In Fedora 32, OpenDNSSEC was updated from 1.4 to 2.1. In Pagure ticket #8214 the majority of issues were solved. There are still some problems left when FreeIPA with DNSSEC is installed in SELinux enforcing mode. FreeIPA's test suite runs in permissive mode.
RHBZ #1825812 and OpenDNSSEC update 2.1.6-5.fc32 fixed AVC avc: denied { dac_override } for comm="ods-enforcerd by running ods-enforcer as user ods:ods instead of root:root.
ipa-dns-install --dnssec-master --no-dnssec-validation --auto-reverse --auto-forwarders -U
ipa-dnskeysyncd is no longer able to access the enforcer.sock.
Apr 21 02:56:52 host-10-0-137-156.ipa.example ipa-dnskeysyncd[28721]: ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/sbin/ods-enforcer', 'zonelist', 'export'] returned non-zero exit status 201: 'Unable to connect to engine. connect() failed: Permission denied ("/var/run/opendnssec/enforcer.sock")\n')
time->Tue Apr 21 02:57:28 2020
type=AVC msg=audit(1587452248.373:2433): avc: denied { write } for pid=28759 comm="ods-enforcer" name="enforcer.sock" dev="tmpfs" ino=157861 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=1
----
time->Tue Apr 21 02:57:28 2020
type=AVC msg=audit(1587452248.373:2434): avc: denied { connectto } for pid=28759 comm="ods-enforcer" path="/run/opendnssec/enforcer.sock" scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=unix_stream_socket permissive=1
no error
freeipa-server-4.8.6-1.fc32.x86_64 opendnssec-2.1.6-5.fc32.x86_64
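The two AVC records above are enough to derive the policy that is missing. As an added example (not code from the ticket or from FreeIPA/OpenDNSSEC), the following parser reads ausearch-style AVC lines, collapses them into audit2allow-style `allow` rules keyed on source type, target type and object class, and reports whether the denials were only logged under permissive mode, which is why the FreeIPA test suite does not catch them. The sample log is constructed from the records in this ticket; `audit2allow -M` remains the tool to produce a loadable module.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two AVC records from this ticket, as ausearch prints them.
AVC_LOG = """\
type=AVC msg=audit(1587452248.373:2433): avc: denied { write } for pid=28759 comm="ods-enforcer" name="enforcer.sock" dev="tmpfs" ino=157861 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:opendnssec_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1587452248.373:2434): avc: denied { connectto } for pid=28759 comm="ods-enforcer" path="/run/opendnssec/enforcer.sock" scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:system_r:opendnssec_t:s0 tclass=unix_stream_socket permissive=1
"""

# Fields we need from an AVC record: permission set, both contexts, object class,
# and the optional permissive flag (1 = denial logged but the access was allowed).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line: str) -> Optional[dict]:
    """Return the relevant fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type[:range] -> type
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def allow_rules(log: str) -> List[str]:
    """Merge denials into one allow rule per (source, target, class), sorted."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source"], rec["target"], rec["tclass"])
            merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        perm_str = body if len(perms) == 1 else "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def only_seen_in_permissive(log: str) -> bool:
    """True if every denial carried permissive=1, i.e. enforcing mode would break it."""
    recs = [r for r in map(parse_avc, log.splitlines()) if r is not None]
    return bool(recs) and all(r["permissive"] for r in recs)
```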
Metadata Update from @cheimes: - Issue assigned to cheimes
master:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)