Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2034880

Summary:	ipa-restore command is failing when restore after uninstalling the server
Product:	Red Hat Enterprise Linux 9	Reporter:	Mohammad Rizwan <myusuf>
Component:	389-ds-base	Assignee:	mreynolds
Status:	CLOSED ERRATA	QA Contact:	RHDS QE <ds-qe-bugs>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	9.0	CC:	frenaud, ldap-maint, lvrabec, mmalik, mreynolds, rcritten, sgouvern, ssekidde, tbordaz, tscherf
Target Milestone:	rc	Keywords:	Regression, Reopened
Target Release:	9.0	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Linux
Whiteboard:	sync-to-jira
Fixed In Version:	389-ds-base-2.0.14-1.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	2045223 (view as bug list)		Environment:
Last Closed:	2022-05-17 12:31:11 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2045223

Description Mohammad Rizwan 2021-12-22 11:21:19 UTC

Description of problem:
ipa-restore command is failing when restore after uninstalling the server

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL9.0/job/Nightly/job/tier-2-RHEL9.0-Nightly-upstream-backup-and-restore-testbackupandrestorewithdnssec/15/




Version-Release number of selected component (if applicable):
ipa-server-4.9.8-1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. install ipa-server
2. ipa-backup
3. uninstall ipa server
4. ipa-restore <backup-path>

Actual results:
ipa-backup command fail

Expected results:
ipa-backup command successful

Additional info:
same behavior observed in RHEL8.6 as well

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL8.6/job/Nightly/job/tier-2-RHEL8.6-Nightly-upstream-backup-and-restore-testbackupandrestorewithdnssec/6/

Comment 1 Florence Blanc-Renaud 2021-12-22 13:21:01 UTC

This is a similar issue to the one seen upstream on fedora 35: BZ #2027730 SELinux is preventing ns-slapd access to /dev/shm/slapd-IPA-TEST/DBVERSION

When ipa-restore is run, it calls internally "/usr/sbin/dsctl TESTRELM-TEST ldif2db userRoot /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/TESTRELM-TEST-userRoot.ldif", and dsctl creates the directory for the LDAP instance.
A latter step restarts directory server but fails because it can't read the directory:
(from dirsrv error.log)
[22/Dec/2021:06:01:43.445765448 -0500] - ERR - libdb - /dev/shm/slapd-TESTRELM-TEST: Permission denied
[22/Dec/2021:06:01:43.448626695 -0500] - ERR - libdb - /dev/shm/slapd-TESTRELM-TEST/__db.001: Permission denied
[22/Dec/2021:06:01:43.451054639 -0500] - CRIT - bdb_start - Opening database environment (/dev/shm/slapd-TESTRELM-TEST) failed. err=13: Unexpected dbimpl error code
[22/Dec/2021:06:01:43.453336008 -0500] - ERR - ldbm_back_start - Failed to init database, err=13 Unexpected dbimpl error code
[22/Dec/2021:06:01:43.456696652 -0500] - ERR - plugin_dependency_startall - Failed to start database plugin ldbm database
[22/Dec/2021:06:01:43.470451042 -0500] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[22/Dec/2021:06:01:43.480994589 -0500] - CRIT - dblayer_setup - dblayer_init failed
[22/Dec/2021:06:01:43.483139402 -0500] - ERR - ldbm_back_start - Failed to setup dblayer

Moving the bug to selinux component.

Comment 2 Milos Malik 2021-12-22 16:05:57 UTC

Please collect SELinux denials and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

What SELinux labels are placed on the /dev/shm/slapd-TESTRELM-TEST directory and its content?

# ls -lRZ /dev/shm/slapd-TESTRELM-TEST

Thank you.

