[Freeipa-users] Server installation problem

Dan Scott danieljamesscott at gmail.com
Fri Jun 24 18:18:38 UTC 2011


Hi,

On Fri, Jun 24, 2011 at 14:00, Rob Crittenden <rcritten at redhat.com> wrote:
> Dan Scott wrote:
>> I've just installed Fedora 15 onto a VM, configured networking and run
>> the ipa-server-install script - the installation fails with the error:
>>
>> Configuring ntpd
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server for the CA: Estimated time 30 seconds
>>   [1/3]: creating directory server user
>>   [2/3]: creating directory server instance
>> root        : CRITICAL failed to restart ds instance Command
>> '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmplNsX1T'
>> returned non-zero exit status 1
>>   [3/3]: restarting directory server
>> root        : CRITICAL Failed to restart the directory server. See the
>> installation log for details.
>>
>> Logfile is attached.
>>
>> Can anyone help with this? It looks like it's failing to
>> start/configure the dirsrv service. Is it possible that it's
>> conflicting with my existing FreeIPA 1.2.x servers elsewhere on the
>> network?
>>
>> Thanks,
>>
>> Dan Scott
>
> There has recently been an SELinux problem on F-15 that has affected 389-ds
> installation. Can you see if there are any AVCS for ns-slapd in
> /var/log/audit/audit.log?
>
> rob
>

That seems to be the problem, thanks.

[root at pc51 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for
pid=8274 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
scontext=unconfined_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for
pid=8323 comm="ns-slapd" name="lock" dev=dm-1 ino=1307
scontext=unconfined_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
[root at pc51 ~]# grep denied /var/log/audit/audit.log|audit2allow


#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;
[root at pc51 ~]#

I had a quick look through bugzilla, and didn't find a bug related to
this. Do I need to file one? Or is it all OK?

Thanks,

Dan
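
The grouping that `audit2allow` applied to the two denials above can be reproduced by hand to see which source type, target type and object class each record involves. The following is an added example, not part of the original message and not audit2allow's own code; the function names are illustrative, and the sample input is the two records from the post rejoined to one record per line.

```python
import re
from collections import defaultdict

# The two denials from the post, one record per line as in audit.log (the mail wrapped them).
SAMPLE_LOG = (
    'type=AVC msg=audit(1308936867.797:102): avc:  denied  { read } for pid=8274 comm="ns-slapd" '
    'name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=lnk_file\n'
    'type=AVC msg=audit(1308937468.228:103): avc:  denied  { read } for pid=8323 comm="ns-slapd" '
    'name="lock" dev=dm-1 ino=1307 scontext=unconfined_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=lnk_file\n'
)

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:\d+\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def se_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

def summarize(log_text, comm=None):
    """Group denials by (source type, target type, class), optionally for one command."""
    rules = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if comm and rec.get("comm") != comm:
            continue
        entry = rules[(se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["names"].add(rec.get("name", "?"))
        entry["count"] += 1
    return dict(rules)

def as_allow_rules(rules):
    """Render each group in the rule syntax shown in the audit2allow output."""
    fmt = lambda p: p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return [f"allow {s} {t}:{c} {fmt(sorted(i['perms']))};"
            for (s, t, c), i in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE_LOG, comm="ns-slapd"))))
```

The per-group `names` and `count` fields keep the object name (`lock`) and the number of denials alongside each rule, which the bare `allow` line drops.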



