[Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True

Petr Vobornik pvoborni at redhat.com
Tue Jun 21 07:50:30 UTC 2016


On 06/21/2016 09:40 AM, Jan Cholasta wrote:
> On 21.6.2016 09:35, Petr Vobornik wrote:
>> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>>> On 17.6.2016 16:30, Petr Vobornik wrote:
>>>>
>>>> I'm not sure if the following is related to thin client or other work, but
>>>> it should be looked at. Feel free to open a different ticket for it.
>>>>
>>>> I was doing some testing yesterday and this was in audit:
>>>>
>>>> time->Thu Jun 16 22:11:32 2016
>>>> type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
>>>> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
>>>> ino=183080 scontext=system_u:system_r:certmonger_t:s0
>>>> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
>>>> permissive=0
>>>>
>>>> I did not investigate further, but couldn't it be caused by initializing
>>>> api with api.bootstrap(in_server=True.. which then initializes session
>>>> plugin which then initializes MemcacheSessionManager?
>>>>
>>>> Similar issue could be in other usages.
>>>
>>> AFAIK this is triggered by importing ipalib.session and can happen even
>>> with client API.
>>>
>>
>> True, but it would have to be explicit, which probably won't happen.
>>
>> In ipaserver/plugins/session.py it is done automatically:
>>
>> if api.env.in_server:
>>     from ipalib.session import session_mgr
> 
> IMHO that doesn't really matter, it should be fixed not to connect on
> import, because that's just plain wrong.
> 

True, new ticket: https://fedorahosted.org/freeipa/ticket/5988
-- 
Petr Vobornik
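The pattern the thread objects to, as an added illustration that is not FreeIPA's own code: a session manager constructed when the module is imported opens the memcached socket for every caller that bootstraps with in_server=True, including helpers that never use sessions, whereas a lazily constructed manager only touches the socket on first real use. The socket path, the FakeMemcacheSocket/FakeEnv classes and the counting helper are assumptions for the demo.

```python
import threading

# Constructed: records every attempt to open the memcached socket.
CONNECT_LOG = []


class FakeMemcacheSocket:
    """Stand-in for the ipa_memcached UNIX socket; opening it is the side effect."""

    def __init__(self, path):
        CONNECT_LOG.append(path)
        self.path = path


class MemcacheSessionManager:
    SOCKET_PATH = "/var/run/ipa_memcached/ipa_memcached"  # assumed path for the demo

    def __init__(self):
        self.sock = FakeMemcacheSocket(self.SOCKET_PATH)


class FakeEnv:
    """Minimal stand-in for api.env with just the flag the thread discusses."""

    def __init__(self, in_server):
        self.in_server = in_server


def eager_import(env):
    """Mimics the quoted ipaserver/plugins/session.py: the manager is built as a
    side effect of import, so bootstrapping alone opens the socket."""
    if env.in_server:
        return MemcacheSessionManager()
    return None


_session_mgr = None
_lock = threading.Lock()


def get_session_mgr(env):
    """Lazy alternative: nothing is connected until a session is actually needed,
    and the single instance is reused afterwards."""
    global _session_mgr
    if not env.in_server:
        return None
    with _lock:
        if _session_mgr is None:
            _session_mgr = MemcacheSessionManager()
    return _session_mgr


def connections_during(step):
    """Run `step()` and return how many socket connections it attempted."""
    del CONNECT_LOG[:]
    step()
    return len(CONNECT_LOG)
```

A renewal helper that only needs the API and never a session would, with the eager form, attempt the socket write that the AVC above denied; with the lazy form its bootstrap attempts none.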