[Freeipa-users] Server installation problem

Rob Crittenden rcritten at redhat.com
Mon Jun 27 14:53:27 UTC 2011


Dan Scott wrote:
> Hi,
>
> On Fri, Jun 24, 2011 at 14:00, Rob Crittenden<rcritten at redhat.com>  wrote:
>> Dan Scott wrote:
>>> I've just installed Fedora 15 onto a VM, configured networking and run
>>> the ipa-server-install script - the installation fails with the error:
>>>
>>> Configuring ntpd
>>>    [1/4]: stopping ntpd
>>>    [2/4]: writing configuration
>>>    [3/4]: configuring ntpd to start on boot
>>>    [4/4]: starting ntpd
>>> done configuring ntpd.
>>> Configuring directory server for the CA: Estimated time 30 seconds
>>>    [1/3]: creating directory server user
>>>    [2/3]: creating directory server instance
>>> root        : CRITICAL failed to restart ds instance Command
>>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T'
>>> returned non-zero exit status 1
>>>    [3/3]: restarting directory server
>>> root        : CRITICAL Failed to restart the directory server. See the
>>> installation log for details.
>>>
>>> Logfile is attached.
>>>
>>> Can anyone help with this? It looks like it's failing to
>>> start/configure the dirsrv service. Is it possible that it's
>>> conflicting with my existing FreeIPA 1.2.x servers elsewhere on the
>>> network?
>>>
>>> Thanks,
>>>
>>> Dan Scott
>>
>> There has recently been an SELinux problem on F-15 that has affected 389-ds
>> installation. Can you see if there are any AVCs for ns-slapd in
>> /var/log/audit/audit.log?
>>
>> rob
>>
>
> That seems to be the problem, thanks.
>
> [root at pc51 ~]# grep denied /var/log/audit/audit.log
> type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for
> pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for
> pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
> [root at pc51 ~]# grep denied /var/log/audit/audit.log|audit2allow
>
>
> #============= dirsrv_t ==============
> allow dirsrv_t var_t:lnk_file read;
> [root at pc51 ~]#
>
> I had a quick look through bugzilla, and didn't find a bug related to
> this. Do I need to file one? Or is it all OK?
>
> Thanks,
>
> Dan

The bug is https://bugzilla.redhat.com/show_bug.cgi?id=696819 which is 
modified. You may want to see if there is a pending fix in updates-testing.

rob
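
The audit.log check discussed in this thread, as an added example that is not part of the original messages and not FreeIPA or 389-ds code: a small parser that groups AVC denials by source type, target type and object class, the same grouping audit2allow printed above. The function names are hypothetical; the two AVC lines are the ones quoted in the thread, rejoined onto single lines, and the SYSCALL line is constructed.

```python
import re
from collections import defaultdict

# Sample input: the two denials quoted in the thread, rejoined onto single
# lines as audit.log stores them, plus one constructed non-AVC record.
SAMPLE_LOG = """\
type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1308937468.228:103): arch=c000003e syscall=2 success=no exit=-13 comm="ns-slapd"
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield one dict per AVC denial, skipping every other record type."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        yield rec

def summarize(log_text, comm=None):
    """Group denials by (source type, target type, class), optionally for one command."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for rec in parse_denials(log_text):
        if comm and rec.get("comm") != comm:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["names"].add(rec.get("name", "?"))
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG, comm="ns-slapd").items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} on {sorted(g['names'])}")
```

Grouping by type and class rather than by PID shows that both failed install attempts hit the same single denial on the `lock` symlink.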



