<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hi Marco<br>
<br>
I had a very similar issue trying to do the same thing a while back
on the day RHEL 6.2 went GA..<br>
<br>
My situation was<br>
<br>
SElinux enforcing, then run ipa-server-install.. it gets half way
through the process and it fails<br>
<br>
then I tried<br>
<br>
SELinux permissive, to get the exact same issue<br>
<br>
I then completely disabled SElinux in /etc/sysconfig/selinux,
rebooted and ran the setup again, and I was able to install
successfully.<br>
<br>
In my situation, it was related to the selinux pki policy. When this
was loaded, it caused the ipa setup to fail... an update was made
available in rhel which allowed me to move forward with selinux in
enforcing mode.<br>
<br>
Have you patched Fedora 16 with the latest updates? my situation was
quite a while ago so I would have imagined that there would be an
update to that issue with Fedora as well if this is actually the
same issue I encountered. ..<br>
<br>
Do you get the same issue with selinux disabled at all?<br>
<br>
Dale<br>
<br>
<br>
<br>
On 02/10/2012 12:30 PM, Marco Pizzoli wrote:<br>
<span style="white-space: pre;">> Hi guys,<br>
> I'm working on Fedora16 and FreeIPA 2.1.4.<br>
> I executed the command ipa-server-install and during the
setup digging in the logs i can find this error, related to
SELinux.<br>
> I'm running in Permissive mode, so nothing prevented me to
successfully complete my setup.<br>
><br>
> Is this an error in the policy?<br>
><br>
> Thanks in advance<br>
> Marco<br>
><br>
> [root@freeipa01 ~]# sealert -l
885f3218-de29-4254-b095-0439320b3a50<br>
> SELinux is preventing
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
name_connect access on the None .<br>
><br>
> ***** Plugin catchall (100. confidence) suggests
***************************<br>
><br>
> If you believe that java should be allowed name_connect
access on the <Unknown> by default.<br>
> Then you should report this as a bug.<br>
> You can generate a local policy module to allow this access.<br>
> Do<br>
> allow this access for now by executing:<br>
> # grep java /var/log/audit/audit.log | audit2allow -M mypol<br>
> # semodule -i mypol.pp<br>
><br>
><br>
> Additional Information:<br>
> Source Context system_u:system_r:pki_ca_t:s0<br>
> Target Context system_u:object_r:ephemeral_port_t:s0<br>
> Target Objects [ None ]<br>
> Source java<br>
> Source Path
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre<br>
> /bin/java<br>
> Port 59940<br>
> Host freeipa01.unix.mydomain.it
<a class="moz-txt-link-rfc2396E" href="http://freeipa01.unix.mydomain.it"><http://freeipa01.unix.mydomain.it></a><br>
> Source RPM Packages
java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64<br>
> Target RPM Packages<br>
> Policy RPM selinux-policy-3.10.0-75.fc16.noarch<br>
> Selinux Enabled True<br>
> Policy Type targeted<br>
> Enforcing Mode Permissive<br>
> Host Name freeipa01.unix.mydomain.it
<a class="moz-txt-link-rfc2396E" href="http://freeipa01.unix.mydomain.it"><http://freeipa01.unix.mydomain.it></a><br>
> Platform Linux freeipa01.unix.mydomain.it
<a class="moz-txt-link-rfc2396E" href="http://freeipa01.unix.mydomain.it"><http://freeipa01.unix.mydomain.it></a> 3.2.3-2.fc16.x86_64<br>
> #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64<br>
> Alert Count 2<br>
> First Seen Fri 10 Feb 2012 01:16:43 PM CET<br>
> Last Seen Fri 10 Feb 2012 01:17:29 PM CET<br>
> Local ID 885f3218-de29-4254-b095-0439320b3a50<br>
><br>
> Raw Audit Messages<br>
> type=AVC msg=audit(1328876249.581:170): avc: denied {
name_connect } for pid=2663 comm="java" dest=59940
scontext=system_u:system_r:pki_ca_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0
tclass=tcp_socketnode=freeipa01.unix.mydomain.it
<a class="moz-txt-link-rfc2396E" href="http://freeipa01.unix.mydomain.it"><http://freeipa01.unix.mydomain.it></a> type=SYSCALL
msg=audit(1328876249.581:170): arch=c000003e syscall=42
success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410
items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993
suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none)
ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
subj=system_u:system_r:pki_ca_t:s0 key=(null)<br>
><br>
><br>
> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect<br>
><br>
> audit2allow<br>
><br>
><br>
> audit2allow -R<br>
><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></span><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Mozilla - <a class="moz-txt-link-freetext" href="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</a><br>
<br>
iQIcBAEBAgAGBQJPNRJxAAoJEAJsWS61tB+qfxwP/0NwjnWGYw0VjKJmKcob73a+<br>
9Ei7VSj8byE0Aa5VnPtYqvKn0ug082JlwL1g/Ojq0A3d6vJVEHBda+vGoCDafh0z<br>
Vko6pxXBqBmYbafvhB+AABr03xKUQV6ttbKvDUHt1miWq3F8qKJKCeHywNf5TOW4<br>
Tnf3f9b6yWLsh89LbBqGWvtTSMdnuHXNleNmPjgInfY3Y3NvYVcmBTIUG6kWVMus<br>
YmKrhAK31gaTlj+iGfwIojayhUbplW3whYiCn38USMoVxNYfUYlyYN2WaAjHFNhT<br>
iapFpZ5ScYsA1Ki3OjA27JHvswZXVjIRqjfD+LZdQRhjbaUqCVB0IUIhFW+D+Qqf<br>
ydsDgtYzMaSOSmCiwHiFql6wczK8BplCVeeCKca8z6FEjkDLoGYCAMqE294VPA5e<br>
0lB/ltVxzFGWMLuFyLsdn2RuzTE6pP5BT/Wd0nIvUxHkOTusI7P7Ir4Yg6uyLEP0<br>
3rgIz//nxxI/udBmBjgD8E/At7VpV/gKa4CA0o3qLKtLU8tMvdFtnCFGv9Z7yZzW<br>
igfZYPeCINZk8WkwEio2R5Sqkt88ldr4JNQ4yGnoiEMTcxMYqQjeeo615bovHix6<br>
07CjXjIBlNYSDPW1pFyDc2O+AOq5jhF2A36bHRHFNATNDv/tpjw3AZGjxpOCWqAV<br>
HPn/clZOVTamNdkXPRiC<br>
=iR+/<br>
-----END PGP SIGNATURE-----<br>
<br>
</body>
</html>