Comment 3 Zdenek Pytela 2021-12-22 16:44:30 UTC

Please also verify the status of /dev/shm:

# ls -lZd /dev/shm
# grep shm /proc/mounts
# journalctl -g /dev/shm

Comment 4 Mohammad Rizwan 2021-12-23 06:21:50 UTC

Please find avc's at below url:
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2021-12-16/tier-2/upstream-backup-and-restore-testbackupandrestorewithdnssec/15/logs/AVC.log.gz
http://idm-artifacts.usersys.redhat.com/freeipa/Nightly/RHEL9.0/2021-12-16/tier-2/upstream-backup-and-restore-testbackupandrestorewithdnssec/15/logs/ausearch-master.testrelm.test.log.gz

Comment 5 RHEL Program Management 2021-12-23 06:48:07 UTC

Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Comment 6 Mohammad Rizwan 2021-12-23 12:38:47 UTC

[root@master ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.345:1342) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:46.345:1342) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17134 pid=17137 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.345:1342) : avc:  denied  { setgid } for  pid=17137 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.367:1344) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:46.367:1344) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17134 pid=17139 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.367:1344) : avc:  denied  { setgid } for  pid=17139 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.973:1347) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:46.973:1347) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17145 pid=17148 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.973:1347) : avc:  denied  { setgid } for  pid=17148 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:46.989:1348) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:46.989:1348) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17145 pid=17150 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:46.989:1348) : avc:  denied  { setgid } for  pid=17150 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:47.051:1350) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:47.051:1350) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17152 pid=17155 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:47.051:1350) : avc:  denied  { setgid } for  pid=17155 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:47.090:1351) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:47.090:1351) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17152 pid=17158 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:47.090:1351) : avc:  denied  { setgid } for  pid=17158 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:51.528:1355) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:51.528:1355) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17196 pid=17199 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:51.528:1355) : avc:  denied  { setgid } for  pid=17199 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:51.557:1356) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:51.557:1356) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17196 pid=17201 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:51.557:1356) : avc:  denied  { setgid } for  pid=17201 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.663:1359) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.663:1359) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17212 pid=17215 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.663:1359) : avc:  denied  { setgid } for  pid=17215 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.681:1360) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:53.681:1360) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17212 pid=17217 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.681:1360) : avc:  denied  { setgid } for  pid=17217 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.770:1362) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.770:1362) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17220 pid=17225 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.770:1362) : avc:  denied  { setgid } for  pid=17225 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:53.789:1363) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:53.789:1363) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17220 pid=17229 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:53.789:1363) : avc:  denied  { setgid } for  pid=17229 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:59.077:1406) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:33:59.077:1406) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17313 pid=17316 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:59.077:1406) : avc:  denied  { setgid } for  pid=17316 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:33:59.094:1407) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:33:59.094:1407) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17313 pid=17318 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:33:59.094:1407) : avc:  denied  { setgid } for  pid=17318 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:03.939:1410) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:03.939:1410) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17345 pid=17348 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:03.939:1410) : avc:  denied  { setgid } for  pid=17348 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:03.961:1411) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:03.961:1411) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17345 pid=17350 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:03.961:1411) : avc:  denied  { setgid } for  pid=17350 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.086:1413) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.086:1413) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17353 pid=17359 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.086:1413) : avc:  denied  { setgid } for  pid=17359 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.108:1414) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.108:1414) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17353 pid=17362 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.108:1414) : avc:  denied  { setgid } for  pid=17362 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.190:1417) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.190:1417) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17365 pid=17370 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.190:1417) : avc:  denied  { setgid } for  pid=17370 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.211:1418) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:04.211:1418) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17365 pid=17372 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.211:1418) : avc:  denied  { setgid } for  pid=17372 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.298:1420) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.298:1420) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17375 pid=17380 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.298:1420) : avc:  denied  { setgid } for  pid=17380 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.322:1421) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.322:1421) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17375 pid=17383 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.322:1421) : avc:  denied  { setgid } for  pid=17383 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.410:1424) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.410:1424) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17387 pid=17391 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.410:1424) : avc:  denied  { setgid } for  pid=17391 