[Freeipa-users] SELinux error during ipa-server-install
Marco Pizzoli
marco.pizzoli at gmail.com
Fri Feb 10 12:30:41 UTC 2012
Hi guys,
I'm working on Fedora16 and FreeIPA 2.1.4.
I executed the command ipa-server-install and during the setup, digging in
the logs, I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully
completing my setup.
Is this an error in the policy?
Thanks in advance
Marco
[root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that java should be allowed name_connect access on the
<Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:pki_ca_t:s0
Target Context system_u:object_r:ephemeral_port_t:s0
Target Objects [ None ]
Source java
Source Path /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port 59940
Host freeipa01.unix.mydomain.it
Source RPM Packages java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name freeipa01.unix.mydomain.it
Platform Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
Alert Count 2
First Seen Fri 10 Feb 2012 01:16:43 PM CET
Last Seen Fri 10 Feb 2012 01:17:29 PM CET
Local ID 885f3218-de29-4254-b095-0439320b3a50
Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for
pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170):
arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c
a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990
euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none)
ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
subj=system_u:system_r:pki_ca_t:s0 key=(null)
Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
audit2allow
audit2allow -R
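Added example, not part of the original post and not FreeIPA or setroubleshoot code: a small parser that reads AVC denial records like the one above and derives the type-enforcement allow rule each one corresponds to, so the rule can be reviewed before a module is built from it. The sample log, the demo_t records and all function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post joined onto one line, two
# made-up demo_t denials to show permission merging, and a non-AVC record.
SAMPLE = """\
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328876250.100:171): avc: denied { read } for pid=2700 comm="demo" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file
type=AVC msg=audit(1328876250.200:172): avc: denied { write } for pid=2700 comm="demo" scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:demo_file_t:s0 tclass=file
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def type_of(context):
    """A context is user:role:type[:level]; TE rules name only the type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the rule-relevant fields of one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")))
    src, tgt = type_of(kv.get("scontext", "")), type_of(kv.get("tcontext", ""))
    if not (src and tgt and "tclass" in kv):
        return None  # truncated or malformed record
    return {"source": src, "target": tgt, "tclass": kv["tclass"],
            "perms": set(m.group("perms").split()), "dest": kv.get("dest")}

def allow_rules(log_text):
    """Merge denials per (source, target, class) and render allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

For the denial in the post the derived rule is scoped to the port type, not to port 59940, so it would permit pki_ca_t to connect to any TCP port labelled ephemeral_port_t.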