[Freeipa-users] certmonger selinux issue and freeipa dns database error problem

Rob Crittenden rcritten at redhat.com
Mon Nov 8 21:52:13 UTC 2010


Uzor Ide wrote:
>
>   We have a network that relies on kerberos, 389-ds, bind and nfs4. I am
> currently testing out the freeipa version 2 to see if we can use it to
> consolidate the various configuration into one interface. For the most
> part it works great apart from the obvious area where it has not been
> completed. However, there are some things that I have noticed.

Hey, sorry, we didn't forget about you. Ticket 
https://fedorahosted.org/freeipa/ticket/409 was opened for your DNS problem.

Do you get this query error frequently? Do you know what triggers it? I 
haven't been able to reproduce it myself yet. I wonder if this happens 
when logs roll.

For the certmonger problem, this looks like a new one to me; I'll file a bug.

regards

rob

> 1.) The DNS logging always logs a database error every time it accesses the
> LDAP, even though the query returns okay and the DNS reply is fine.
>
> here is an excerpt of the log  named.run
>
> 24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving
> 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised
> EDNS UDP packet size to 512 octets
> 24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,
> idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:34:41.140 database: error: querying
> 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:34:41.143 database: error: entry count: 1
> 24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,
> idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,
> idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.583 database: error: querying
> 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
> 24-Oct-2010 10:39:43.586 database: error: entry count: 1
> 24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,
> idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
>
>   here is our logging configuration
>
> // *******************
> // Logging definitions
> // *******************
>
> // Logging
> logging {
>     channel "named_log" {
>         file "data/log/named.run" versions 5 size 4m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "security_log" {
>         file "data/log/security.log" versions 5 size 10m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "query_log" {
>         file "data/log/query.log" versions 5 size 50m;
>         #severity dynamic;
>         severity debug;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>
>     channel "transfer_log" {
>         file "data/log/transfer.log" versions 5 size 10m;
>         severity dynamic;
>         print-category yes;
>         print-severity yes;
>     };
>
>     category "default" {
>         "named_log";
>         "default_syslog";
>         "default_debug";
>     };
>
>     category "general" {
>         "named_log";
>     };
>
>     category "queries" {
>         "query_log";
>     };
>
>     category "lame-servers" {
>         null;
>     };
>
>     category "security" {
>         "security_log";
>     };
>
>     category "config" {
>         "named_log";
>     };
>
>     category "resolver" {
>         "query_log";
>     };
>
>     category "xfer-in" {
>         "transfer_log";
>     };
>
>     category "xfer-out" {
>         "transfer_log";
>     };
>
>     category "notify" {
>         "transfer_log";
>     };
>
>     category "client" {
>         "query_log";
>     };
>
>     category "network" {
>         "named_log";
>     };
>
>     category "update" {
>         "transfer_log";
>     };
>
>     category "dnssec" {
>         "security_log";
>     };
>
>     category "dispatch" {
>         "security_log";
>     };
> };
>
> This error message keeps triggering our monitoring systems.
>
> 2.) I currently have only one ipa-client, and certmonger keeps getting
> SELinux AVC denials:
>
> Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing
> /usr/sbin/certmonger "execute" access on
> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
> Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing
> /usr/sbin/certmonger "execute" access on
> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
> Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing
> /usr/sbin/certmonger "execute" access on
> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
> Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing
> /usr/sbin/certmonger "execute" access on
> /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run
> sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
>
>
> Summary:
>
> SELinux is preventing /usr/sbin/certmonger "execute" access on
> /usr/libexec/certmonger/ipa-submit.
>
> Detailed Description:
>
> SELinux denied access requested by certmonger. It is not expected that this
> access is required by certmonger and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
> report.
>
> Additional Information:
>
> Source Context                system_u:system_r:certmonger_t:s0
> Target Context                system_u:object_r:bin_t:s0
> Target Objects                /usr/libexec/certmonger/ipa-submit [ file ]
> Source                        certmonger
> Source Path                   /usr/sbin/certmonger
> Port <Unknown>
> Host                          ulasi.uzdomain.ca
> Source RPM Packages           certmonger-0.32-0.2010101515git5920eca.fc13
> Target RPM Packages           certmonger-0.32-0.2010101515git5920eca.fc13
> Policy RPM                    selinux-policy-3.7.19-65.fc13
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     ulasi.uzdomain.ca
> Platform                      Linux ulasi.uzdomain.ca 2.6.34.7-61.fc13.i686.PAE
>                               #1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686
> Alert Count                   1646
> First Seen                    Sat Oct 23 15:48:48 2010
> Last Seen                     Sun Oct 24 10:59:52 2010
> Local ID                      8db766a3-6100-4be5-aec6-2a3a713290e2
> Line Numbers
>
> Raw Audit Messages
>
> node=ulasi.uzdomain.ca type=AVC
> msg=audit(1287932392.282:21690): avc:  denied  { execute } for  pid=3472
> comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> node=ulasi.uzdomain.ca type=SYSCALL
> msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no
> exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555
> pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="certmonger"
> exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
>
> I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ];
> because of the problem I updated to the nightly build
> certmonger-0.32-0.2010101515git5920eca.fc13, but the problem continues.
>
> These are the SELinux RPMs:
> selinux-policy-targeted-3.7.19-65.fc13.noarch
> selinux-policy-3.7.19-65.fc13.noarch
> libselinux-python-2.0.94-2.fc13.i686
> libselinux-utils-2.0.94-2.fc13.i686
>
> Thanks
>
> Ide
>
>
>
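The "database: error" noise Ide describes is a monitoring problem as much as a logging one: every LDAP lookup the BIND LDAP backend makes is logged at error severity, so a naive "alert on error" rule fires on every successful query. The following script is an added example (not code from this thread, from FreeIPA or from BIND) that parses named.run lines in the layout produced by the logging channel quoted above (print-time, print-category and print-severity on) and separates the two message shapes shown in the excerpt ("querying '<dn>' with '<filter>'" and "entry count: N"), which the thread reports appear on lookups that succeed, from any other error-level message. The sample log is constructed from the excerpt with the wrapped lines re-joined; the final "LDAP connection failed" line is a constructed message, not verbatim output, added only to show what still alerts.

```python
"""Classify bind-dyndb-ldap 'database:' messages in named.run.

Added example, not code from the thread, FreeIPA or BIND.  Assumes the
poster's channel layout: "<time> <category>: <severity>: <message>".
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$"
)
# The two progress messages the thread shows at error severity on good lookups
QUERY_RE = re.compile(r"^querying '(?P<dn>[^']*)' with '(?P<filter>[^']*)'$")
COUNT_RE = re.compile(r"^entry count: (?P<n>\d+)$")

# Constructed sample: the thread's excerpt with wrapped lines re-joined, plus
# one constructed line (NOT a verbatim bind-dyndb-ldap message) that should
# still raise an alert.
SAMPLE_LOG = """\
24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.143 database: error: entry count: 1
24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:40:00.000 database: error: constructed sample: LDAP connection failed
"""


def parse_line(line):
    """Split one named.run line into fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY_RE.match(rec["msg"])
    c = COUNT_RE.match(rec["msg"])
    if q:
        rec["kind"] = "query"
        # Normalise "a, b" and "a,b" so the same DN is counted once
        rec["dn"] = q.group("dn").replace(", ", ",")
        rec["filter"] = q.group("filter")
    elif c:
        rec["kind"] = "entry_count"
        rec["entries"] = int(c.group("n"))
    else:
        rec["kind"] = "other"
    return rec


def classify(rec):
    """'noise' for the two progress shapes in the database category,
    'alert' for any other error/critical message, 'info' below that."""
    if rec["severity"] not in ("error", "critical"):
        return "info"
    if rec["category"] == "database" and rec["kind"] in ("query", "entry_count"):
        return "noise"
    return "alert"


def summarize(text):
    """Count lines per class, count LDAP queries per DN, collect alert lines."""
    summary = {"noise": 0, "alert": 0, "info": 0,
               "queries": Counter(), "alerts": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify(rec)
        summary[cls] += 1
        if rec["kind"] == "query":
            summary["queries"][rec["dn"]] += 1
        if cls == "alert":
            summary["alerts"].append(line)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("noise=%d alert=%d info=%d" % (s["noise"], s["alert"], s["info"]))
    for dn, n in s["queries"].most_common():
        print("%3d  %s" % (n, dn))
    for line in s["alerts"]:
        print("ALERT: " + line)
```

The suppression is deliberately narrow: only the two message shapes seen in the thread are downgraded, so a genuinely failing LDAP backend that logs anything else at error severity still reaches the monitoring system. The per-DN counter is also a cheap way to see which names are being looked up in LDAP most often, which helps when checking Rob's question about what triggers the messages.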
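The raw audit messages in the certmonger report carry everything needed to triage the denial without sealert: the AVC record names the source and target types and the denied permission, and the SYSCALL record with the same audit serial says which syscall failed and how. The script below is an added example, not code from the thread, certmonger or the SELinux tools; it parses the two records quoted above (copied into a constructed string with the archive's link residue removed), correlates them by serial, decodes the architecture/syscall pair and the exit value, and prints the single type-enforcement rule that `audit2allow` would derive from the AVC. The arch values come from the kernel's audit headers (AUDIT_ARCH_I386 = 0x40000003, AUDIT_ARCH_X86_64 = 0xc000003e); the errno names come from the host's `errno` module.

```python
"""Triage an SELinux AVC denial from raw audit records.

Added example, not code from the thread, certmonger or the SELinux
tooling.  Sample records are the thread's two audit lines, constructed
into one string here.
"""
import errno
import re
from collections import defaultdict

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")

# Minimal arch -> (name, syscall table); values from the kernel audit headers.
SYSCALLS = {
    0x40000003: ("i386", {11: "execve"}),
    0xC000003E: ("x86_64", {59: "execve"}),
}

# Constructed from the thread's raw audit messages (archive residue removed).
RAW_AUDIT = """\
node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc:  denied  { execute } for  pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
"""


def parse_record(line):
    """Turn one audit line into {serial, ts, fields[, verdict, perms]}."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {"serial": int(m.group("serial")), "ts": float(m.group("ts")),
           "fields": fields}
    avc = AVC_RE.search(line)
    if avc:
        rec["verdict"] = avc.group("verdict")
        rec["perms"] = avc.group("perms").split()
    return rec


def group_by_serial(text):
    """Correlate AVC and SYSCALL records that share an audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def triage(records):
    """Summarise one event: who was denied what, on which syscall, and the
    type-enforcement rule audit2allow would emit for the AVC alone."""
    avc = next(r for r in records if r["fields"].get("type") == "AVC")
    sc = next((r for r in records if r["fields"].get("type") == "SYSCALL"), None)
    f = avc["fields"]
    out = {
        "verdict": avc["verdict"], "perms": avc["perms"], "tclass": f["tclass"],
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "comm": f.get("comm"), "name": f.get("name"),
    }
    if sc is not None:
        sf = sc["fields"]
        arch_name, table = SYSCALLS.get(int(sf["arch"], 16), ("unknown", {}))
        out["arch"] = arch_name
        out["syscall"] = table.get(int(sf["syscall"]), sf["syscall"])
        code = -int(sf["exit"])              # exit=-13 -> EACCES
        out["errno"] = errno.errorcode.get(code, str(code))
        out["exe"] = sf.get("exe")
    out["te_rule"] = "allow %s %s:%s { %s };" % (
        out["source_type"], out["target_type"], out["tclass"], " ".join(out["perms"]))
    return out


if __name__ == "__main__":
    for serial, recs in sorted(group_by_serial(RAW_AUDIT).items()):
        t = triage(recs)
        print("audit %d: %s %s by %s (%s) on %s via %s/%s -> %s" % (
            serial, t["verdict"], " ".join(t["perms"]), t["comm"], t["source_type"],
            t["name"], t["arch"], t["syscall"], t["errno"]))
        print("  " + t["te_rule"])
```

For the event in the thread this reports an i386 `execve` of `ipa-submit` refused with EACCES, and the rule `allow certmonger_t bin_t:file { execute };`. That is the "local policy module" route the sealert text describes (`audit2allow -M` followed by `semodule -i`), but note how broad it is: it lets `certmonger_t` execute every file labelled `bin_t`, not just the one helper, which is why the bug report Rob mentions, so that the helper gets a proper label or transition in the shipped policy, is the preferable fix.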



