[Freeipa-users] Configuring httpd error when selinux is permissive

Umarzuki Mochlis umarzuki at gmail.com
Tue Nov 8 08:42:27 UTC 2016 

2016-11-08 16:33 GMT+08:00 郑磊 <zhenglei at kylinos.cn>:
> Hello everyone,
> I have been setting up freeipa(its version is 4.3.1) on Ubuntu. Selinux is
> enable, and its mode is permissive. I met a problem at configuring the httpd
> process, but the process won't be interrupted. The configuration information
> is as follows:
> Configuring the web interface (httpd). Estimated time: 1 minute
>   [1/20]: setting mod_nss port to 443
>   [2/20]: setting mod_nss cipher suite
>   [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>   [4/20]: setting mod_nss password file
>   [5/20]: enabling mod_nss renegotiate
>   [6/20]: adding URL rewriting rules
>   [7/20]: configuring httpd
>   [8/20]: configure certmonger for renewals
>   [9/20]: setting up httpd keytab
>   [10/20]: setting up ssl
>   [11/20]: importing CA certificates from LDAP
>   [12/20]: publish CA cert
>   [13/20]: clean up any existing httpd ccache
>   [14/20]: configuring SELinux for httpd
> ipa.ipaplatform.redhat.tasks: ERROR    Cannot get SELinux boolean
> 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned
> non-zero exit status 255
> WARNING: Could not set SELinux booleans: httpd_can_network_connect=on
> httpd_run_ipa=on httpd_manage_ipa=on
>
> The web interface may not function correctly until
> the booleans are successfully changed with the command:
>     /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on
> httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
>   [15/20]: create KDC proxy user
>   [16/20]: create KDC proxy config
>   [17/20]: enable KDC proxy
>   [18/20]: restarting httpd
>   [19/20]: configuring httpd to start on boot
>   [20/20]: enabling oddjobd
> Done configuring the web interface (httpd).
> Is there anyone can help me?
>
> Thanks!

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


Hi,

Have you tried the suggested setsebool command?

More information about the Freeipa-users mailing list