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:04.428:1425) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:04.428:1425) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17387 pid=17395 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:04.428:1425) : avc:  denied  { setgid } for  pid=17395 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.172:1455) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.172:1455) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17667 pid=17670 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.172:1455) : avc:  denied  { setgid } for  pid=17670 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.191:1456) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:31.191:1456) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17667 pid=17672 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.191:1456) : avc:  denied  { setgid } for  pid=17672 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.284:1458) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.284:1458) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17675 pid=17678 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.284:1458) : avc:  denied  { setgid } for  pid=17678 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.305:1459) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.305:1459) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17675 pid=17681 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.305:1459) : avc:  denied  { setgid } for  pid=17681 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.494:1462) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.494:1462) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17684 pid=17687 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.494:1462) : avc:  denied  { setgid } for  pid=17687 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.511:1463) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:31.511:1463) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17684 pid=17689 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.511:1463) : avc:  denied  { setgid } for  pid=17689 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.606:1465) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.606:1465) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17690 pid=17693 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.606:1465) : avc:  denied  { setgid } for  pid=17693 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:31.630:1466) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:31.630:1466) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17690 pid=17696 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:31.630:1466) : avc:  denied  { setgid } for  pid=17696 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.826:1472) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.826:1472) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17771 pid=17774 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.826:1472) : avc:  denied  { setgid } for  pid=17774 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.845:1473) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:43.845:1473) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17771 pid=17776 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.845:1473) : avc:  denied  { setgid } for  pid=17776 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.973:1475) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.973:1475) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17778 pid=17784 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.973:1475) : avc:  denied  { setgid } for  pid=17784 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:43.998:1476) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:43.998:1476) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17778 pid=17788 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:43.998:1476) : avc:  denied  { setgid } for  pid=17788 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.311:1479) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.311:1479) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17803 pid=17806 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.311:1479) : avc:  denied  { setgid } for  pid=17806 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.336:1480) : proctitle=sss_cache -G 
type=SYSCALL msg=audit(12/23/2021 01:34:44.336:1480) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17803 pid=17809 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.336:1480) : avc:  denied  { setgid } for  pid=17809 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.543:1482) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.543:1482) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17812 pid=17820 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.543:1482) : avc:  denied  { setgid } for  pid=17820 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 01:34:44.563:1483) : proctitle=sss_cache -UG 
type=SYSCALL msg=audit(12/23/2021 01:34:44.563:1483) : arch=x86_64 syscall=setresgid success=yes exit=0 a0=unset a1=root a2=unset a3=0x0 items=0 ppid=17812 pid=17824 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/23/2021 01:34:44.563:1483) : avc:  denied  { setgid } for  pid=17824 comm=sss_cache capability=setgid  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.928:3316) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.928:3316) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbe51f7a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.928:3316) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.953:3317) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.953:3317) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbd0dad60 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.953:3317) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.987:3319) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.987:3319) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbe51f7a0 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.987:3319) : avc:  denied  { read } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(12/23/2021 07:35:43.987:3320) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /run/dirsrv/slapd-TESTRELM-TEST.pid 
type=SYSCALL msg=audit(12/23/2021 07:35:43.987:3320) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7f4bbd121540 a2=O_RDWR|O_CREAT|O_EXCL a3=0x180 items=0 ppid=1 pid=28160 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) 
type=AVC msg=audit(12/23/2021 07:35:43.987:3320) : avc:  denied  { write } for  pid=28160 comm=ns-slapd name=slapd-TESTRELM-TEST dev="tmpfs" ino=32 scontext=system_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0 
[root@master ~]# 
[root@master ~]# 
[root@master ~]# ls -lRZ /dev/shm/slapd-TESTRELM-TEST
/dev/shm/slapd-TESTRELM-TEST:
total 4
-rw-------. 1 dirsrv dirsrv unconfined_u:object_r:user_tmp_t:s0 51 Dec 23 07:35 DBVERSION
[root@master ~]# 
[root@master ~]# 
[root@master ~]#  ls -lZd /dev/shm
drwxrwxrwt. 3 root root system_u:object_r:tmpfs_t:s0 80 Dec 23 07:35 /dev/shm
[root@master ~]# 
[root@master ~]# 
[root@master ~]#  grep shm /proc/mounts
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
[root@master ~]# 
[root@master ~]# 
[root@master ~]# journalctl -g /dev/shm
-- Journal begins at Thu 2021-12-23 01:25:08 EST, ends at Thu 2021-12-23 07:36:57 EST. --
Dec 23 01:25:11 localhost systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 30.658ms.
Dec 23 07:35:43 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:43.954904540 -0500] - ERR - libdb - /dev/shm/slapd-TE>
Dec 23 07:35:43 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:43.990006099 -0500] - ERR - libdb - /dev/shm/slapd-TE>
Dec 23 07:35:44 master.testrelm.test ns-slapd[28160]: [23/Dec/2021:07:35:44.005987077 -0500] - CRIT - bdb_start - Opening data>
[root@master ~]#

