-10.el7.noarch @rhel73 Updated tomcat-lib-7.0.42-4.el7.noarch @beaker-Server Update 7.0.69-10.el7.noarch @rhel73 Updated tomcat-servlet-3.0-api-7.0.42-4.el7.noarch @beaker-Server Update 7.0.69-10.el7.noarch @rhel73 Updated tomcatjss-7.1.0-4.el7.noarch @beaker-Server Update 7.1.2-3.el7.noarch @rhel73 Updated tzdata-java-2014b-1.el7.noarch @beaker-Server Update 2016f-1.el7.noarch @rhel73
Scriptlet output:
   1 warning: /etc/krb5.conf created as /etc/krb5.conf.rpmnew
   2 warning: /etc/named.conf created as /etc/named.conf.rpmnew
   3 Enabling SELinux boolean named_write_master_zones
   4 Cannot set persistent booleans without managed policy.
   5 Re-declaration of type pkcsslotd_t
   6 Failed to create node
   7 Bad type declaration at /etc/selinux/targeted/tmp/modules/400/pkcsslotd/cil:1
   8 semodule:  Failed!
   9 Could not load host key: /etc/ssh/ssh_host_dsa_key
  10 warning: /etc/sysconfig/dirsrv created as /etc/sysconfig/dirsrv.rpmnew
  11 DNS query for qe-blade-13.testrelm.test. A failed: The DNS operation timed out after 30.0009379387 seconds
  12 Skipping update of global DNS forwarder in LDAP: Unable to determine if local server is using an IP address belonging to an automatic empty zone. Consider changing forwarding policy to "only". DNS exception: The DNS operation timed out after 30.0009379387 seconds
  13 unable to resolve host name qe-blade-13.testrelm.test. to IP address, ipa-ca DNS record will be incomplete

history info

The following lines indicate a problem with setsebool:

   3 Enabling SELinux boolean named_write_master_zones
   4 Cannot set persistent booleans without managed policy.

I do not know why it failed... but RPM tried to configure the boolean and it failed for some reason. It does not seem like a problem in IPA, because the IPA/bind-dyndb-ldap packages tried to set the boolean and failed for some reason.
I believe the bug is in the bind-dyndb-ldap spec file: "Requires: selinux-policy" is missing. I need to test it on RHEL 7.0. After testing I will provide info.
It's as I said. Attaching patch and changing component.
(In reply to Lukas Vrabec from comment #12)
> It's as I said. Attaching patch and changing component.

Thanks for the patch! Just checking, does it really guarantee that the right version of selinux-policy is installed before the IdM packages? In FreeIPA, we usually use a line like the following:

Requires(pre): 389-ds-base >= 1.3.5.6
Even more interestingly, how is it possible that the bug manifested itself only on RHEL 7.3 and not on RHEL 7.1/7.2? The setsebool call was there for at least these releases. Are you 100% sure that the dependency is not missing in some other package? How can the system possibly be in enforcing mode without selinux-policy installed? Alternatively, was the system in permissive/disabled mode without selinux-policy and later switched to enforcing? It seems very weird to me.
The question is, can bind-dyndb-ldap be used, or is it used, on systems with SELinux disabled? If the answer is yes, then the proposed fix is not correct, as it forces users to install selinux-policy, and it could be considered a regression.
You can install the selinux-policy package with SELinux in the disabled state, so I don't think this could be a regression.
Anyway, it is dependency creep. Do you see a solution which does not break either case? (I'm not saying that we have to fix this now, but in the general case, how should this be handled?)
*** Bug 1374022 has been marked as a duplicate of this bug. ***
I think that the correct solution would be to move setsebool from %post to %posttrans, so it is run at the end of the transaction when the SELinux module store is already migrated and the userspace updated.
Created attachment 1203687 [details]
Patch for bind-dyndb-ldap with posttrans

Petr is right. I tested it with the following patch and the boolean was turned on.
ipa-server runs ipa-server-upgrade in %posttrans; will yum/dnf make sure that the bind-dyndb-ldap part is run before IPA's? ipa-server-dns requires ipa-server and bind-dyndb-ldap; ipa-server itself doesn't require bind-dyndb-ldap.
I suspect that we should have Requires(posttrans): bind-dyndb-ldap in IPA's spec file and use %posttrans in bind-dyndb-ldap.spec.
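What the %post-to-%posttrans move discussed in the last few comments buys, and the scriptlet-output failure quoted earlier ("Cannot set persistent booleans without managed policy"), written out as a scriptlet body. This is an added example for this page; it is not the patch attached to this report (which is not visible here) and not bind-dyndb-ldap's actual spec. It assumes the spec carries `Requires(posttrans): selinux-policy-targeted` so the migrated store exists when the scriptlet runs, and it uses only the selinuxenabled, getsebool and setsebool commands already mentioned on this page. The function name and messages are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the bind-dyndb-ldap patch from this report: body of a
# %posttrans scriptlet that turns on an SELinux boolean and never fails the
# RPM transaction. Assumed spec context (not shown on this page):
#   Requires(posttrans): selinux-policy-targeted
#   %posttrans
#   enable_selinux_boolean named_write_master_zones
# Calling this from %post is what failed in the report: during the 7.0 -> 7.3
# upgrade the policy store was not yet migrated, so setsebool -P could not
# persist anything.

# enable_selinux_boolean NAME -> always returns 0. A non-zero exit from a
# scriptlet makes rpm mark the package as failed, which is worse than a
# boolean left off, so every failure is reported and swallowed.
enable_selinux_boolean() {
    name=$1

    # 1. No SELinux userspace, or SELinux disabled: nothing to do. getsebool
    #    and setsebool exit non-zero in that state, so test this first.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled 2>/dev/null; then
        echo "SELinux disabled or not installed, skipping boolean $name"
        return 0
    fi

    # 2. The boolean must exist in the loaded policy. With an older
    #    selinux-policy still active it may simply not be defined yet.
    if ! getsebool "$name" >/dev/null 2>&1; then
        echo "boolean $name not defined in the active policy, skipping"
        return 0
    fi

    # 3. Persist it. "Cannot set persistent booleans without managed policy"
    #    is the libsemanage error the report hit. If persisting fails, set the
    #    runtime value (lost at reboot) so the service still works now, and
    #    say so, rather than leaving named_t unable to write its zone dir.
    if setsebool -P "$name" on 2>/dev/null; then
        echo "boolean $name persisted"
    elif setsebool "$name" on 2>/dev/null; then
        echo "boolean $name set for this boot only (policy store not manageable)"
    else
        echo "could not set boolean $name"
    fi
    return 0
}

# Usage: the boolean from this report unless another name is given
enable_selinux_boolean "${1:-named_write_master_zones}"
```

The runtime-only fallback in step 3 is a design choice, not something the report recommends: it keeps the service working until the next reboot and leaves a clear message in the scriptlet output, whereas the usual `setsebool -P ... || :` idiom silently leaves the boolean off. Steps 1 and 2 answer the "systems with SELinux disabled" question raised above: the scriptlet is a no-op there, so the package need not hard-require selinux-policy for correctness, only for ordering.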
IPA server version: ipa-server-4.4.0-12.el7.x86_64
Bind-ldap: bind-dyndb-ldap-10.0-5.el7.x86_64

Verified the bug on the basis of the following points:
1. Verified that the upgrade is successful from RHEL 7.0 to RHEL 7.3.
2. The "DNS timed out" error message is not displayed at the console.
3. The dummy DNS forward zone details created on 7.0 are reflected after the upgrade.
4. Also noticed that the boolean value is "on" and the IPA server works as per comment#15, comment#16 and comment#17 in bug 1373910.

# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> on

5. Logged separate bug Bz1378837 for the "semodule: Failed!" message displayed during the update.

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2375.html