[Freeipa-users] FreeIPA 2.1.0 - SELinux

Rob Crittenden rcritten at redhat.com
Fri Aug 19 16:57:28 UTC 2011


Sigbjorn Lie wrote:
> Hi,
>
> I've just updated to FreeIPA 2.1.0. I disabled SELinux on this machine
> (Fedora 15) when I installed IPA, as there was a bug with IPA's SELinux
> ruleset, which made the ipa-server-install script fail.
>
> That decision seems to be biting my ass now, I get the following error
> message: "/usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux
> kernel" whenever I attempt to start IPA. See below for output.
>
> After configuring SELinux to be permissive the error disappears, and IPA
> starts normally.
>
> I have opened a bug here:
> https://bugzilla.redhat.com/show_bug.cgi?id=732064
>
> Other than that - thank you for an excellent product! I've been waiting
> for the automount option in the GUI, makes editing automount rules a
> whole lot easier!! :)
>
> Regards,
> Siggi
>
> [root@ipa03 ~]# ipactl restart
> Restarting Directory Service
> Shutting down dirsrv:
> IX-TEST-COM... server already stopped [FAILED]
> PKI-IPA... server already stopped [FAILED]
> *** Error: 2 instance(s) unsuccessfully stopped [FAILED]
> Starting dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Restarting KDC Service
> Restarting krb5kdc (via systemctl): [ OK ]
> Restarting KPASSWD Service
> Restarting ipa_kpasswd (via systemctl): [ OK ]
> Restarting HTTP Service
> Restarting httpd (via systemctl): [ OK ]
> Restarting CA Service
> Stopping pki-ca: [ OK ]
> /usr/bin/runcon: /usr/bin/runcon may be used only on a SELinux kernel
> Failed to restart CA Service
> Shutting down
> Stopping krb5kdc (via systemctl): [ OK ]
> Stopping ipa_kpasswd (via systemctl): [ OK ]
> Stopping httpd (via systemctl): [ OK ]
> Stopping pki-ca: [ OK ]
> Shutting down dirsrv:
> IX-TEST-COM... [ OK ]
> PKI-IPA... [ OK ]
> Aborting ipactl
> [root@ipa03 ~]# getenforce
> Disabled
>

What is/was the bug in the SELinux ruleset that caused you to disable 
SELinux in the first place?

rob