Comment 7 Zdenek Pytela 2021-12-23 12:44:21 UTC

Thank you, so /dev/shm has correct label but /dev/shm/slapd-TESTRELM-TEST does not. Do you know which service created that directory?

Comment 8 Mohammad Rizwan 2021-12-27 06:04:43 UTC

dirsrv service might have created it. Flo can confirm.

Comment 9 Florence Blanc-Renaud 2021-12-27 09:57:32 UTC

(In reply to Zdenek Pytela from comment #7)
> Thank you, so /dev/shm has correct label but /dev/shm/slapd-TESTRELM-TEST
> does not. Do you know which service created that directory?

It’s the dsctl cli that creates the directory, shipped with dirsrv. Please see https://bugzilla.redhat.com/show_bug.cgi?id=2027730#c3 for more details (same issue on fedora 35).

Comment 10 Milos Malik 2022-01-07 10:09:59 UTC

Majority of SELinux denials shown in comment#6 are already addressed in BZ#2030156.

The last 4 SELinux denials shown in comment#6 indicate that /dev/shm/slapd-TESTRELM-TEST directory is not labeled correctly. The correct label should be dirsrv_tmpfs_t.

Either ipa-backup did not save the SELinux context of the directory or ipa-restore did not restore the SELinux context of the directory.

I believe that the following command (executed before starting the ns-slapd service) should the labeling issue:

# chcon -R -t dirsrv_tmpfs_t /dev/shm/slapd-TESTRELM-TEST

Comment 11 Milos Malik 2022-01-07 10:18:29 UTC

I believe that the following command (executed before starting the ns-slapd service) should fix the labeling issue:

# chcon -R -t dirsrv_tmpfs_t /dev/shm/slapd-TESTRELM-TEST

Another way to fix the labeling issue is to call the restorecon command before starting the ns-slapd service:

# restorecon -Rv /dev/shm/slapd-TESTRELM-TEST

The last 4 SELinux denials shown in comment#6 are related to the /dev/shm/slapd-TESTRELM-TEST directory, but all objects in that directory need to be labeled correctly as well. That's why the -R option is needed.

Comment 12 Milos Malik 2022-01-07 10:22:45 UTC

If I understand the function of the ipa-backup command correctly, it creates some kind of archive. And the ipa-restore command works with that archive.
Is it possible to list the content of the archive so that SELinux denials of all objects are displayed?
Thank you.

Comment 13 Florence Blanc-Renaud 2022-01-11 10:21:07 UTC

Moving to 389-ds component as agreed with tbordaz

Comment 14 Mohammad Rizwan 2022-01-12 07:11:47 UTC

[root@master ~]# ipa-backup 
Preparing backup on master.testrelm.test
Local roles match globally used roles, proceeding.
Stopping IPA services
Backing up ipaca in TESTRELM-TEST to LDIF
Backing up userRoot in TESTRELM-TEST to LDIF
Backing up TESTRELM-TEST
Backing up files
Starting IPA service
Backed up to /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18
The ipa-backup command was successful

[root@master ~]# ls /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18
header  ipa-full.tar

[root@master backp]# tar -xvf /var/lib/ipa/backup/ipa-full-2022-01-12-01-15-18/ipa-full.tar 
./
./TESTRELM-TEST-ipaca.ldif
[..]
./TESTRELM-TEST/dse_index.ldif
./files.tar

[root@master backp]# ls
files.tar  TESTRELM-TEST  TESTRELM-TEST-ipaca.ldif  TESTRELM-TEST-userRoot.ldif
[root@master backp]# 


