On 17.6.2016 08:53, Fraser Tweedale wrote:
> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>
>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>
> Updated patch attached.
> 

I'm not sure if following is related to thin client or other work, but
it should be looked at. Feel free to open different ticket for it.

I was doing some testing yesterday and this was in audit:

time->Thu Jun 16 22:11:32 2016
type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
ino=183080 scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
permissive=0

I did not investigate further, but couldn't it be caused by initialing
api with api.bootstrap(in_server=True.. which then initializes session
plugin which then initializes MemcacheSessionManager?

Similar issue could be in other usages.

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to