[Freeipa-users] Install error pkispawn

Rob Crittenden rcritten at redhat.com
Wed Aug 7 21:38:22 UTC 2013


Anthony Messina wrote:
> On Tuesday, August 06, 2013 02:44:57 PM Martin Kosek wrote:
>> I see there are some SELinux issues for accessing /tmp/hsperfdata_root, they
>> look strange.
>
> I was running into the same SELinux issue when installing two FreeIPA servers
> in virtual machines yesterday:
>
> SELinux is preventing
> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java
> from read access on the directory hsperfdata_root.
>
> For me, the problem was two-fold:
> 1. When creating a new VM, I typically issue 'systemctl mask tmp.mount' and
> reboot as a first rule, since I don't have the availability to have a huge
> chunk of the VM's allocated RAM used up for /tmp.
>
> 2. Because of 1., the /tmp directory persists across reboots, and after
> initial FreeIPA installation, the /tmp/hsperfdata_root directory and files
> have the system_u:object_r:rpm_script_tmp_t:s0 SELinux label, when they should
> have system_u:object_r:pki_tomcat_tmp_t:s0.
>
> I resolved this issue by stopping IPA, removing /tmp/hsperfdata_root, and
> rebooting the machine, where I was able to observe the directory and files
> created with the proper context.
>
> Without knowing the proper context beforehand, there was no way to issue a
> restorecon, since there is no default label for /tmp/hsperfdata_root.
>

There is a bug open against selinux-policy on this from F-18 using a 
standard configuration,
https://bugzilla.redhat.com/show_bug.cgi?id=917843

You may want to either add your own use-case here, or open a new bug and 
reference this one.

rob
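
The label mismatch described in the quoted message can be checked mechanically. The following is an added example, not part of the original thread or of FreeIPA: a shell function that reads `stat -c '%C %n'` output and reports entries whose SELinux type differs from the expected one. The function names, the sample file names under /tmp/hsperfdata_root and the sample lines are constructed for illustration; the two type names are the ones quoted above.

```shell
#!/bin/sh
# Added example: report paths whose SELinux type differs from the expected type.
# stdin : one "<context> <path>" pair per line, as printed by: stat -c '%C %n' FILE...
# stdout: "<path>: <actual type> (expected <type>)" for every mismatch
# status: 0 if every entry matches, 1 if any entry is mislabeled or unparsable

find_mislabeled() {
    expected_type=$1
    awk -v want="$expected_type" '
        {
            ctx = $1
            # The path is the rest of the line, so embedded spaces survive.
            path = substr($0, length(ctx) + 2)
            # A context is user:role:type:level; the type is the third field.
            n = split(ctx, part, ":")
            if (n < 3) {
                printf "%s: unparsable context %s\n", path, ctx
                bad = 1
                next
            }
            if (part[3] != want) {
                printf "%s: %s (expected %s)\n", path, part[3], want
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the directory and one file carry the label left behind
# by the installation, one file carries the label the thread says is correct.
sample_contexts() {
    cat <<'EOF'
system_u:object_r:rpm_script_tmp_t:s0 /tmp/hsperfdata_root
system_u:object_r:rpm_script_tmp_t:s0 /tmp/hsperfdata_root/1234
system_u:object_r:pki_tomcat_tmp_t:s0 /tmp/hsperfdata_root/5678
EOF
}

# Demonstration on the constructed sample; prints the two mislabeled entries.
sample_contexts | find_mislabeled pki_tomcat_tmp_t || true

# On a live SELinux host the same check would be fed by:
#   find /tmp/hsperfdata_root -exec stat -c '%C %n' {} + | find_mislabeled pki_tomcat_tmp_t
```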



