Description of problem:
FreeIPA with DNSSEC support is failing to install on a F32 machine. It looks like the problem is caused by an AVC in ods-enforcerd. The ODS enforcer daemon starts as root but root has no permission to read/write files in /var/opendnssec and /run/opendnssec. The files are owned by ods:ods and most directories are not accessible by other users.

Version-Release number of selected component (if applicable):
opendnssec-2.1.6-4.fc32.x86_64
freeipa-server-4.8.6-1.fc32.x86_64
selinux-policy-3.14.5-32.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. ipa-server-install
2. ipa-dns-install --dnssec-master --auto-reverse --auto-forwarders -U

Actual results:
DNS server installation is failing while ods-enforcerd is started:

  [7/8]: starting OpenDNSSEC enforcer", "
  [error] CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'restart', 'ods-enforcerd.service'] returned non-zero exit status 1: 'Job for ods-enforcerd.service failed because the control process exited with error code.
  ods-enforcerd[27230]: Could not connect to database or database not set up properly.

ausearch is showing multiple AVCs:

AVC avc: denied { dac_override } for pid=27230 comm="ods-enforcerd" capability=1 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=0

Expected results:
no error

Additional info:

# ls -laZ /var/run/opendnssec/ /var/opendnssec/
/var/opendnssec/:
total 128
drwxrwx---.  6 root ods system_u:object_r:opendnssec_var_t:s0        4096 Apr 20 06:16 .
drwxr-xr-x. 21 root root system_u:object_r:var_t:s0                   4096 Apr 20 06:05 ..
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0        4096 Mar 10 22:53 enforcer
-rw-rw----.  1 ods  ods  unconfined_u:object_r:opendnssec_var_t:s0  102400 Apr 20 06:16 kasp.db
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0        4096 Mar 10 22:53 signconf
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0        4096 Mar 10 22:53 signed
drwxrwx---.  2 ods  ods  system_u:object_r:opendnssec_var_t:s0        4096 Apr 20 06:16 tmp

/var/run/opendnssec/:
total 0
drwxr-xr-x.  2 ods  ods  system_u:object_r:opendnssec_var_run_t:s0      60 Apr 20 06:16 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0               1000 Apr 20 06:15 ..
srw-rw-rw-.  1 root root system_u:object_r:opendnssec_var_run_t:s0       0 Apr 20 06:16 engine.sock

# auditctl -w /etc/shadow -p w
# setenforce 0
# systemctl restart ods-enforcerd.service
# ausearch -m AVC
...
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.081:2130): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.081:2130): item=0 name="/var/opendnssec/kasp.db" inode=267656 dev=fc:01 mode=0100660 ouid=995 ogid=992 rdev=00:00 obj=unconfined_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.081:2130): cwd="/"
type=SYSCALL msg=audit(1587378275.081:2130): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55774f9eebac a2=a0002 a3=0 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.081:2130): avc: denied { dac_override } for pid=26878 comm="ods-enforcerd" capability=1 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
----
time->Mon Apr 20 06:24:35 2020
type=PROCTITLE msg=audit(1587378275.083:2131): proctitle="/usr/sbin/ods-enforcerd"
type=PATH msg=audit(1587378275.083:2131): item=0 name="/var/opendnssec/enforcer" inode=267655 dev=fc:01 mode=040770 ouid=995 ogid=992 rdev=00:00 obj=system_u:object_r:opendnssec_var_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1587378275.083:2131): cwd="/"
type=SYSCALL msg=audit(1587378275.083:2131): arch=c000003e syscall=80 success=yes exit=0 a0=55774f9e74a0 a1=3e3 a2=3e0 a3=2000 items=1 ppid=1 pid=26878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ods-enforcerd" exe="/usr/sbin/ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0 key=(null)
type=AVC msg=audit(1587378275.083:2131): avc: denied { dac_read_search } for pid=26878 comm="ods-enforcerd" capability=2 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
This systemd drop-in seems to fix the startup problem for me:

# /etc/systemd/system/ods-enforcerd.service.d/override.conf
[Service]
User=ods
Group=ods
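As an added example (not code from this report, OpenDNSSEC or FreeIPA), a small Python parser for ausearch records that flags the pattern seen here: a process running as uid 0 denied dac_override or dac_read_search on a capability check while opening a path owned by another uid, which is the signal that the unit should run as that owner rather than as root. The sample records are a constructed, trimmed copy of the two events above plus one unrelated denial; the function and field names are this example's own.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
DAC_CAPS = {"dac_override", "dac_read_search"}

# Constructed sample: this report's two events (PATH/SYSCALL/AVC only) plus one non-capability denial.
SAMPLE_AUDIT = """
type=PATH msg=audit(1587378275.081:2130): item=0 name="/var/opendnssec/kasp.db" mode=0100660 ouid=995 ogid=992 obj=unconfined_u:object_r:opendnssec_var_t:s0
type=SYSCALL msg=audit(1587378275.081:2130): syscall=257 success=yes pid=26878 uid=0 gid=0 euid=0 comm="ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0
type=AVC msg=audit(1587378275.081:2130): avc:  denied  { dac_override } for pid=26878 comm="ods-enforcerd" capability=1 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
type=PATH msg=audit(1587378275.083:2131): item=0 name="/var/opendnssec/enforcer" mode=040770 ouid=995 ogid=992 obj=system_u:object_r:opendnssec_var_t:s0
type=SYSCALL msg=audit(1587378275.083:2131): syscall=80 success=yes pid=26878 uid=0 gid=0 euid=0 comm="ods-enforcerd" subj=system_u:system_r:opendnssec_t:s0
type=AVC msg=audit(1587378275.083:2131): avc:  denied  { dac_read_search } for pid=26878 comm="ods-enforcerd" capability=2 scontext=system_u:system_r:opendnssec_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1587378275.090:2132): syscall=257 success=no pid=31000 uid=0 gid=0 euid=0 comm="demo-daemon" subj=system_u:system_r:demo_t:s0
type=AVC msg=audit(1587378275.090:2132): avc:  denied  { read } for pid=31000 comm="demo-daemon" name="kasp.db" scontext=system_u:system_r:demo_t:s0 tcontext=unconfined_u:object_r:opendnssec_var_t:s0 tclass=file permissive=1
"""

def parse_events(text):
    """Group audit records by event serial: {serial: [record dict, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        if not line.startswith("type=") or not serial:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        denied = DENIED_RE.search(line)
        if denied:  # AVC record: keep the denied permission set
            rec["denied"] = set(denied.group(1).split())
        events[serial.group(1)].append(rec)
    return events

def find_dac_mismatches(text):
    """Flag events where a uid-0 process hit a dac_override/dac_read_search capability
    denial on a path owned by another uid: run the daemon as that owner, not as root."""
    findings = []
    for serial, recs in parse_events(text).items():
        as_root = any(r["type"] == "SYSCALL" and r.get("uid") == "0" for r in recs)
        paths = [r for r in recs if r["type"] == "PATH" and r.get("ouid") != "0"]
        for avc in (r for r in recs if r["type"] == "AVC"):
            caps = DAC_CAPS & avc.get("denied", set())
            if not as_root or avc.get("tclass") != "capability" or not caps:
                continue
            for path in paths:
                findings.append({"serial": serial, "comm": avc.get("comm"),
                                 "capabilities": sorted(caps), "path": path["name"],
                                 "owner": f'{path["ouid"]}:{path["ogid"]}'})
    return findings
```

Run it over `ausearch -m AVC -i` style raw output (without `-i`, so uids stay numeric) and each finding names the path whose owner the service's User=/Group= should match.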
FEDORA-2020-fd0589ddff has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0589ddff
FEDORA-2020-fd0589ddff has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-fd0589ddff` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-fd0589ddff See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-fd0589ddff has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.