[Freeipa-users] SELinux error during ipa-server-install

Marco Pizzoli marco.pizzoli at gmail.com
Fri Feb 10 12:30:41 UTC 2012


Hi guys,
I'm working on Fedora16 and FreeIPA 2.1.4.
I executed the command ipa-server-install and, digging in the logs during
the setup, I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully
completing my setup.

Is this an error in the policy?

Thanks in advance
Marco

[root at freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
name_connect access on the None .

*****  Plugin catchall (100. confidence) suggests
***************************

If you believe that java should be allowed name_connect access on the
<Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                 [ None ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          59940
Host                          freeipa01.unix.mydomain.it
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     freeipa01.unix.mydomain.it
Platform                      Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64
                              #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
Local ID                      885f3218-de29-4254-b095-0439320b3a50

Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)


Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow


audit2allow -R
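To read the raw audit messages above without sealert, here is an added Python example (not part of the post, and not FreeIPA or setroubleshoot code). It parses the AVC and SYSCALL records into key/value fields, correlates the two records by their audit serial, and derives the same facts sealert reports: which domain (pki_ca_t) was denied which permission (name_connect) on which target type (ephemeral_port_t), the destination port, and, from success=yes in the SYSCALL record, that the system was in Permissive mode so the connect() call went through anyway. The sample input is the post's own two records, rejoined onto single lines; the summary field names are my own choice.

```python
import re

# The two audit records from the sealert output above, with the mailing-list
# line wraps undone so each record sits on one line (input taken from the post).
RAW_AUDIT = (
    'type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for '
    'pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 '
    'tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket\n'
    'node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): '
    'arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c '
    'a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 '
    'euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) '
    'ses=4294967295 comm="java" '
    'exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" '
    'subj=system_u:system_r:pki_ca_t:s0 key=(null)'
)

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set of an AVC record, e.g. "{ name_connect }".
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
# Timestamp and serial that tie an AVC record to its SYSCALL record.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Turn one audit record into a dict of its fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec['timestamp'] = float(m.group(1))
        rec['serial'] = int(m.group(2))
    p = PERM_RE.search(line)
    if p:
        rec['perms'] = p.group(1).split()
    return rec


def split_context(ctx):
    """Split user:role:type:level into its parts (level may itself contain colons)."""
    user, role, typ, level = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'level': level}


def correlate(raw):
    """Group records by audit serial so AVC and SYSCALL of one event sit together."""
    events = {}
    for line in raw.splitlines():
        rec = parse_record(line)
        events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events


def summarize(event):
    """Extract what a policy reviewer needs from one correlated AVC event."""
    avc = event['AVC']
    src = split_context(avc['scontext'])
    tgt = split_context(avc['tcontext'])
    syscall = event.get('SYSCALL', {})
    # In Permissive mode the kernel logs the denial but lets the syscall proceed,
    # so the SYSCALL record shows success=yes; in Enforcing mode it would read
    # success=no with a negative exit code.
    enforced = syscall.get('success') == 'no'
    return {
        'comm': avc.get('comm'),
        'source_type': src['type'],
        'target_type': tgt['type'],
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'dest_port': int(avc['dest']) if 'dest' in avc else None,
        # syscall 42 on arch c000003e (x86_64) is connect(2).
        'syscall': syscall.get('syscall'),
        'enforced': enforced,
        # The TE rule this denial corresponds to, i.e. what audit2allow would emit;
        # note it grants connects to every port labelled with the target type.
        'rule': f"allow {src['type']} {tgt['type']}:{avc['tclass']} "
                f"{{ {' '.join(avc['perms'])} }};",
    }


if __name__ == '__main__':
    for serial, event in sorted(correlate(RAW_AUDIT).items()):
        print(serial, summarize(event))
```

The `rule` field shows why the catchall suggestion deserves a second look before being installed: the generated rule would let the CA domain connect to any port labelled ephemeral_port_t, not just the one the installer happened to use.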