https://bugzilla.redhat.com/show_bug.cgi?id=2088481
Bug ID: 2088481
Summary: selinux_child: Cannot begin SELinux transaction
Product: Fedora
Version: 34
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: rcritten(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
Some logins fail under load due to contention over the SELinux transaction lock
in libsemanage.
I'm trying to gather scalability information on IPA. The test revolves around
bringing up a number of client VMs, enrolling as IPA clients and running a
forking client that does a PAM transaction with the login service. Each client
has a set of unique users with non-expired passwords to authenticate with. No
pre-loading of the cache is done.
In this particular case I brought up 10 clients and ran the test tool to do 10
logins. All of these 100 logins happen more or less simultaneously (time is
synced). 30 of the authentications failed due to the transaction locking.
IPA should be able to handle 100 authentications without breaking a sweat and
the server-side logs don't show any issues but it may be somewhat load related.
If I re-run the test tool after the fact, even clearing the SSSD cache I can't
reproduce the transaction failure.
I wonder if a retry could be implemented.
The selinux_child log contains the following. It is consistent across all the
clients (log level 3):
(2022-05-19 13:42:01): [selinux_child[11668]] [libsemanage] (0x0020): Could not
get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400):
selinux_child started.
* (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x2000): Running
with effective IDs: [0][0].
* (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x2000): Running
with real IDs [0][0].
* (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400): context
initialized
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
seuser length: 12
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
seuser: unconfined_u
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
mls_range length: 14
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
mls_range: s0-s0:c0.c1023
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
username length: 23
* (2022-05-19 13:41:56): [selinux_child[11668]] [unpack_buffer] (0x2000):
username: user6client000.ipa.test
* (2022-05-19 13:41:56): [selinux_child[11668]] [main] (0x0400): performing
selinux operations
* (2022-05-19 13:41:56): [selinux_child[11668]] [seuser_needs_update]
(0x2000): sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
* (2022-05-19 13:41:56): [selinux_child[11668]] [sss_seuser_exists]
(0x0400): seuser exists: no
* (2022-05-19 13:41:56): [selinux_child[11668]] [seuser_needs_update]
(0x0400): The SELinux user does need an update
* (2022-05-19 13:42:01): [selinux_child[11668]] [libsemanage] (0x0020):
Could not get direct transaction lock at
/var/lib/selinux/targeted/semanage.trans.LOCK.
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2022-05-19 13:42:01): [selinux_child[11668]] [sss_set_seuser] (0x0020): Cannot
begin SELinux transaction
(2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): Cannot set
SELinux login context.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-05-19 13:42:01): [selinux_child[11668]] [sss_set_seuser] (0x0020):
Cannot begin SELinux transaction
* (2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): Cannot set
SELinux login context.
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2022-05-19 13:42:01): [selinux_child[11668]] [main] (0x0020): selinux_child
failed!
(2022-05-19 13:42:01): [selinux_child[11671]] [libsemanage] (0x0020): Could not
get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400):
selinux_child started.
* (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x2000): Running
with effective IDs: [0][0].
* (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x2000): Running
with real IDs [0][0].
* (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400): context
initialized
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
seuser length: 12
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
seuser: unconfined_u
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
mls_range length: 14
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
mls_range: s0-s0:c0.c1023
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
username length: 23
* (2022-05-19 13:41:56): [selinux_child[11671]] [unpack_buffer] (0x2000):
username: user1client000.ipa.test
* (2022-05-19 13:41:56): [selinux_child[11671]] [main] (0x0400): performing
selinux operations
* (2022-05-19 13:41:56): [selinux_child[11671]] [seuser_needs_update]
(0x2000): sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
* (2022-05-19 13:41:56): [selinux_child[11671]] [sss_seuser_exists]
(0x0400): seuser exists: no
* (2022-05-19 13:41:56): [selinux_child[11671]] [seuser_needs_update]
(0x0400): The SELinux user does need an update
* (2022-05-19 13:42:01): [selinux_child[11671]] [libsemanage] (0x0020):
Could not get direct transaction lock at
/var/lib/selinux/targeted/semanage.trans.LOCK.
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2022-05-19 13:42:01): [selinux_child[11671]] [sss_set_seuser] (0x0020): Cannot
begin SELinux transaction
(2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): Cannot set
SELinux login context.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-05-19 13:42:01): [selinux_child[11671]] [sss_set_seuser] (0x0020):
Cannot begin SELinux transaction
* (2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): Cannot set
SELinux login context.
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2022-05-19 13:42:01): [selinux_child[11671]] [main] (0x0020): selinux_child
failed!
Version-Release number of selected component (if applicable):
sssd-common-2.5.2-2.fc34
https://bugzilla.redhat.com/show_bug.cgi?id=2088481
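A triage sketch for the failure pattern in the report above, added here and not part of the bug report or of SSSD: it un-wraps a selinux_child log, groups entries by PID, and reports which users hit the libsemanage transaction-lock failure and how long each child waited. The sample log is constructed, and `lock_failures` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample in the selinux_child log layout quoted in the report,
# partly hard-wrapped as in the mail archive; PIDs and user names are made up.
SAMPLE_LOG = """\
(2022-05-19 13:42:01): [selinux_child[2001]] [libsemanage] (0x0020): Could not
get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2022-05-19 13:41:56): [selinux_child[2001]] [main] (0x0400):
selinux_child started.
   *  (2022-05-19 13:41:56): [selinux_child[2001]] [unpack_buffer] (0x2000):
username: alice.example.test
   *  (2022-05-19 13:42:01): [selinux_child[2001]] [libsemanage] (0x0020):
Could not get direct transaction lock at
/var/lib/selinux/targeted/semanage.trans.LOCK.
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2022-05-19 13:41:56): [selinux_child[2002]] [main] (0x0400): selinux_child started.
(2022-05-19 13:41:56): [selinux_child[2002]] [unpack_buffer] (0x2000): username: bob.example.test
(2022-05-19 13:42:01): [selinux_child[2002]] [libsemanage] (0x0020): Could not get direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK.
(2022-05-19 13:41:56): [selinux_child[2003]] [main] (0x0400): selinux_child started.
(2022-05-19 13:41:56): [selinux_child[2003]] [unpack_buffer] (0x2000): username: carol.example.test
"""

ENTRY = re.compile(r"\((\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\): "
                   r"\[selinux_child\[(\d+)\]\] \[(\w+)\] \(0x[0-9a-f]{4}\): ")

def lock_failures(log_text):
    """Map pid -> (username, seconds from child start to lock failure)."""
    flat = " ".join(log_text.split())      # undo the hard line wrapping
    marks = list(ENTRY.finditer(flat))
    procs = {}
    for m, nxt in zip(marks, marks[1:] + [None]):
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = flat[m.end():nxt.start() if nxt else len(flat)]
        p = procs.setdefault(int(m.group(2)), {})
        if msg.startswith("selinux_child started"):
            p["start"] = when
        elif msg.startswith("username: "):
            p["user"] = msg.split()[1]
        elif m.group(3) == "libsemanage" and "transaction lock" in msg:
            p["fail"] = when                # backtrace repeats are idempotent
    out = {}
    for pid, p in procs.items():
        if "fail" in p:                     # only children that lost the lock
            wait = (p["fail"] - p["start"]).total_seconds() if "start" in p else None
            out[pid] = (p.get("user"), wait)
    return out

if __name__ == "__main__":
    for pid, (user, wait) in sorted(lock_failures(SAMPLE_LOG).items()):
        print(f"pid={pid} user={user} waited={wait}s before lock failure")
```

Because the backtrace dump repeats earlier entries after the triggering message, the parser collects all entries per PID before computing the wait, rather than relying on file order.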
https://bugzilla.redhat.com/show_bug.cgi?id=1965818
Bug ID: 1965818
Summary: sssd - failing on "dotted" languages (Example Turkish
language)
Product: Fedora
Version: 34
Hardware: x86_64
OS: Linux
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: thunderbirdtr(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
Hello,
The SSSD service isn't starting if we use a dotted language on our system. For
example, adding "LANG=tr_TR" to "/etc/sysconfig/sssd" makes sssd fail on
start. If anyone installs Fedora with "Turkish" or another dotted language on
their PC/laptop, that makes sssd fail on start.
After I did a little bit of research, I noticed this issue has been addressed
multiple times around RHEL[0], samba[1] and GitHub[2] as well. So for that
reason, can we at least add an "english" locale setting into the rpm spec with
a "language" check, as the workaround that has been suggested in the GitHub
link? That at least gives us a "working" package in a dotted language, and if
anyone wants to change the setting, they can change it. At least for normal
users, we can have a working sssd service that does not complain about failures
all the time. I know this isn't the cleanest solution (the proper solution is
patching the libldb package which is causing this issue), but at least we can
have a "quick&dirty" solution to avoid this on new installs.
Thank you.
[0] : https://bugzilla.redhat.com/show_bug.cgi?id=1743531
[1] : https://lists.samba.org/archive/samba-technical/2019-December/134659.html
[2] : https://github.com/SSSD/sssd/issues/5285
Version-Release number of selected component (if applicable):
sssd-2.5.0-2.fc34.x86_64
libldb-2.3.0-2.fc34.x86_64
How reproducible:
Steps to Reproduce:
1. Install Fedora or change the language to a dotted one, or change the "LANG"
env to a dotted language
2. reset sssd counter
3. start sssd
Actual results:
sssd fails
Expected results:
sssd should start clean in default config.
Additional info:
SSSD Systemctl errors
systemd[1]: Starting System Security Services Daemon...
sssd[760632]: Starting up
systemd[1]: sssd.service: Main process exited,
code=exited, status=4/NOPERMISSION
systemd[1]: sssd.service: Failed with result
'exit-code'.
systemd[1]: Failed to start System Security Services
Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd[1]: sssd.service: Scheduled restart job,
restart counter is at 1.
systemd[1]: Stopped System Security Services Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: Starting System Security Services Daemon...
sssd[760633]: Starting up
systemd[1]: sssd.service: Main process exited,
code=exited, status=4/NOPERMISSION
systemd[1]: sssd.service: Failed with result
'exit-code'.
systemd[1]: Failed to start System Security Services
Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd[1]: sssd.service: Scheduled restart job,
restart counter is at 2.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: Stopped System Security Services Daemon.
systemd[1]: Starting System Security Services Daemon...
sssd[760636]: Starting up
systemd[1]: sssd.service: Main process exited,
code=exited, status=4/NOPERMISSION
systemd[1]: sssd.service: Failed with result
'exit-code'.
systemd[1]: Failed to start System Security Services
Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd[1]: sssd.service: Scheduled restart job,
restart counter is at 3.
systemd[1]: Stopped System Security Services Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: Starting System Security Services Daemon...
sssd[760637]: Starting up
systemd[1]: sssd.service: Main process exited,
code=exited, status=4/NOPERMISSION
systemd[1]: sssd.service: Failed with result
'exit-code'.
systemd[1]: Failed to start System Security Services
Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
systemd[1]: sssd.service: Scheduled restart job,
restart counter is at 4.
systemd[1]: Stopped System Security Services Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[1]: Starting System Security Services Daemon...
sssd[760639]: Starting up
systemd[1]: sssd.service: Main process exited,
code=exited, status=4/NOPERMISSION
systemd[1]: sssd.service: Failed with result
'exit-code'.
systemd[1]: Failed to start System Security Services
Daemon.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
-----------
/var/log/sssd/sssd.log (last error with LANG setting is tr_TR (LANG=tr_TR) )
-----------
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2021-05-30 15:46:52): [sssd] [check_file] (0x0400): lstat for
[/run/sssd.pid] failed: [2][No such file or directory].
* (2021-05-30 15:46:52): [sssd] [check_file] (0x0400): lstat for
[/var/run/nscd/socket] failed: [2][No such file or directory].
* (2021-05-30 15:46:52): [sssd] [ldb] (0x0400): server_sort:Unable to
register control with rootdse!
* (2021-05-30 15:46:52): [sssd] [sss_ini_open] (0x0400): No
/etc/sssd/sssd.conf.
* (2021-05-30 15:46:52): [sssd] [sss_ini_read_sssd_conf] (0x0100): File
/etc/sssd/sssd.conf does not exist.
* (2021-05-30 15:46:52): [sssd] [confdb_ldif_from_ini_file] (0x0100): Value
of config_file_version option not found. Assumed to be version 2.
* (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x0400):
Processing config section [sssd]
* (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x0400):
Processing attribute [services]
* (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x4000):
services:
nss
* (2021-05-30 15:46:52): [sssd] [sss_confdb_create_ldif] (0x4000): Section
dn
dn: cn=sssd,cn=config
cn: sssd
services: nss
* (2021-05-30 15:46:52): [sssd] [confdb_init_db] (0x0100): LDIF file to
import:
dn: cn=config
version: 2
dn: cn=sssd,cn=config
cn: sssd
services: nss
* (2021-05-30 15:46:52): [sssd] [add_implicit_services] (0x0040): No
domains
configured!
* (2021-05-30 15:46:52): [sssd] [get_monitor_config] (0x0040): Failed to
add
implicit configured services. Some functionality might be missing
* (2021-05-30 15:46:53): [sssd] [confdb_expand_app_domains] (0x2000):
implicit_files is not an app domain
* (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x0400): No
enumeration for [implicit_files]!
* (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x0400):
Please note that when enumeration is disabled `getent passwd` does not return
all users by design. See sssd.conf man page for more detailed information
* (2021-05-30 15:46:53): [sssd] [confdb_get_domain_internal] (0x1000):
pwd_expiration_warning is -1
* (2021-05-30 15:46:53): [sssd] [server_setup] (0x0080): Failed setting
process group: Operation not permitted[1]. We might leak processes in case of
failure
* (2021-05-30 15:46:53): [sssd] [become_user] (0x0200): Trying to become
user [0][0].
* (2021-05-30 15:46:53): [sssd] [become_user] (0x0200): Already user [0].
* (2021-05-30 15:46:53): [sssd] [ldb] (0x0400): server_sort:Unable to
register control with rootdse!
* (2021-05-30 15:46:53): [sssd] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
* (2021-05-30 15:46:53): [sssd] [confdb_get_enabled_domain_list] (0x0040):
Failed to get [domains] from [sssd], error [2] (Böyle bir dosya ya da dizin
yok)
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2021-05-30 15:46:53): [sssd] [main] (0x0010): No domains configured.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2021-05-30 15:46:53): [sssd] [confdb_get_domains] (0x0080): No domains
configured, fatal error!
* (2021-05-30 15:46:53): [sssd] [main] (0x0010): No domains configured.
********************** BACKTRACE DUMP ENDS HERE
*********************************
https://bugzilla.redhat.com/show_bug.cgi?id=2077856
Bug ID: 2077856
Summary: package sssd-idp-2.7.0-1.fc35.x86_64 requires
sssd-common = 2.7.0-1.fc35, but none of the providers
can be installed
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: kparal(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
When trying to upgrade from F35 to F36:
Error:
Problem: package sssd-idp-2.7.0-1.fc35.x86_64 requires sssd-common =
2.7.0-1.fc35, but none of the providers can be installed
- sssd-common-2.7.0-1.fc35.x86_64 does not belong to a distupgrade repository
- problem with installed package sssd-idp-2.7.0-1.fc35.x86_64
I believe that is resolved by pushing this update stable:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-cdc3365ffc
Requesting for a Freeze Exception.