[Freeipa-users] SELinux error during ipa-server-install

Dan Scott danieljamesscott at gmail.com
Fri Feb 10 14:27:07 UTC 2012


Hi,

On Fri, Feb 10, 2012 at 07:50, Dale Macartney <dale at themacartneyclan.com> wrote:
>
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back on the
> day RHEL 6.2 went GA.
>
> My situation was:
>
> SELinux enforcing, then run ipa-server-install. It gets halfway through
> the process and it fails.
>
> Then I tried
>
> SELinux permissive, to get the exact same issue.
>
> I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and
> ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the SELinux pki policy. When this was
> loaded, it caused the ipa setup to fail. An update was made available in
> RHEL which allowed me to move forward with SELinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? My situation was quite a
> while ago so I would have imagined that there would be an update to that
> issue with Fedora as well, if this is actually the same issue I encountered.
>
> Do you get the same issue with SELinux disabled at all?
>
> Dale

I've also had big problems with FreeIPA replication on Fedora 15 and
16. A few issues were related to Fedora 15-16 upgrades and others were
related to SELinux. Disabling SELinux has considerably reduced the
problems that I've been seeing.

Thanks,

Dan

> On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
>> Hi guys,
>> I'm working on Fedora 16 and FreeIPA 2.1.4.
>> I executed the command ipa-server-install and, during the setup, digging in
>> the logs I can find this error, related to SELinux.
>> I'm running in Permissive mode, so nothing prevented me from successfully
>> completing my setup.
>>
>> Is this an error in the policy?
>>
>> Thanks in advance
>> Marco
>>
>> [root at freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
>> SELinux is preventing
>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
>> name_connect access on the None .
>>
>> ***** Plugin catchall (100. confidence) suggests ***************************
>>
>> If you believe that java should be allowed name_connect access on the
>> <Unknown> by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do allow this access for now by executing:
>> # grep java /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context system_u:system_r:pki_ca_t:s0
>> Target Context system_u:object_r:ephemeral_port_t:s0
>> Target Objects [ None ]
>> Source java
>> Source Path /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
>> Port 59940
>> Host freeipa01.unix.mydomain.it
>> Source RPM Packages java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
>> Target RPM Packages
>> Policy RPM selinux-policy-3.10.0-75.fc16.noarch
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Permissive
>> Host Name freeipa01.unix.mydomain.it
>> Platform Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64
>> #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
>> Alert Count 2
>> First Seen Fri 10 Feb 2012 01:16:43 PM CET
>> Last Seen Fri 10 Feb 2012 01:17:29 PM CET
>> Local ID 885f3218-de29-4254-b095-0439320b3a50
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for
>> pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0
>> tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
>> node=freeipa01.unix.mydomain.it type=SYSCALL
>> msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0
>> a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663
>> auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990
>> sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java"
>> exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
>> subj=system_u:system_r:pki_ca_t:s0 key=(null)
>>
>>
>> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>>
>> audit2allow
>>
>>
>> audit2allow -R
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
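The sealert hint quoted in the thread pipes everything matching `grep java` into audit2allow, which sweeps in any denial whose comm or exe mentions java, whatever domain it ran in. The following is an added example, not code from the thread or from the FreeIPA or SELinux projects: a POSIX shell function that reads raw AVC records, keeps only those from one source domain (here `pki_ca_t`, taken from the alert above), and emits a type-enforcement module you can read before loading. The sample AVC lines, the module name `ipa_pki_local` and the `AUDIT_LOG` default are constructed for the example; the first two sample records mirror the denial posted in the thread, the third is an unrelated java denial that a bare `grep java` would also have pulled in.

```shell
#!/bin/sh
# Added example (not from the thread): turn raw AVC denials into a reviewable
# SELinux type-enforcement module restricted to ONE source domain, instead of
# the over-broad `grep java ... | audit2allow -M mypol` from the sealert hint.

# Path default, module name and the sample records are constructed for this
# example; the first two records mirror the AVC posted in the thread.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

SAMPLE_AVC='type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328876295.102:171): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59941 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328876300.000:172): avc:  denied  { read } for  pid=3001 comm="java" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# avc_to_te DOMAIN MODULE   (AVC records on stdin)
# Prints a .te module with one allow rule per distinct
# (source type, target type, class, permission) seen for DOMAIN, or nothing
# at all if DOMAIN has no denials. The type is the third colon-separated
# field of each context, so MLS/MCS ranges with extra colons parse correctly.
avc_to_te() {
  awk -v dom="$1" -v mod="$2" '
    /^type=AVC/ && /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^scontext=/) { split(substr($i, 10), f, ":"); src = f[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), f, ":"); tgt = f[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != dom || tgt == "" || cls == "") next
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++) {
        rule = src " " tgt ":" cls " " p[i]
        if (!(rule in seen)) { seen[rule] = 1; rules[++nr] = rule }
        if (!(src in tseen)) { tseen[src] = 1; types[++nt] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; types[++nt] = tgt }
        if (!(cls in cseen)) { cseen[cls] = 1; classes[++nc] = cls }
        key = cls " " p[i]
        if (!(key in pseen)) { pseen[key] = 1; cperm[cls] = cperm[cls] p[i] " " }
      }
    }
    END {
      if (nr == 0) exit 0
      print "module " mod " 1.0;"
      print ""
      print "require {"
      for (i = 1; i <= nt; i++) print "\ttype " types[i] ";"
      for (i = 1; i <= nc; i++) print "\tclass " classes[i] " { " cperm[classes[i]] "};"
      print "}"
      print ""
      for (i = 1; i <= nr; i++) print "allow " rules[i] ";"
    }'
}

# Stand-alone run: use the real audit log when it is readable, otherwise the
# constructed sample, so the script also runs off-box.
if [ -r "$AUDIT_LOG" ]; then
  avc_to_te pki_ca_t ipa_pki_local < "$AUDIT_LOG"
else
  printf '%s\n' "$SAMPLE_AVC" | avc_to_te pki_ca_t ipa_pki_local
fi
```

On the sample input this prints a module whose only rule is `allow pki_ca_t ephemeral_port_t:tcp_socket name_connect;`, the same rule `audit2allow` derives from that AVC, while the tomcat_t/shadow_t denial is left out. Build and load it with the standard toolchain (`checkmodule -M -m -o ipa_pki_local.mod ipa_pki_local.te`, then `semodule_package -o ipa_pki_local.pp -m ipa_pki_local.mod`, then `semodule -i ipa_pki_local.pp`), or feed the same filtered lines to `audit2allow -M ipa_pki_local` for an equivalent module. Either way the rule grants the CA's JVM outbound connects to every ephemeral port, so treat it as a stopgap: check for a selinux-policy update first, and remove the local module with `semodule -r ipa_pki_local` once the distribution policy covers the access.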



