[Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

Jan Cholasta jcholast at redhat.com
Tue Jun 21 06:31:26 UTC 2016


On 17.6.2016 16:30, Petr Vobornik wrote:
> On 17.6.2016 08:53, Fraser Tweedale wrote:
>> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>>
>>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>>
>> Updated patch attached.

Thanks, ACK.

Pushed to master: 3edf13cd8ab541908d7e2011a54e31edf1844ea2

>>
>
> I'm not sure if the following is related to thin client or other work, but
> it should be looked at. Feel free to open a different ticket for it.
>
> I was doing some testing yesterday and this was in audit:
>
> time->Thu Jun 16 22:11:32 2016
> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
> ino=183080 scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
> permissive=0
>
> I did not investigate further, but couldn't it be caused by initializing
> api with api.bootstrap(in_server=True.. which then initializes session
> plugin which then initializes MemcacheSessionManager?
>
> A similar issue could be in other usages.

AFAIK this is triggered by importing ipalib.session and can happen even
with client API.

-- 
Jan Cholasta