[root@master backp]# ls -rZ */*
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/log.0000000004
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/dse_instance.ldif
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/dse_index.ldif
unconfined_u:object_r:admin_home_t:s0 TESTRELM-TEST/DBVERSION

TESTRELM-TEST/userRoot:
unconfined_u:object_r:admin_home_t:s0 userCertificate.db
unconfined_u:object_r:admin_home_t:s0 uniquemember.db
unconfined_u:object_r:admin_home_t:s0 uidnumber.db
unconfined_u:object_r:admin_home_t:s0 uid.db
unconfined_u:object_r:admin_home_t:s0 sourcehost.db
unconfined_u:object_r:admin_home_t:s0 sn.db
unconfined_u:object_r:admin_home_t:s0 serverhostname.db
unconfined_u:object_r:admin_home_t:s0 seealso.db
unconfined_u:object_r:admin_home_t:s0 secretary.db
unconfined_u:object_r:admin_home_t:s0 parentid.db
unconfined_u:object_r:admin_home_t:s0 owner.db
unconfined_u:object_r:admin_home_t:s0 ou.db
unconfined_u:object_r:admin_home_t:s0 objectclass.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db
unconfined_u:object_r:admin_home_t:s0 nscpEntryDN.db
unconfined_u:object_r:admin_home_t:s0 memberUser.db
unconfined_u:object_r:admin_home_t:s0 memberservice.db
unconfined_u:object_r:admin_home_t:s0 memberPrincipal.db
unconfined_u:object_r:admin_home_t:s0 memberOf.db
unconfined_u:object_r:admin_home_t:s0 memberManager.db
unconfined_u:object_r:admin_home_t:s0 memberHost.db
unconfined_u:object_r:admin_home_t:s0 memberdenycmd.db
unconfined_u:object_r:admin_home_t:s0 member.db
unconfined_u:object_r:admin_home_t:s0 memberallowcmd.db
unconfined_u:object_r:admin_home_t:s0 manager.db
unconfined_u:object_r:admin_home_t:s0 managedby.db
unconfined_u:object_r:admin_home_t:s0 mail.db
unconfined_u:object_r:admin_home_t:s0 macAddress.db
unconfined_u:object_r:admin_home_t:s0 krbPrincipalName.db
unconfined_u:object_r:admin_home_t:s0 krbPasswordExpiration.db
unconfined_u:object_r:admin_home_t:s0 krbCanonicalName.db
unconfined_u:object_r:admin_home_t:s0 ipauniqueid.db
unconfined_u:object_r:admin_home_t:s0 ipatokenradiusconfiglink.db
unconfined_u:object_r:admin_home_t:s0 ipasudorunasgroup.db
unconfined_u:object_r:admin_home_t:s0 ipasudorunas.db
unconfined_u:object_r:admin_home_t:s0 ipaOwner.db
unconfined_u:object_r:admin_home_t:s0 ipaNTSecurityIdentifier.db
unconfined_u:object_r:admin_home_t:s0 ipaMemberCertProfile.db
unconfined_u:object_r:admin_home_t:s0 ipaMemberCa.db
unconfined_u:object_r:admin_home_t:s0 ipalocation.db
unconfined_u:object_r:admin_home_t:s0 ipakrbprincipalalias.db
unconfined_u:object_r:admin_home_t:s0 ipaKrbAuthzData.db
unconfined_u:object_r:admin_home_t:s0 ipaEnabledFlag.db
unconfined_u:object_r:admin_home_t:s0 ipaConfigString.db
unconfined_u:object_r:admin_home_t:s0 ipaCASubjectDN.db
unconfined_u:object_r:admin_home_t:s0 ipaassignedidview.db
unconfined_u:object_r:admin_home_t:s0 ipaallowedtarget.db
unconfined_u:object_r:admin_home_t:s0 idnsName.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db
unconfined_u:object_r:admin_home_t:s0 hostCategory.db
unconfined_u:object_r:admin_home_t:s0 givenName.db
unconfined_u:object_r:admin_home_t:s0 gidnumber.db
unconfined_u:object_r:admin_home_t:s0 fqdn.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 displayname.db
unconfined_u:object_r:admin_home_t:s0 description.db
unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 automountMapName.db
unconfined_u:object_r:admin_home_t:s0 automountkey.db
unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 aci.db
unconfined_u:object_r:admin_home_t:s0 accessRuleType.db

