<br> We have a network that relies on kerberos, 389-ds, bind and nfs4. I am currently testing out the freeipa version 2 to see if we can use it to consolidate the various configuration into one interface. For the most part it works great apart from the obvious area where it has not been completed. However there are somethings that I have noticed.<br>
<br>1.) The DNS logging always logs database error every time it access the ldap. even though the query returns okay and the dns reply is fine.<br><br>here is an excerpt of the log named.run<br><br>24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving '<a href="http://www.mailscanner.tv/A">www.mailscanner.tv/A</a>' (in '<a href="http://mailscanner.tv">mailscanner.tv</a>'?) after reducing the advertised EDNS UDP packet size to 512 octets<br>
24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad, idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>
24-Oct-2010 10:34:41.143 database: error: entry count: 1<br>24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad, idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>
24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad, idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>
24-Oct-2010 10:39:43.586 database: error: entry count: 1<br>24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad, idnsname=<a href="http://uzdomain.ca">uzdomain.ca</a>,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'<br>
<br> here is our logging configuration<br><br>// *******************<br>// Logging definitions<br>// *******************<br><br>// Logging<br>logging {<br> channel "named_log" {<br> file "data/log/named.run" versions 5 size 4m;<br>
severity dynamic;<br> print-category yes;<br> print-severity yes;<br> print-time yes;<br> };<br><br> channel "security_log" {<br> file "data/log/security.log" versions 5 size 10m;<br>
severity dynamic;<br> print-category yes;<br> print-severity yes;<br> print-time yes;<br> };<br><br> channel "query_log" {<br> file "data/log/query.log" versions 5 size 50m;<br>
#severity dynamic;<br> severity debug;<br> print-category yes;<br> print-severity yes;<br> print-time yes;<br> };<br><br> channel "transfer_log" {<br> file "data/log/transfer.log" versions 5 size 10m;<br>
severity dynamic;<br> print-category yes;<br> print-severity yes;<br> };<br><br> category "default" {<br> "named_log";<br> "default_syslog";<br> "default_debug";<br>
};<br><br> category "general" {<br> "named_log";<br> };<br><br> category "queries" {<br> "query_log";<br> };<br><br> category "lame-servers" {<br> null;<br>
};<br><br> category "security" {<br> "security_log";<br> };<br><br> category "config" {<br> "named_log";<br> };<br><br> category "resolver" {<br> "query_log";<br>
};<br><br> category "xfer-in" {<br> "transfer_log";<br> };<br><br> category "xfer-out" {<br> "transfer_log";<br> };<br><br> category "notify" {<br> "transfer_log";<br>
};<br><br> category "client" {<br> "query_log";<br> };<br><br> category "network" {<br> "named_log";<br> };<br><br> category "update" {<br> "transfer_log";<br>
};<br><br> category "dnssec" {<br> "security_log";<br> };<br><br> category "dispatch" {<br> "security_log";<br> };<br>};<br><br>This error message keeps triggering our monitoring systems.<br>
<br>2.) I currently have only one ipa-client; and certmonger keeps getting seliux AVC denials<br><br>Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2<br>
Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2<br>
Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2<br>
Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2<br>
<br><br>Summary:<br><br>SELinux is preventing /usr/sbin/certmonger "execute" access on<br>/usr/libexec/certmonger/ipa-submit.<br><br>Detailed Description:<br><br>SELinux denied access requested by certmonger. It is not expected that this<br>
access is required by certmonger and this access may signal an intrusion<br>attempt. It is also possible that the specific version or configuration of the<br>application is causing it to require additional access.<br><br>
Allowing Access:<br><br>You can generate a local policy module to allow this access - see FAQ<br>(<a href="http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385">http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385</a>) Please file a bug<br>
report.<br><br>Additional Information:<br><br>Source Context system_u:system_r:certmonger_t:s0<br>Target Context system_u:object_r:bin_t:s0<br>Target Objects /usr/libexec/certmonger/ipa-submit [ file ]<br>
Source certmonger<br>Source Path /usr/sbin/certmonger<br>Port <Unknown><br>Host <a href="http://ulasi.uzdomain.ca">ulasi.uzdomain.ca</a><br>
Source RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13<br>Target RPM Packages certmonger-0.32-0.2010101515git5920eca.fc13<br>Policy RPM selinux-policy-3.7.19-65.fc13<br>Selinux Enabled True<br>
Policy Type targeted<br>Enforcing Mode Enforcing<br>Plugin Name catchall<br>Host Name <a href="http://ulasi.uzdomain.ca">ulasi.uzdomain.ca</a><br>Platform Linux <a href="http://ulasi.uzdomain.ca">ulasi.uzdomain.ca</a> 2.6.34.7-61.fc13.i686.PAE<br>
#1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686<br>Alert Count 1646<br>First Seen Sat Oct 23 15:48:48 2010<br>Last Seen Sun Oct 24 10:59:52 2010<br>
Local ID 8db766a3-6100-4be5-aec6-2a3a713290e2<br>Line Numbers <br><br>Raw Audit Messages <br><br>node=<a href="http://ulasi.uzdomain.ca">ulasi.uzdomain.ca</a> type=AVC msg=audit(1287932392.282:21690): avc: denied { execute } for pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file<br>
<br>node=<a href="http://ulasi.uzdomain.ca">ulasi.uzdomain.ca</a> type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)<br>
<br>I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ] because of the problem I updated to the nightly build certmonger-0.32-0.2010101515git5920eca.fc13 but the problem continues.<br><br>These are the selinux rpms<br>
selinux-policy-targeted-3.7.19-65.fc13.noarch<br>selinux-policy-3.7.19-65.fc13.noarch<br>libselinux-python-2.0.94-2.fc13.i686<br>libselinux-utils-2.0.94-2.fc13.i686<br><br>Thanks<br><br>Ide<br>