On 21.6.2016 09:35, Petr Vobornik wrote:
On 06/21/2016 08:31 AM, Jan Cholasta wrote:
On 17.6.2016 16:30, Petr Vobornik wrote:


I'm not sure if the following is related to thin client or other work, but
it should be looked at. Feel free to open a different ticket for it.

I was doing some testing yesterday and this was in audit:

time->Thu Jun 16 22:11:32 2016
type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for
pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
ino=183080 scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
permissive=0

I did not investigate further, but couldn't it be caused by initializing
api with api.bootstrap(in_server=True.. which then initializes session
plugin which then initializes MemcacheSessionManager?

Similar issue could be in other usages.

AFAIK this is triggered by importing ipalib.session and can happen even
with client API.


True, but it would have to be explicit, which probably won't happen.

In ipaserver/plugins/session.py it is done automatically:

if api.env.in_server:
    from ipalib.session import session_mgr

IMHO that doesn't really matter, it should be fixed not to connect on import, because that's just plain wrong.

--
Jan Cholasta
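
For triaging a denial like the one quoted in this thread, here is an added example (not part of the original messages and not FreeIPA code) that parses an AVC record into source domain, target type, object class and permissions. The function names are hypothetical and the sample is the record above joined onto one line.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AVC record quoted in the thread, as a single line.
SAMPLE = (
    'type=AVC msg=audit(1466107892.404:662): avc:  denied  { write } for '
    'pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" '
    'ino=183080 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file '
    'permissive=0'
)

HEADER = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(text):
    """Parse one AVC record (possibly line-wrapped); None if it is not one."""
    m = HEADER.search(" ".join(text.split()))  # undo wrapping and extra spaces
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m["rest"])}
    return {
        "time": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "denied": m["result"] == "denied",
        "perms": m["perms"].split(),
        "enforced": fields.get("permissive") == "0",
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def describe(rec):
    """One-line summary: which domain was refused what, on which object."""
    verdict = "denied" if rec["denied"] else "granted"
    return "{} {} {} on {} '{}' ({})".format(
        rec["source"]["type"], verdict, ",".join(rec["perms"]),
        rec["tclass"], rec["name"], rec["target"]["type"])


if __name__ == "__main__":
    print(describe(parse_avc(SAMPLE)))
```
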

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
