Bug 1464115
| Field | Value |
|---|---|
| Summary | ipa-dnskeysyncd AVCs during openqa freeipa tests |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 26 |
| Hardware | ppc64le |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Menanteau Guy <menantea> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | abokovoy, dan, dominick.grift, dwalsh, hannsj_uhl, ipa-maint, jcholast, jhrozek, lsm5, lvrabec, mbasti, menantea, mgrepl, normand, plautrba, pmoore, pvoborni, rcritten, slaznick, ssekidde, ssorce, tkrizek |
| Keywords | Reopened |
| Target Milestone | --- |
| Target Release | --- |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-260.14.fc26 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-11-15 20:11:27 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1071880, 1430830 |
| Attachments | |
Description
Menanteau Guy
2017-06-22 12:57:00 UTC
Created attachment 1290704 [details]: summary of audit log

Created attachment 1290705 [details]: audit log line analysed through sealert
Hello, ipa-dnskeysyncd is unrelated to kinit; please provide more information about the failing kinit in a separate BZ (try KRB5_TRACE=/dev/stderr kinit) when the issue occurs. Changing component to SELinux as this BZ is related only to AVCs. Thank you.

I ran tests with enforcing enabled and got the problem again. Kerberos traces are as follows:

    KRB5_TRACE=/dev/stderr kinit admin
    [9981] 14982122358.540844: Getting initial credentials for admin
    [9981] 14982122358.542648: Sending request (173 bytes) to DOMAIN.LOCAL
    [9981] 14982122358.542910: Initiating TCP connection to stream 10.0.2.100:88
    [9981] 14982122358.543224: Sending TCP request to stream 10.0.2.100:88
    [9981] 14982122368.553502: Sending initial UDP request to dgram 10.0.2.100:88
    [9981] 14982122371.556012: Sending retry UDP request to dgram 10.0.2.100:88
    [9981] 14982122376.559790: Sending retry UDP request to dgram 10.0.2.100:88
    [9981] 14982122385.566022: Terminating TCP connection to stream 10.0.2.100:88
    kinit: Cannot contact any KDC for realm 'DOMAIN.LOCAL' while getting initial credentials

Note that this kinit runs on the server itself, meaning that the TCP and UDP connections are attempted to the machine itself (IP address 10.0.2.100), but there is no answer...

Do you have any KDC errors on the server?

    less /var/log/krb5kdc.log
    journalctl -u krb5kdc
    systemctl status krb5kdc

Created attachment 1291985 [details]: krb5kdc log when the kinit problem occurs

    journalctl -u krb5kdc
    -- Logs begin at Sun 2017-06-25 14:22:00 EDT, end at Mon 2017-06-26 09:31:44 EDT. --
    Jun 26 09:25:16 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC...
    Jun 26 09:25:16 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after start: No such file or directory
    Jun 26 09:25:16 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopping Kerberos 5 KDC...
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopped Kerberos 5 KDC.
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC...
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after start: No such file or directory
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.

    systemctl status krb5kdc
    krb5kdc.service - Kerberos 5 KDC
       Loaded: loaded (/usr/lib/systemd/krb5kdc.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2017-06-26 09:27:35 EDT; 2min 44s ago
     Main PID: 9142 (krb5kdc)
        Tasks: 1 (limit: 4915)
       CGroup: /system.slice/krb5kdc.service
               9142 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Stopped Kerberos 5 KDC.
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Starting Kerberos 5 KDC.
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: krb5kdc.service: PID file /var/run/krb5kdc.pid not readable (yet?) after...rectory
    Jun 26 09:27:35 ipa001.domain.local systemd[1]: Started Kerberos 5 KDC.

I don't see explicit traces pointing to a problem for krb5kdc. The traces about krb5kdc.pid not being readable are still there when the problem does not occur ("enforcing" disabled).

Menanteau, you mean SELinux is in permissive mode? Attach the output of:

    # sestatus

Thanks, Lukas.

Yes, as I said in the description of the bug, I never had the problem when I ran "setenforce 0" before running ipa or kerberos commands.

Moving to FreeIPA. This issue is not related to SELinux. It consists of two bugs:

1) This is SELinux:

    type=AVC msg=audit(1497726952.793:735): avc: denied { execute_no_trans } for pid=9992 comm="ipa-dnskeysyncd" path="/usr/libexec/ipa/ipa-dnskeysync-replica" dev="dm-0" ino=5833743 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:ipa_dnskey_exec_t:s0 tclass=file permissive=0

2) The kinit issues are not SELinux.

Hum, perhaps I didn't try enough, but so far I didn't see the kinit problem when SELinux is disabled. I will run a longer series of tests with SELinux disabled to see if kinit fails sometimes.

Comment 13 shows it is actually a SELinux issue.

No more failure with last compose 20170903.

(In reply to Michel Normand from comment #15)
> No more failure with last compose 20170903.

Oops, I closed the wrong bug, sorry, I re-open it.

selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e

selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment to clear the needinfo flag.
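An added example, not part of this bug report or of the selinux-policy or FreeIPA projects, showing how a policy maintainer would triage AVC records like the one quoted in the thread. The first sample line is the `execute_no_trans` denial from the bug; the second line is constructed for illustration only (a made-up `{ read open }` denial against `krb5_conf_t`, which is a real type but is not a denial reported here) so that the grouping logic has two distinct rules to emit. The script extracts source/target types, flags `execute_no_trans` denials on `*_exec_t` files (the policy defines an entry-point type for the binary but gives the caller neither `can_exec()` nor a domain transition), and prints the audit2allow-style rules that would satisfy the denials, which are a starting point for review rather than a fix to apply blindly.

```python
"""Parse SELinux AVC denials from audit.log text and turn them into the
audit2allow-style allow rules a policy maintainer would then review."""
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC quoted in bug 1464115;
# line 2 is invented for this example and is not from the bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1497726952.793:735): avc:  denied  { execute_no_trans } for  pid=9992 comm="ipa-dnskeysyncd" path="/usr/libexec/ipa/ipa-dnskeysync-replica" dev="dm-0" ino=5833743 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:ipa_dnskey_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1497726952.800:736): avc:  denied  { read open } for  pid=9992 comm="ipa-dnskeysyncd" path="/etc/krb5.conf" dev="dm-0" ino=1 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either "quoted strings" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the denial was actually enforced
        "enforced": fields.get("permissive") == "0",
    }


def parse_audit(text):
    """Return every denied AVC record found in a chunk of audit.log text."""
    recs = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            recs.append(rec)
    return recs


def is_missing_transition(rec):
    """True when a domain was refused execute_no_trans on an *_exec_t file:
    the policy labels the binary as an entry point but gives the calling
    domain neither can_exec() nor a domain transition to run it."""
    return ("execute_no_trans" in rec["perms"]
            and rec["tclass"] == "file"
            and rec["target_type"].endswith("_exec_t"))


def suggest_allow_rules(recs):
    """Collapse denials into the allow rules audit2allow would print,
    one per (source type, target type, class), permissions sorted."""
    wanted = defaultdict(set)
    for rec in recs:
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        wanted[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for rec in records:
        flag = "  <- no can_exec()/domain transition in policy" if is_missing_transition(rec) else ""
        print(f"{rec['comm']} ({rec['source_type']}) denied {rec['perms']} "
              f"on {rec['path']} [{rec['target_type']}]{flag}")
    print("\n".join(suggest_allow_rules(records)))
```

Before adding any such rule, check whether the installed policy already grants it, which is also the quickest way to confirm that an updated package such as the `selinux-policy-3.13.1-260.14.fc26` named in this bug changed anything: `sesearch -A -s ipa_dnskey_t -t ipa_dnskey_exec_t -c file -p execute_no_trans` (setools) prints the matching allow rule if one exists and nothing otherwise. Whether the right fix is `can_exec()` in the same domain or a proper domain transition for `ipa-dnskeysync-replica` is a policy design decision, which is why the generated rules are printed for review rather than loaded.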