Description of problem: I'm no longer able to enable DNSSEC support in freeIPA. ``ipa dnszone-mod $DOMAIN --dnssec=true`` fails silently with a AVC. After I have put the opendnssec_t domain into permissive mode, DNSSEC support works as expected. The ods-signer binary is part of opendnssec package. avc: denied { execute_no_trans } for pid=104865 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=1 Version-Release number of selected component (if applicable): selinux-policy-3.13.1-283.21.fc27.noarch opendnssec-1.4.14-1.fc27.x86_64 freeipa-server-dns-4.6.2.dev201801240728+git57a869329-0.fc27.noarch How reproducible: Always Steps to Reproduce: 1. ipa-server-install 2. ipa-dns-install --dnssec-master --auto-forwarders --auto-reverse --unattended 3. ipa dnszone-mod $DOMAIN --dnssec=true Actual results: AVC denial, ipa-ods-exporter is failing with "socket activation did not return socket with a command", dig isn't reporting RRSIG for the domain. Expected results: DNSSEC works Additional info: See https://pagure.io/freeipa/issue/7378 for more information
The AVC denial in my original post was with ``semanage permissive -a opendnssec_t``. Here is a full log: ---- time->Wed Jan 24 09:15:02 2018 type=AVC msg=audit(1516781702.689:1031): avc: denied { execute_no_trans } for pid=104673 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=0 ---- time->Wed Jan 24 09:20:46 2018 type=AVC msg=audit(1516782046.828:1126): avc: denied { execute_no_trans } for pid=104865 comm="sh" path="/usr/sbin/ods-signer" dev="dm-0" ino=180013 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:object_r:opendnssec_exec_t:s0 tclass=file permissive=1 ods-signer doesn't have execute_no_trans: # ls -laZ /usr/sbin/ods-signer -rwxr-xr-x. 1 root root system_u:object_r:opendnssec_exec_t:s0 416856 Dec 12 19:26 /usr/sbin/ods-signer # sesearch -s opendnssec_t -t opendnssec_exec_t -c file -p entrypoint -A allow opendnssec_t opendnssec_exec_t:file { entrypoint execute getattr ioctl lock map open read };
RHEL 7 has execute_no_trans in the opendnssec_exec_t rule. This is clearly a Fedora bug. # sesearch -s opendnssec_t -t opendnssec_exec_t -c file -p entrypoint -A Found 1 semantic av rules: allow opendnssec_t opendnssec_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; # rpm -qa selinux-policy-targeted selinux-policy-targeted-3.13.1-186.el7.noarch
Lukas, any progress on this? DNSSEC cannot be used with FreeIPA until this fixed.
Lukas, I opened https://github.com/fedora-selinux/selinux-policy-contrib/pull/48
Hi, Thanks for help. Merged and backported to Fedora 27. Lukas,
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This issue is back as of 3/2021. Freeipa 4.9.2-4.fc33 SELinux=permissive as well. The length of the 'timeout=1' addition didn't work, timeout=10 didn't work. timeout=100, neither did 600. Mar 07 09:40:32 registry1.1.quietfountain.com ipa-ods-exporter[108845]: ipa-ods-exporter: CRITICAL socket activation did not return a readable socket with a command. Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE Mar 07 09:40:33 registry1.1.quietfountain.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-ods-exporter comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'. Mar 07 09:40:33 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 16.676s CPU time. Added to related item https://pagure.io/freeipa/issue/7378
A re-install on fc33 no longer generates this message on the same vm on the same host. DS records don't make it into named, but all the opendnssec debugging tips look normal. I'll open a different bug report since it appears I can't reproduce this on an install on a later date. Still probably some race condition.