On 17.6.2016 16:30, Petr Vobornik wrote:
On 17.6.2016 08:53, Fraser Tweedale wrote:
On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:

On 17.6.2016 06:55, Fraser Tweedale wrote:
Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968

This should be fixed for all the restart scripts, not just renew_ca_cert.

Updated patch attached.

Thanks, ACK.

Pushed to master: 3edf13cd8ab541908d7e2011a54e31edf1844ea2

I'm not sure if the following is related to thin client or other work, but
it should be looked at. Feel free to open a different ticket for it.

I was doing some testing yesterday and this was in audit:

time->Thu Jun 16 22:11:32 2016
type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
ino=183080 scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file

I did not investigate further, but couldn't it be caused by initializing
api with api.bootstrap(in_server=True.. which then initializes session
plugin which then initializes MemcacheSessionManager?

Similar issue could be in other usages.

AFAIK this is triggered by importing ipalib.session and can happen even with client API.

Jan Cholasta
