[Freeipa-users] SELinux error during ipa-server-install

Dale Macartney dale at themacartneyclan.com
Fri Feb 10 12:50:05 UTC 2012



Hi Marco

I had a very similar issue trying to do the same thing a while back on
the day RHEL 6.2 went GA.

My situation was

SELinux enforcing, then run ipa-server-install. It gets halfway
through the process and it fails.

then I tried

SELinux permissive, to get the exact same issue

I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted
and ran the setup again, and I was able to install successfully.

In my situation, it was related to the SELinux pki policy. When this was
loaded, it caused the ipa setup to fail. An update was made available
in RHEL which allowed me to move forward with SELinux in enforcing mode.

Have you patched Fedora 16 with the latest updates? My situation was
quite a while ago, so I would have imagined that there would be an update
for that issue in Fedora as well, if this is actually the same issue I
encountered.

Do you get the same issue with SELinux disabled at all?

Dale



On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora 16 and FreeIPA 2.1.4.
> I executed the command ipa-server-install and, digging in the logs
> during the setup, I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully
> completing my setup.
>
> Is this an error in the policy?
>
> Thanks in advance
> Marco
>
> [root at freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
> SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that java should be allowed name_connect access on the <Unknown> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep java /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Additional Information:
> Source Context system_u:system_r:pki_ca_t:s0
> Target Context system_u:object_r:ephemeral_port_t:s0
> Target Objects [ None ]
> Source java
> Source Path /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
> Port 59940
> Host freeipa01.unix.mydomain.it
> Source RPM Packages java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.10.0-75.fc16.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Host Name freeipa01.unix.mydomain.it
> Platform Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
> Alert Count 2
> First Seen Fri 10 Feb 2012 01:16:43 PM CET
> Last Seen Fri 10 Feb 2012 01:17:29 PM CET
> Local ID 885f3218-de29-4254-b095-0439320b3a50
>
> Raw Audit Messages
> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
> node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
>
> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>
> audit2allow
>
> audit2allow -R
>
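Added example, not code from either poster: a small Python triage helper that parses raw audit records like the AVC/SYSCALL pair Marco quoted, pairs them by audit serial, and reports the source and target types, the permission and whether the denial was actually enforced (success=yes on the SYSCALL record means it was only logged, which matches Marco's "Enforcing Mode Permissive"). The sample records are constructed from the quoted message.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair quoted in Marco's message, one
# record per line (the archive wrapped it and ran tclass and node together).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 pid=2663 auid=4294967295 uid=993 gid=990 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")

def parse_record(line):
    """Split one audit record into key=value fields, plus serial and perms."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["serial"] = int(m.group("serial"))
    avc = AVC_RE.search(line)
    if avc:
        fields["perms"] = avc.group("perms").split()
    return fields

def triage_denials(log_text):
    """Pair AVC and SYSCALL records by audit serial and summarize each denial.
    success=yes on the paired SYSCALL means the kernel let the call through,
    i.e. the denial was only logged (permissive mode); success=no = enforced."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "serial" in rec and "type" in rec:
            by_serial[rec["serial"]][rec["type"]] = rec
    summary = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if not avc:
            continue  # SYSCALL without a matching AVC: nothing was denied
        syscall = recs.get("SYSCALL", {})
        summary.append({
            "serial": serial,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "dest_port": avc.get("dest"),
            "enforced": syscall.get("success") != "yes",
        })
    return summary
```

Running it over a real /var/log/audit/audit.log lets you see which denials would actually break the install before switching back to enforcing, rather than blindly feeding everything to audit2allow.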
