"SSSD binaries missing capabilities" like in Bazzite issue #1818 #2028

Open
ABotelho23 opened this issue Dec 8, 2024 · 13 comments
Labels
bug Something isn't working

Comments

@ABotelho23
Contributor

ABotelho23 commented Dec 8, 2024

Describe the bug

Bluefin appears to still have the following issue which presented on Bazzite a few weeks ago: ublue-os/bazzite#1818

What did you expect to happen?

Successful FreeIPA client initialization.

Output of bootc status

❯ bootc status
No staged image present
Current booted image: ghcr.io/ublue-os/bluefin-dx:latest
    Image version: latest-41.20241208.5 (2024-12-08 18:05:42 UTC)
    Image digest: sha256:d551f46eb78b33fc931afc774480f88bdd0f71b498b061e2e7bd0b0c38b57a93
Current rollback image: ghcr.io/ublue-os/bluefin-dx:latest
    Image version: latest-41.20241208 (2024-12-08 01:04:54 UTC)
    Image digest: sha256:af3bd2326be1e0b62c293faf9db2f8d24e5c621a3633fad6d18cc8bb94c93403

Output of groups

❯ groups
root

Extra information or context

❯ ipa-client-install --mkhomedir --force-join --domain example.com
This program will set up IPA client.
Version 4.12.2

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 
Enter a NTP source pool address, or press Enter to skip: pool.ntp.org
Client hostname: alexlaptop.ipa.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: ipa.example.com
IPA Server: dc1.ipa.example.com
BaseDN: dc=ipa,dc=example,dc=com
NTP pool: pool.ntp.org

Continue to configure the system with these values? [no]: yes
[Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/sysrestore.state'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

I then created /var/lib/ipa-client/sysrestore/sysrestore.state (which should be automatic), but still:

❯ ipa-client-install --mkhomedir --force-join --domain ipa.example.com
This program will set up IPA client.
Version 4.12.2

Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 
Enter a NTP source pool address, or press Enter to skip: pool.ntp.org
Client hostname: alexlaptop.ipa.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: ipa.example.com
IPA Server: dc3.ipa.example.com
BaseDN: dc=ipa,dc=example,dc=com
NTP pool: pool.ntp.org

Continue to configure the system with these values? [no]: yes
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for [email protected]: 
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Failed to start certmonger: CalledProcessError(Command ['/bin/systemctl', 'start', 'certmonger.service'] returned non-zero exit status 1: 'Job for certmonger.service failed because the control process exited with error code.\nSee "systemctl status certmonger.service" and "journalctl -xeu certmonger.service" for details.\n')
CalledProcessError(Command ['/bin/systemctl', 'start', 'certmonger.service'] returned non-zero exit status 1: 'Job for certmonger.service failed because the control process exited with error code.\nSee "systemctl status certmonger.service" and "journalctl -xeu certmonger.service" for details.\n')
Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
dosubot bot added the "bug" label Dec 8, 2024
@ABotelho23
Contributor Author

@karypid was still having problems too last time they checked into the Bazzite issue.

@castrojo
Member

castrojo commented Dec 8, 2024

From reading the parent issue it looks like I have all the capabilities that are supposed to be there?

bash-5.2# pwd
/usr/libexec/sssd
bash-5.2# getcap *
krb5_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
ldap_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
selinux_child cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep
sssd_pam cap_dac_read_search=p

@karypid

karypid commented Dec 9, 2024

> @karypid was still having problems too last time they checked into the Bazzite issue.

AFAIK realm only supports adcli and samba for membership software, as per the following:

  --client-software=xxx
 Only join realms for which we can use the given client software. Possible values include sssd or winbind. Not all values are supported
 for all realms. By default the client software is automatically selected.

  --server-software=xxx
 Only join realms for run the given server software. Possible values include active-directory or ipa.

  --membership-software=xxx
 The software to use when joining to the realm. Possible values include **samba or adcli**. Not all values are supported for all realms. By
 default the membership software is automatically selected.

I am not familiar with the IPA client, but could you not use sssd/adcli and sssd/samba on the client side? It should work fine with a FreeIPA domain as that is supported.

The problems you linked to have to do with the Fedora 40 (gts) channel. Stable and latest should work fine (as long as you are using supported client-side software options).

@ABotelho23
Copy link
Contributor Author

ABotelho23 commented Dec 9, 2024

To be clear, I have a similar setup on Bazzite 41 authenticating against the same FreeIPA system/realm and it works fine. My desktop is on Bazzite, and my laptop is on Bluefin. Bazzite works, Bluefin does not.

I use the FreeIPA client because it integrates with FreeIPA more deeply.

I tried with SELinux set to permissive, but still seem to get this:

Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:41 alexlaptop.ipa.example.com sssd_kcm[10731]: KCM couldn't load the configuration [5]: Input/output error
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:41 alexlaptop.ipa.example.com sssd_kcm[10763]: KCM couldn't load the configuration [5]: Input/output error
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:41 alexlaptop.ipa.example.com setroubleshoot[10202]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Dec 08 21:05:41 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from create access on the file lock. For complete SELinux messages run: sealert -l d5360ce7-0f7c-41b5-b731-fca81bb7676e
Dec 08 21:05:41 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from create access on the file lock.
                                                                   
                                                                   *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
                                                                   
                                                                   If you want to allow certmonger to have create access on the lock file
                                                                   Then you need to change the label on lock
                                                                   Do
                                                                   # semanage fcontext -a -t FILE_TYPE 'lock'
                                                                   where FILE_TYPE is one of the following: NetworkManager_unit_file_t, abrt_unit_file_t, accountsd_unit_file_t, afterburn_unit_file_t, alsa_unit_file_t, amanda_unit_file_t, anaconda_unit_file_t, antivirus_unit_file_t, apcupsd_unit_file_t, apmd_unit_file_t, arpwatch_unit_file_t, auditd_unit_file_t, automount_unit_file_t, avahi_unit_file_t, bluetooth_unit_file_t, boinc_unit_file_t, boothd_unit_file_t, bootupd_unit_file_t, brltty_unit_file_t, cert_t, certmonger_tmp_t, certmonger_unit_file_t, certmonger_var_lib_t, certmonger_var_run_t, chronyd_unit_file_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_scheduler_unit_file_t, cinder_volume_unit_file_t, cloud_init_unit_file_t, cluster_unit_file_t, cluster_var_lib_t, collectd_unit_file_t, colord_unit_file_t, condor_unit_file_t, conman_unit_file_t, conntrackd_unit_file_t, consolekit_unit_file_t, container_unit_file_t, coreos_boot_mount_generator_unit_file_t, coreos_installer_unit_file_t, couchdb_unit_file_t, crond_unit_file_t, cupsd_unit_file_t, dbusd_unit_file_t, dhcpd_unit_file_t, dirsrv_config_t, dirsrv_unit_file_t, dnsmasq_unit_file_t, dnssec_trigger_unit_file_t, dovecot_cert_t, fdo_unit_file_t, firewalld_unit_file_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmiseld_unit_file_t, ftpd_unit_file_t, fwupd_cert_t, fwupd_unit_file_t, getty_unit_file_t, glance_api_unit_file_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, gssproxy_unit_file_t, haproxy_unit_file_t, home_cert_t, hostapd_unit_file_t, hsqldb_unit_file_t, httpd_unit_file_t, hwloc_dhwd_unit_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, ica_tmpfs_t, innd_unit_file_t, insights_client_unit_file_t, iodined_unit_file_t, ipa_cert_t, ipa_dnskey_unit_file_t, ipa_log_t, ipa_ods_exporter_unit_file_t, ipa_otpd_unit_file_t, ipa_var_lib_t, ipa_var_run_t, ipmievd_unit_file_t, ipsec_mgmt_unit_file_t, iptables_unit_file_t, iscsi_unit_file_t, 
jetty_unit_file_t, kdump_dep_unit_file_t, kdump_unit_file_t, keepalived_unit_file_t, keystone_unit_file_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, ksm_unit_file_t, ksmtuned_unit_file_t, ktalkd_unit_file_t, lsmd_unit_file_t, lttng_sessiond_unit_file_t, lvm_unit_file_t, mdadm_unit_file_t, modemmanager_unit_file_t, mongod_unit_file_t, motion_unit_file_t, mysqld_unit_file_t, named_cache_t, named_unit_file_t, nbdkit_unit_file_t, netlabel_mgmt_unit_file_t, neutron_unit_file_t, nfsd_unit_file_t, ninfod_unit_file_t, nis_unit_file_t, nova_unit_file_t, nscd_unit_file_t, ntpd_unit_file_t, numad_unit_file_t, nut_unit_file_t, nvme_stas_unit_file_t, oddjob_unit_file_t, opendnssec_unit_file_t, opensm_unit_file_t, openvswitch_unit_file_t, openwsman_unit_file_t, pdns_unit_file_t, pesign_unit_file_t, pkcs_slotd_lock_t, pkcs_slotd_tmpfs_t, pkcs_slotd_unit_file_t, pkcs_slotd_var_lib_t, pki_tomcat_cert_t, pki_tomcat_unit_file_t, polipo_unit_file_t, postgresql_unit_file_t, power_unit_file_t, pppd_unit_file_t, prosody_unit_file_t, qatlib_unit_file_t, rabbitmq_unit_file_t, radiusd_unit_file_t, rasdaemon_unit_file_t, rdisc_unit_file_t, redis_unit_file_t, rhcd_unit_file_t, rhnsd_unit_file_t, rngd_unit_file_t, rpcbind_unit_file_t, rpcd_unit_file_t, rshim_unit_file_t, rtas_errd_unit_file_t, samba_cert_t, samba_unit_file_t, sanlk_resetd_unit_file_t, sanlock_unit_file_t, sbd_unit_file_t, selinux_autorelabel_generator_unit_file_t, sensord_unit_file_t, slapd_cert_t, slapd_unit_file_t, spamd_unit_file_t, spamd_update_unit_file_t, speech_dispatcher_unit_file_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sslh_unit_file_t, sssd_unit_file_t, stalld_unit_file_t, svnserve_unit_file_t, swift_unit_file_t, syslogd_unit_file_t, systemd_bless_boot_generator_unit_file_t, systemd_bootchart_unit_file_t, systemd_cryptsetup_generator_unit_file_t, systemd_debug_generator_unit_file_t, systemd_fstab_generator_unit_file_t, systemd_generic_generator_unit_file_t, systemd_getty_generator_unit_file_t, 
systemd_gpt_generator_unit_file_t, systemd_homed_unit_file_t, systemd_hwdb_unit_file_t, systemd_machined_unit_file_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_passwd_var_run_t, systemd_rc_local_generator_unit_file_t, systemd_resolved_unit_file_t, systemd_rfkill_unit_file_t, systemd_runtime_unit_file_t, systemd_socket_proxyd_unit_file_t, systemd_ssh_generator_unit_file_t, systemd_sysv_generator_unit_file_t, systemd_timedated_unit_file_t, systemd_tpm2_generator_unit_file_t, systemd_unit_file_t, systemd_userdbd_unit_file_t, systemd_vconsole_unit_file_t, systemd_zram_generator_unit_file_t, tangd_unit_file_t, targetclid_unit_file_t, targetd_unit_file_t, tlp_unit_file_t, tomcat_unit_file_t, tor_unit_file_t, usbmuxd_unit_file_t, virtd_unit_file_t, virtlogd_unit_file_t, vmtools_unit_file_t, wireguard_unit_file_t, xdm_unit_file_t, ypbind_unit_file_t, zebra_unit_file_t, zoneminder_unit_file_t.
                                                                   Then execute:
                                                                   restorecon -v 'lock'
                                                                   
                                                                   
                                                                   *****  Plugin catchall (17.1 confidence) suggests   **************************
                                                                   
                                                                   If you believe that certmonger should be allowed create access on the lock file by default.
                                                                   Then you should report this as a bug.
                                                                   You can generate a local policy module to allow this access.
                                                                   Do
                                                                   allow this access for now by executing:
                                                                   # ausearch -c 'certmonger' --raw | audit2allow -M my-certmonger
                                                                   # semodule -X 300 -i my-certmonger.pp
                                                                   
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { execute } for  pid=10777 comm="rpm" name="rpm-ostree" dev="dm-0" ino=1243096 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { execute_no_trans } for  pid=10777 comm="rpm" path="/usr/bin/rpm-ostree" dev="dm-0" ino=1243096 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { map } for  pid=10777 comm="rpm-ostree" path="/usr/bin/rpm-ostree" dev="dm-0" ino=1243096 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com sssd_kcm[10776]: KCM couldn't load the configuration [5]: Input/output error
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { read } for  pid=10777 comm="tokio-runtime-w" name="config" dev="dm-0" ino=241520 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { open } for  pid=10777 comm="tokio-runtime-w" path="/sysroot/ostree/repo/config" dev="dm-0" ino=241520 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[10777]: AVC avc:  denied  { getattr } for  pid=10777 comm="tokio-runtime-w" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:41 alexlaptop.ipa.example.com setroubleshoot[10202]: failed to retrieve rpm info for path '/var/lib/certmonger/lock':
Dec 08 21:05:41 alexlaptop.ipa.example.com sssd_kcm[10792]: KCM couldn't load the configuration [5]: Input/output error
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Starting sssd-kcm.service - SSSD Kerberos Cache Manager...
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Started sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:41 alexlaptop.ipa.example.com sssd_kcm[10806]: KCM couldn't load the configuration [5]: Input/output error
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Start request repeated too quickly.
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.service: Failed with result 'exit-code'.
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: Failed to start sssd-kcm.service - SSSD Kerberos Cache Manager.
Dec 08 21:05:41 alexlaptop.ipa.example.com systemd[1]: sssd-kcm.socket: Failed with result 'service-start-limit-hit'.
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:43 alexlaptop.ipa.example.com sedispatch[1264]: AVC Message regarding setroubleshoot, ignoring message
Dec 08 21:05:44 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from 'read, write, open' accesses on the file /var/lib/certmonger/lock. For complete SELinux messages run: sealert -l 1d69bd2c-e77f-4a1d-995f-676adb92c881
Dec 08 21:05:44 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from 'read, write, open' accesses on the file /var/lib/certmonger/lock.
                                                                   
                                                                   *****  Plugin restorecon (94.8 confidence) suggests   ************************
                                                                   
                                                                   If you want to fix the label. 
                                                                   /var/lib/certmonger/lock default label should be certmonger_var_lib_t.
                                                                   Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                                                   Do
                                                                   # /sbin/restorecon -v /var/lib/certmonger/lock
                                                                   
                                                                   *****  Plugin catchall_labels (5.21 confidence) suggests   *******************
                                                                   
                                                                   If you want to allow certmonger to have read write open access on the lock file
                                                                   Then you need to change the label on /var/lib/certmonger/lock
                                                                   Do
                                                                   # semanage fcontext -a -t FILE_TYPE '/var/lib/certmonger/lock'
                                                                   where FILE_TYPE is one of the following: NetworkManager_tmp_t, NetworkManager_unit_file_t, abrt_helper_exec_t, abrt_tmp_t, abrt_unit_file_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, accountsd_unit_file_t, admin_crontab_tmp_t, afs_cache_t, afterburn_unit_file_t, alsa_tmp_t, alsa_unit_file_t, amanda_tmp_t, amanda_unit_file_t, anaconda_unit_file_t, antivirus_tmp_t, antivirus_unit_file_t, apcupsd_tmp_t, apcupsd_unit_file_t, apmd_tmp_t, apmd_unit_file_t, arpwatch_tmp_t, arpwatch_unit_file_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, auditd_unit_file_t, auth_cache_t, automount_tmp_t, automount_unit_file_t, avahi_unit_file_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, bluetooth_unit_file_t, boinc_project_tmp_t, boinc_tmp_t, boinc_unit_file_t, boot_t, boothd_unit_file_t, bootloader_tmp_t, bootupd_unit_file_t, brltty_unit_file_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, certmonger_exec_t, certmonger_tmp_t, certmonger_unconfined_exec_t, certmonger_unit_file_t, certmonger_var_lib_t, certmonger_var_run_t, cgroup_memory_pressure_t, cgroup_t, chrome_sandbox_tmp_t, chronyd_tmp_t, chronyd_unit_file_t, cinder_api_tmp_t, cinder_api_unit_file_t, cinder_backup_tmp_t, cinder_backup_unit_file_t, cinder_scheduler_tmp_t, cinder_scheduler_unit_file_t, cinder_volume_tmp_t, cinder_volume_unit_file_t, cloud_init_tmp_t, cloud_init_unit_file_t, cluster_conf_t, cluster_tmp_t, cluster_unit_file_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, collectd_script_tmp_t, collectd_unit_file_t, colord_tmp_t, colord_unit_file_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, condor_unit_file_t, conman_tmp_t, conman_unit_file_t, conntrackd_unit_file_t, consolekit_unit_file_t, container_runtime_tmp_t, container_unit_file_t, coreos_boot_mount_generator_unit_file_t, 
coreos_installer_unit_file_t, couchdb_tmp_t, couchdb_unit_file_t, courier_exec_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crond_unit_file_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cupsd_unit_file_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_unit_file_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dhcpd_unit_file_t, dirsrv_config_t, dirsrv_tmp_t, dirsrv_unit_file_t, disk_munin_plugin_tmp_t, distccd_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnsmasq_unit_file_t, dnssec_trigger_tmp_t, dnssec_trigger_unit_file_t, dovecot_auth_tmp_t, dovecot_cert_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, efivarfs_t, etc_runtime_t, etc_t, exim_exec_t, exim_tmp_t, fdo_tmp_t, fdo_unit_file_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewalld_unit_file_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fprintd_tmp_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmiseld_unit_file_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpd_unit_file_t, ftpdctl_tmp_t, fwupd_cert_t, fwupd_unit_file_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, getty_unit_file_t, git_script_tmp_t, gkeyringd_tmp_t, glance_api_unit_file_t, glance_registry_tmp_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_tmp_t, glusterd_tmp_t, gnome_initial_setup_tmp_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_tmp_t, gssd_tmp_t, gssproxy_unit_file_t, haproxy_unit_file_t, home_cert_t, hostapd_unit_file_t, hostname_etc_t, hsqldb_tmp_t, hsqldb_unit_file_t, httpd_config_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_unit_file_t, hwloc_dhwd_unit_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, ica_tmpfs_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, innd_unit_file_t, 
insights_client_tmp_t, insights_client_unit_file_t, iodined_unit_file_t, ipa_cert_t, ipa_custodia_tmp_t, ipa_dnskey_unit_file_t, ipa_log_t, ipa_ods_exporter_unit_file_t, ipa_otpd_unit_file_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipmievd_unit_file_t, ipsec_mgmt_unit_file_t, ipsec_tmp_t, iptables_tmp_t, iptables_unit_file_t, iscsi_tmp_t, iscsi_unit_file_t, jetty_tmp_t, jetty_unit_file_t, kadmind_tmp_t, kdump_dep_unit_file_t, kdump_unit_file_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keepalived_unit_file_t, keystone_tmp_t, keystone_unit_file_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_tmp_t, ksm_unit_file_t, ksmtuned_unit_file_t, ktalkd_tmp_t, ktalkd_unit_file_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lsmd_unit_file_t, lttng_sessiond_unit_file_t, lvm_tmp_t, lvm_unit_file_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mdadm_unit_file_t, mediawiki_tmp_t, mock_tmp_t, modemmanager_unit_file_t, mojomojo_tmp_t, mongod_tmp_t, mongod_unit_file_t, motion_unit_file_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_tmp_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, mysqld_unit_file_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_cache_t, named_tmp_t, named_unit_file_t, nbdkit_tmp_t, nbdkit_unit_file_t, net_conf_t, netlabel_mgmt_unit_file_t, netutils_tmp_t, neutron_tmp_t, neutron_unit_file_t, nfsd_tmp_t, nfsd_unit_file_t, ninfod_unit_file_t, nis_unit_file_t, nova_tmp_t, nova_unit_file_t, nscd_unit_file_t, nsd_tmp_t, ntop_tmp_t, 
ntpd_tmp_t, ntpd_unit_file_t, numad_unit_file_t, nut_unit_file_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nvme_stas_tmpfs_t, nvme_stas_unit_file_t, nx_server_tmp_t, oddjob_unit_file_t, opendnssec_tmp_t, opendnssec_unit_file_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, opensm_unit_file_t, openvpn_tmp_t, openvswitch_tmp_t, openvswitch_unit_file_t, openwsman_tmp_t, openwsman_unit_file_t, oracleasm_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pcscd_var_run_t, pdns_unit_file_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pesign_unit_file_t, pkcs11_modules_conf_t, pkcs_slotd_lock_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t, pkcs_slotd_unit_file_t, pkcs_slotd_var_lib_t, pki_tomcat_cert_t, pki_tomcat_etc_rw_t, pki_tomcat_tmp_t, pki_tomcat_unit_file_t, pki_tomcat_var_lib_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_unit_file_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, postgresql_unit_file_t, power_unit_file_t, pppd_tmp_t, pppd_unit_file_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, prosody_tmp_t, prosody_unit_file_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qatlib_unit_file_t, qpidd_tmp_t, rabbitmq_tmp_t, rabbitmq_unit_file_t, racoon_tmp_t, radiusd_unit_file_t, rasdaemon_unit_file_t, rdisc_unit_file_t, realmd_tmp_t, redis_tmp_t, redis_unit_file_t, rhcd_tmp_t, rhcd_unit_file_t, rhnsd_unit_file_t, rhsmcertd_tmp_t, ricci_tmp_t, rkhunter_var_lib_t, rlogind_tmp_t, rngd_unit_file_t, rpcbind_tmp_t, rpcbind_unit_file_t, rpcd_unit_file_t, rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rshim_unit_file_t, rsync_tmp_t, rtas_errd_tmp_t, rtas_errd_unit_file_t, samba_cert_t, 
samba_etc_t, samba_net_tmp_t, samba_unit_file_t, samba_var_t, sanlk_resetd_unit_file_t, sanlock_unit_file_t, sbd_tmpfs_t, sbd_unit_file_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_autorelabel_generator_unit_file_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_exec_t, sendmail_tmp_t, sensord_unit_file_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_cert_t, slapd_tmp_t, slapd_unit_file_t, smbd_tmp_t, smoltclient_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, spamd_unit_file_t, spamd_update_unit_file_t, speech_dispatcher_tmp_t, speech_dispatcher_unit_file_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sslh_unit_file_t, sssd_public_t, sssd_unit_file_t, sssd_var_lib_t, staff_sudo_tmp_t, stalld_unit_file_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, svnserve_unit_file_t, swat_tmp_t, swift_tmp_t, swift_unit_file_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, syslogd_unit_file_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_bless_boot_generator_unit_file_t, systemd_bootchart_unit_file_t, systemd_cryptsetup_generator_unit_file_t, systemd_debug_generator_unit_file_t, systemd_fstab_generator_unit_file_t, systemd_generic_generator_unit_file_t, systemd_getty_generator_unit_file_t, systemd_gpt_generator_unit_file_t, systemd_homed_unit_file_t, systemd_hwdb_unit_file_t, systemd_importd_tmp_t, systemd_logind_var_run_t, systemd_machined_unit_file_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_passwd_var_run_t, systemd_rc_local_generator_unit_file_t, systemd_resolved_unit_file_t, systemd_rfkill_unit_file_t, 
systemd_runtime_unit_file_t, systemd_socket_proxyd_unit_file_t, systemd_ssh_generator_unit_file_t, systemd_systemctl_exec_t, systemd_sysv_generator_unit_file_t, systemd_timedated_unit_file_t, systemd_tpm2_generator_unit_file_t, systemd_unit_file_t, systemd_userdbd_unit_file_t, systemd_vconsole_unit_file_t, systemd_zram_generator_unit_file_t, tangd_unit_file_t, targetclid_tmp_t, targetclid_unit_file_t, targetd_tmp_t, targetd_unit_file_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tlp_unit_file_t, tmp_t, tomcat_tmp_t, tomcat_unit_file_t, tor_unit_file_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, usbmuxd_unit_file_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, virtd_unit_file_t, virtlogd_unit_file_t, virtproxyd_tmp_t, virtqemud_tmp_t, virtstoraged_tmp_t, vmtools_tmp_t, vmtools_unit_file_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, winbind_rpcd_tmp_t, wireguard_unit_file_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xdm_unit_file_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypbind_unit_file_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t, zebra_unit_file_t, zoneminder_unit_file_t.
                                                                   Then execute:
                                                                   restorecon -v '/var/lib/certmonger/lock'
                                                                   
                                                                   
                                                                   *****  Plugin catchall (1.44 confidence) suggests   **************************
                                                                   
                                                                   If you believe that certmonger should be allowed read write open access on the lock file by default.
                                                                   Then you should report this as a bug.
                                                                   You can generate a local policy module to allow this access.
                                                                   Do
                                                                   allow this access for now by executing:
                                                                   # ausearch -c 'certmonger' --raw | audit2allow -M my-certmonger
                                                                   # semodule -X 300 -i my-certmonger.pp
                                                                   
Dec 08 21:05:46 alexlaptop.ipa.example.com setroubleshoot[10202]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Dec 08 21:05:46 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from lock access on the file /var/lib/certmonger/lock. For complete SELinux messages run: sealert -l 9f6313b3-ff3d-466f-a696-83bd3ba88586
Dec 08 21:05:46 alexlaptop.ipa.example.com setroubleshoot[10202]: SELinux is preventing certmonger from lock access on the file /var/lib/certmonger/lock.
                                                                   
                                                                   *****  Plugin restorecon (94.8 confidence) suggests   ************************
                                                                   
                                                                   If you want to fix the label. 
                                                                   /var/lib/certmonger/lock default label should be certmonger_var_lib_t.
                                                                   Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                                                                   Do
                                                                   # /sbin/restorecon -v /var/lib/certmonger/lock
                                                                   
                                                                   *****  Plugin catchall_labels (5.21 confidence) suggests   *******************
                                                                   
                                                                   If you want to allow certmonger to have lock access on the lock file
                                                                   Then you need to change the label on /var/lib/certmonger/lock
                                                                   Do
                                                                   # semanage fcontext -a -t FILE_TYPE '/var/lib/certmonger/lock'
                                                                   where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, NetworkManager_unit_file_t, abrt_tmp_t, abrt_unit_file_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_unit_file_t, acct_data_t, admin_crontab_tmp_t, afs_logfile_t, afterburn_unit_file_t, aide_log_t, alsa_tmp_t, alsa_unit_file_t, amanda_log_t, amanda_tmp_t, amanda_unit_file_t, anaconda_unit_file_t, antivirus_log_t, antivirus_tmp_t, antivirus_unit_file_t, apcupsd_log_t, apcupsd_tmp_t, apcupsd_unit_file_t, apmd_log_t, apmd_tmp_t, apmd_unit_file_t, arpwatch_tmp_t, arpwatch_unit_file_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, auditd_unit_file_t, auth_cache_t, automount_tmp_t, automount_unit_file_t, avahi_unit_file_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, bluetooth_unit_file_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boinc_unit_file_t, boot_t, boothd_unit_file_t, bootloader_tmp_t, bootupd_unit_file_t, brltty_log_t, brltty_unit_file_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, certmonger_exec_t, certmonger_tmp_t, certmonger_unit_file_t, certmonger_var_lib_t, certmonger_var_run_t, cfengine_log_t, cgred_log_t, cgroup_memory_pressure_t, cgroup_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_tmp_t, chronyd_unit_file_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_api_unit_file_t, cinder_backup_tmp_t, cinder_backup_unit_file_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_scheduler_unit_file_t, cinder_volume_tmp_t, cinder_volume_unit_file_t, cloud_init_tmp_t, cloud_init_unit_file_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_unit_file_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, 
cobbler_tmp_t, cobbler_var_log_t, collectd_log_t, collectd_script_tmp_t, collectd_unit_file_t, colord_tmp_t, colord_unit_file_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, condor_unit_file_t, conman_log_t, conman_tmp_t, conman_unit_file_t, conntrackd_log_t, conntrackd_unit_file_t, consolekit_log_t, consolekit_unit_file_t, container_file_t, container_log_t, container_runtime_tmp_t, container_unit_file_t, coreos_boot_mount_generator_unit_file_t, coreos_installer_unit_file_t, couchdb_log_t, couchdb_tmp_t, couchdb_unit_file_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crond_unit_file_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cupsd_unit_file_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_unit_file_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dhcpd_unit_file_t, dirsrv_config_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_unit_file_t, dirsrv_var_log_t, disk_munin_plugin_tmp_t, distccd_log_t, distccd_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_tmp_t, dnsmasq_unit_file_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dnssec_trigger_unit_file_t, dovecot_auth_tmp_t, dovecot_cert_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, efivarfs_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, faillog_t, fdo_tmp_t, fdo_unit_file_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_tmp_t, firewalld_unit_file_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fprintd_tmp_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmiseld_unit_file_t, fsadm_log_t, 
fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpd_unit_file_t, ftpdctl_tmp_t, fwupd_cert_t, fwupd_unit_file_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_log_t, getty_tmp_t, getty_unit_file_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_api_unit_file_t, glance_log_t, glance_registry_tmp_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gnome_initial_setup_tmp_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_tmp_t, groupd_var_log_t, gssd_tmp_t, gssproxy_unit_file_t, haproxy_unit_file_t, haproxy_var_log_t, home_cert_t, hostapd_unit_file_t, hostname_etc_t, hsqldb_tmp_t, hsqldb_unit_file_t, httpd_config_t, httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_unit_file_t, hwloc_dhwd_unit_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, ibacm_log_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, innd_unit_file_t, insights_client_tmp_t, insights_client_unit_file_t, insights_client_var_log_t, iodined_unit_file_t, ipa_cert_t, ipa_custodia_log_t, ipa_custodia_tmp_t, ipa_dnskey_unit_file_t, ipa_log_t, ipa_ods_exporter_unit_file_t, ipa_otpd_unit_file_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipmievd_unit_file_t, ipsec_log_t, ipsec_mgmt_unit_file_t, ipsec_tmp_t, iptables_tmp_t, iptables_unit_file_t, iscsi_log_t, iscsi_tmp_t, iscsi_unit_file_t, iwhd_log_t, jetty_log_t, jetty_tmp_t, jetty_unit_file_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdump_dep_unit_file_t, kdump_log_t, kdump_unit_file_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keepalived_unit_file_t, keystone_log_t, keystone_tmp_t, keystone_unit_file_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_log_t, krb5kdc_tmp_t, ksm_unit_file_t, ksmtuned_log_t, ksmtuned_unit_file_t, 
ktalkd_log_t, ktalkd_tmp_t, ktalkd_unit_file_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lsmd_unit_file_t, lttng_sessiond_unit_file_t, lvm_tmp_t, lvm_unit_file_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mdadm_unit_file_t, mediawiki_tmp_t, minidlna_log_t, mock_tmp_t, modemmanager_unit_file_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, mongod_unit_file_t, motion_log_t, motion_unit_file_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_log_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_log_t, mrtg_tmp_t, mscan_tmp_t, munin_log_t, munin_script_tmp_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mysqld_unit_file_t, mythtv_var_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_cache_t, named_log_t, named_tmp_t, named_unit_file_t, nbdkit_tmp_t, nbdkit_unit_file_t, net_conf_t, netlabel_mgmt_unit_file_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, neutron_unit_file_t, nfsd_tmp_t, nfsd_unit_file_t, ninfod_unit_file_t, nis_unit_file_t, nova_log_t, nova_tmp_t, nova_unit_file_t, nscd_log_t, nscd_unit_file_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, ntpd_unit_file_t, numad_unit_file_t, numad_var_log_t, nut_unit_file_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nvme_stas_tmpfs_t, nvme_stas_unit_file_t, nx_server_tmp_t, oddjob_unit_file_t, opendnssec_tmp_t, opendnssec_unit_file_t, openhpid_log_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, opensm_unit_file_t, openvpn_status_t, openvpn_tmp_t, 
openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openvswitch_unit_file_t, openwsman_log_t, openwsman_tmp_t, openwsman_unit_file_t, oracleasm_tmp_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passt_log_t, passwd_file_t, pasta_log_t, pcp_log_t, pcp_tmp_t, pcscd_var_run_t, pdns_unit_file_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pesign_unit_file_t, pkcs11_modules_conf_t, pkcs_slotd_lock_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t, pkcs_slotd_unit_file_t, pkcs_slotd_var_lib_t, pki_log_t, pki_ra_log_t, pki_tomcat_cert_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tomcat_unit_file_t, pki_tomcat_var_lib_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_log_t, polipo_unit_file_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, postgresql_unit_file_t, power_unit_file_t, pppd_log_t, pppd_tmp_t, pppd_unit_file_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, proc_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, prosody_unit_file_t, psad_tmp_t, psad_var_log_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qatlib_unit_file_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_tmp_t, rabbitmq_unit_file_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, radiusd_unit_file_t, rasdaemon_unit_file_t, rdisc_unit_file_t, realmd_tmp_t, redis_log_t, redis_tmp_t, redis_unit_file_t, rhcd_tmp_t, rhcd_unit_file_t, rhcd_var_log_t, rhnsd_unit_file_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rngd_unit_file_t, rpcbind_tmp_t, rpcbind_unit_file_t, rpcd_unit_file_t, rpm_log_t, 
rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rshim_unit_file_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, rtas_errd_unit_file_t, samba_cert_t, samba_etc_t, samba_log_t, samba_net_tmp_t, samba_unit_file_t, samba_var_t, sanlk_resetd_unit_file_t, sanlock_log_t, sanlock_unit_file_t, sbd_tmpfs_t, sbd_unit_file_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_autorelabel_generator_unit_file_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, sensord_unit_file_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, setroubleshoot_var_log_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_cert_t, slapd_log_t, slapd_tmp_t, slapd_unit_file_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, spamd_unit_file_t, spamd_update_unit_file_t, speech_dispatcher_log_t, speech_dispatcher_tmp_t, speech_dispatcher_unit_file_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sslh_unit_file_t, sssd_public_t, sssd_unit_file_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stalld_unit_file_t, stapserver_log_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_log_t, stunnel_tmp_t, sudo_log_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, svnserve_unit_file_t, swat_tmp_t, swift_tmp_t, swift_unit_file_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, syslogd_unit_file_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_bless_boot_generator_unit_file_t, systemd_bootchart_unit_file_t, systemd_cryptsetup_generator_unit_file_t, systemd_debug_generator_unit_file_t, systemd_fstab_generator_unit_file_t, 
systemd_generic_generator_unit_file_t, systemd_getty_generator_unit_file_t, systemd_gpt_generator_unit_file_t, systemd_homed_unit_file_t, systemd_hwdb_unit_file_t, systemd_importd_tmp_t, systemd_logind_var_run_t, systemd_machined_unit_file_t, systemd_modules_load_unit_file_t, systemd_networkd_unit_file_t, systemd_notify_exec_t, systemd_passwd_agent_exec_t, systemd_passwd_var_run_t, systemd_rc_local_generator_unit_file_t, systemd_resolved_unit_file_t, systemd_rfkill_unit_file_t, systemd_runtime_unit_file_t, systemd_socket_proxyd_unit_file_t, systemd_ssh_generator_unit_file_t, systemd_systemctl_exec_t, systemd_sysv_generator_unit_file_t, systemd_timedated_unit_file_t, systemd_tpm2_generator_unit_file_t, systemd_unit_file_t, systemd_userdbd_unit_file_t, systemd_vconsole_unit_file_t, systemd_zram_generator_unit_file_t, tangd_unit_file_t, targetclid_tmp_t, targetclid_unit_file_t, targetd_tmp_t, targetd_unit_file_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tlp_unit_file_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tomcat_unit_file_t, tor_unit_file_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, usbmuxd_unit_file_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, virtd_unit_file_t, virtlogd_unit_file_t, virtproxyd_tmp_t, virtqemud_tmp_t, virtstoraged_tmp_t, vmtools_tmp_t, vmtools_unit_file_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, 
vpnc_tmp_t, w3c_validator_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, winbind_rpcd_tmp_t, wireguard_unit_file_t, wireshark_tmp_t, wireshark_tmpfs_t, wtmp_t, xauth_tmp_t, xdm_log_t, xdm_unit_file_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypbind_unit_file_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zebra_unit_file_t, zoneminder_log_t, zoneminder_unit_file_t.
                                                                   Then execute:
                                                                   restorecon -v '/var/lib/certmonger/lock'
                                                                   
                                                                   
                                                                   *****  Plugin catchall (1.44 confidence) suggests   **************************
                                                                   
                                                                   If you believe that certmonger should be allowed lock access on the lock file by default.
                                                                   Then you should report this as a bug.
                                                                   You can generate a local policy module to allow this access.
                                                                   Do
                                                                   allow this access for now by executing:
                                                                   # ausearch -c 'certmonger' --raw | audit2allow -M my-certmonger
                                                                   # semodule -X 300 -i my-certmonger.pp
                                                                   
Dec 08 21:05:51 alexlaptop.ipa.example.com setroubleshoot[10202]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Dec 08 21:05:54 alexlaptop.ipa.example.com systemd[1]: dbus-:[email protected]: Deactivated successfully.
Dec 08 21:05:54 alexlaptop.ipa.example.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 08 21:05:54 alexlaptop.ipa.example.com systemd[1]: dbus-:[email protected]: Consumed 1.674s CPU time, 49.1M memory peak.
Dec 08 21:05:56 alexlaptop.ipa.example.com setroubleshoot[10202]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 2] No such file or directory: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Dec 08 21:05:56 alexlaptop.ipa.example.com systemd[1]: setroubleshootd.service: Deactivated successfully.
Dec 08 21:05:56 alexlaptop.ipa.example.com systemd[1]: setroubleshootd.service: Consumed 8.911s CPU time, 82.1M memory peak.

@karypid

karypid commented Dec 9, 2024

Does /var/lib/certmonger even exist?

One of the issues in the gts version was that /var/lib/sss/pubconf was missing (I had to create manually). I think the new "rechunk" utility might be causing this.

@ABotelho23
Contributor Author

ABotelho23 commented Dec 11, 2024

Nope, and if I create it, FreeIPA returns the same error, but SELinux still screams. Even after creating lock, so /var/lib/certmonger/lock, the SELinux error is: SELinux is preventing certmonger from open access on the file /var/lib/certmonger/lock

kinit/Kerberos just seems broken in general.

You can see it in the OP error:
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1

Reading the rechunk documentation, it seems to imply that SELinux can get really mangled by the rechunk process. I'm not really sure what information I can provide to assist with this case. Resolving SELinux cases broken by rechunk on a per case basis doesn't really seem sustainable/scalable.

While some of the errors seem like they could be resolved upstream by tmpfiles entries, I'm not sure SELinux blocking access to files is something upstream can fix.

@karypid

karypid commented Dec 11, 2024

Can you compare selinux packages between your working Bazzite and Bluefin?

❯ rpm -qa | grep -i selinux
libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
selinux-policy-41.26-1.fc41.noarch
selinux-policy-targeted-41.26-1.fc41.noarch
container-selinux-2.234.2-1.fc41.noarch
passt-selinux-0^20241127.gc0fbc7e-1.fc41.noarch
python3-libselinux-3.7-5.fc41.x86_64
flatpak-selinux-1.15.12-1.fc41.noarch
rpm-plugin-selinux-4.20.0-1.fc41.x86_64
smartmontools-selinux-7.4-6.fc41.noarch
freeipa-selinux-4.12.2-5.fc41.noarch                          <--- version mismatch here would be of interest
swtpm-selinux-0.9.0-4.fc41.noarch
osbuild-selinux-135-1.fc41.noarch
nbdkit-selinux-1.40.4-1.fc41.noarch
incus-selinux-6.7-0.1.fc41.noarch
cockpit-selinux-330-1.fc41.noarch

If this is indeed related to SELinux, surely there are different policies in effect?

Also does it work with SELinux in permissive mode?

@ABotelho23
Contributor Author

ABotelho23 commented Dec 13, 2024

So, I learned how bootc works, installed vanilla SilverBlue in a VM, rebased to this image: quay.io/fedora-ostree-desktops/silverblue:41

Then added freeipa-client to it with a really simple Containerfile:

FROM quay.io/fedora-ostree-desktops/silverblue:41

RUN dnf install freeipa-client --assumeyes

Built it: sudo podman build -t freeipa-bootc -f Containerfile
Switched to it: sudo bootc switch --transport containers-storage localhost/freeipa-bootc
Rebooted
Created the following directories: /var/lib/freeipa-client, /var/lib/freeipa-client/sysrestore, and /var/lib/freeipa-client/pki (I will see about adding tmpfiles entries upstream!)
And confirmed that the FreeIPA client initialization works!

root@ipatest:/var/lib/ipa-client# ipa-client-install --mkhomedir --force-join --domain ipa.example.com
This program will set up IPA client.
Version 4.12.2

Using existing certificate '/etc/ipa/ca.crt'.
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 
Enter a NTP source pool address, or press Enter to skip: pool.ntp.org
Client hostname: ipatest.ipa.example.com
Realm: IPA.EXAMPLE.COM
DNS Domain: ipa.example.com
IPA Server: dc1.ipa.example.com
BaseDN: dc=ipa,dc=example,dc=com
NTP pool: pool.ntp.org

Continue to configure the system with these values? [no]: yes
Removed old keys for realm IPA.EXAMPLE.COM from /etc/krb5.keytab
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for [email protected]: 
Enrolled in IPA realm IPA.EXAMPLE.COM
Created /etc/ipa/default.conf
Domain ipa.example.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (ipatest.ipa.example.com) does not have A/AAAA record.
Missing reverse record(s) for address(es): [IP address link removed for safety reasons], fec0::5054:ff:fe2a:21ae.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring ipa.example.com as NIS domain.
Configured /etc/krb5.conf for IPA realm IPA.EXAMPLE.COM
Client configuration complete.
The ipa-client-install command was successful

So the rechunk process (which SilverBlue isn't using?) breaks FreeIPA. It really sounds like the "gotchas" described in the rechunk git repository need to be evaluated more seriously. IMO it sounds like the choice to use rechunk should be reverted until that can be solved.

@karypid

karypid commented Dec 13, 2024

Created the following directories: /var/lib/freeipa-client, /var/lib/freeipa-client/sysrestore, and /var/lib/freeipa-client/pki
...
So the rechunk process (which SilverBlue isn't using?) breaks FreeIPA. It really sounds like the "gotchas" described in the rechunk git repository need to be evaluated more seriously. IMO it sounds like the choice to use rechunk should be reverted until that can be solved.

So, as far as I can tell, this new version is trying to save space and among other things seems to "remove empty directories" from the image. This causes issues with programs that expect a folder to exist (with some selinux context) but otherwise be empty.

This is why in my testing instructions here I mention:

Fix missing folder with mkdir -p /var/lib/sss/pubconf/krb5.include.d

I will let the developers/maintainers decide on what to do, but yes - something fishy seems to be happening with the new rechunk, but it is beyond my knowledge.

The good news is that it seems one only needs to manually create missing folders for things to work....

@m2Giles
Member

m2Giles commented Dec 13, 2024

/var is supposed to be basically empty on an image.

What happens if you add a tmpfiles.d conf file to auto-create the directory?

Per packaging guidelines, you are not supposed to create files in /var

@ABotelho23
Contributor Author

I'm collecting information about all these directories and seeing if I can come up with a systemd-tmpfiles config for ipa-client and certmonger. I can already see properties that are different between working, partially working, and not working at all.

dnf provides /var/lib/certmonger definitely has the certmonger package owning it. I'm not sure how SELinux contexts and tmpfiles works, but I'll try and figure it out.
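
As an added illustration of the tmpfiles.d approach discussed in the two comments above (this is not code from the thread, from Bluefin, or from the FreeIPA/certmonger packages): a tmpfiles.d fragment listing the directories this thread found missing, plus a small POSIX sh check that reports which of them are absent from a given root, so a rechunked image can be audited before enrolment is attempted. The paths are the ones named in the thread (the ipa-client path is written as the shell prompt shows it); the modes and ownership are assumptions, not values taken from the packages.

```shell
#!/bin/sh
# Added example, not part of the issue thread. Directories are the ones the
# thread reports missing; 0755 root:root are assumed values, not package data.

# tmpfiles.d(5) fragment: 'd' creates the directory if it is absent. When
# systemd-tmpfiles creates a path it labels it from the loaded SELinux
# file_contexts, so the directories get the policy's default type
# (e.g. certmonger_var_lib_t for /var/lib/certmonger, as setroubleshoot said).
TMPFILES_CONF='# Type Path                              Mode UID  GID  Age Argument
d /var/lib/certmonger                  0755 root root -
d /var/lib/ipa-client                  0755 root root -
d /var/lib/ipa-client/sysrestore       0755 root root -
d /var/lib/ipa-client/pki              0755 root root -
d /var/lib/sss/pubconf/krb5.include.d  0755 root root -
'

# write_tmpfiles_conf DEST: write the fragment above to DEST
# (on a real system: /etc/tmpfiles.d/ipa-client.conf, then
# `systemd-tmpfiles --create ipa-client.conf`).
write_tmpfiles_conf() {
    printf '%s' "$TMPFILES_CONF" > "$1"
}

# check_tmpfiles_dirs ROOT CONF: print every 'd'/'D' entry of CONF whose
# directory does not exist under ROOT (ROOT="" for the live system, or a
# mounted image root). Returns 1 if anything is missing, 0 otherwise.
check_tmpfiles_dirs() {
    ctd_root=$1
    ctd_conf=$2
    ctd_missing=0
    while read -r ctd_type ctd_path _; do
        case "$ctd_type" in
            ''|'#'*) continue ;;   # blank line or comment
            d|D) ;;                # directory entries are all we audit here
            *) continue ;;         # other tmpfiles types are out of scope
        esac
        if [ ! -d "$ctd_root$ctd_path" ]; then
            printf '%s\n' "$ctd_path"
            ctd_missing=1
        fi
    done < "$ctd_conf"
    return $ctd_missing
}
```

Usage on a live host: `check_tmpfiles_dirs "" /etc/tmpfiles.d/ipa-client.conf`. Directories created by hand with `mkdir` do not get relabelled automatically; run `restorecon -Rv` on them, as the restorecon plugin output earlier in this thread suggests, or let `systemd-tmpfiles --create` make them so the label is applied at creation time.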

@ABotelho23
Contributor Author

Hi all,

I posted an upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=2332433

The response is ultimately that FreeIPA bundled in a rpm-ostree/bootc image cannot work in its current state.

Please remove freeipa-client from the standard Bluefin image, it is broken if included. People who want to use it can layer it, like required for Bazzite.

@castrojo
Member

Thanks for doing the legwork on this! I'll keep the issue open so we check it regularly!