TESTRELM-TEST/ipaca:
unconfined_u:object_r:admin_home_t:s0 vlv#capendingpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#capendingenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#caenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#cacompletepkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#cacompleteenrollmentpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#caallpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidorrevokedcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allvalidcertsnotafterpkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allnonrevokedcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 vlv#allcertspkitomcatindex.db
unconfined_u:object_r:admin_home_t:s0 uniquemember.db
unconfined_u:object_r:admin_home_t:s0 uid.db
unconfined_u:object_r:admin_home_t:s0 subjectname.db
unconfined_u:object_r:admin_home_t:s0 sn.db
unconfined_u:object_r:admin_home_t:s0 serialno.db
unconfined_u:object_r:admin_home_t:s0 seeAlso.db
unconfined_u:object_r:admin_home_t:s0 requesttype.db
unconfined_u:object_r:admin_home_t:s0 requeststate.db
unconfined_u:object_r:admin_home_t:s0 requestid.db
unconfined_u:object_r:admin_home_t:s0 publicKeyData.db
unconfined_u:object_r:admin_home_t:s0 parentid.db
unconfined_u:object_r:admin_home_t:s0 owner.db
unconfined_u:object_r:admin_home_t:s0 objectclass.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db
unconfined_u:object_r:admin_home_t:s0 notbefore.db
unconfined_u:object_r:admin_home_t:s0 notafter.db
unconfined_u:object_r:admin_home_t:s0 metaInfo.db
unconfined_u:object_r:admin_home_t:s0 member.db
unconfined_u:object_r:admin_home_t:s0 mail.db
unconfined_u:object_r:admin_home_t:s0 issuername.db
unconfined_u:object_r:admin_home_t:s0 issuedby.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db
unconfined_u:object_r:admin_home_t:s0 extension.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 duration.db
unconfined_u:object_r:admin_home_t:s0 description.db
unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 dateOfCreate.db
unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 certstatus.db
unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 acmeExpires.db
unconfined_u:object_r:admin_home_t:s0 aci.db

TESTRELM-TEST/changelog:
unconfined_u:object_r:admin_home_t:s0 targetuniqueid.db   unconfined_u:object_r:admin_home_t:s0 entryusn.db
unconfined_u:object_r:admin_home_t:s0 seeAlso.db          unconfined_u:object_r:admin_home_t:s0 entryrdn.db
unconfined_u:object_r:admin_home_t:s0 parentid.db         unconfined_u:object_r:admin_home_t:s0 DBVERSION
unconfined_u:object_r:admin_home_t:s0 objectclass.db      unconfined_u:object_r:admin_home_t:s0 cn.db
unconfined_u:object_r:admin_home_t:s0 numsubordinates.db  unconfined_u:object_r:admin_home_t:s0 changenumber.db
unconfined_u:object_r:admin_home_t:s0 nsuniqueid.db       unconfined_u:object_r:admin_home_t:s0 ancestorid.db
unconfined_u:object_r:admin_home_t:s0 id2entry.db         unconfined_u:object_r:admin_home_t:s0 aci.db
unconfined_u:object_r:admin_home_t:s0 entryUUID.db
[root@master backp]#

Comment 20 Mohammad Rizwan 2022-02-10 07:44:30 UTC

version:
389-ds-base-2.0.14-1.el9.x86_64
ipa-server-4.9.8-2.el9.x86_64

Automation passed, hence marking the bug verified.

https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL9.0/job/Nightly/job/tier-2-RHEL9.0-Nightly-upstream-backup-and-restore-testbackupandrestorewithdnssec/24/
https://ci-jenkins-csb-idmops.apps.ocp-c1.prod.psi.redhat.com/job/ipa-RHEL9.0/job/Nightly/job/tier-2-RHEL9.0-Nightly-upstream-backup-and-restore-testbackupandrestorewithreplica/18/

Comment 22 errata-xmlrpc 2022-05-17 12:31:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: 389-ds-base), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2327