Tony Brian Albers wrote:
> On Thu, 2020-07-09 at 16:14 -0400, Rob Crittenden wrote:
>>
>> I guess I'd start with looking to see if 389-ds is dropping core or
>> hanging in some way, both of which would be surprising if it has
>> virtually no data in it.
>>
>> I'd suggest doing some ldapsearches to see if the LDAP server is up.
>> Some simple ipa cli commands can be used instead: ipa user-find, etc.
>>
>> For a hanging server see:
>> https://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-hangs
>>
>> To debug a core:
>> https://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-crashes
>>
>> rob
>>
>
> Hi Rob,
>
> So, I decided to reinstall and redeploy FreeIPA. The issue is still
> there.
>
> I looked closer at the java traces, and thought it looked like
> something was preventing tomcat from accessing resources. SELinux is in
> enforcing mode, so that's the first place I checked.
>
> And lo and behold, /var/log/audit/audit.log was full of SELinux
> denials:
>
> type=AVC msg=audit(1594398227.752:942): avc: denied { remove_name } for pid=10241 comm="java" name="10241" dev="dm-0" ino=34487066 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
>
> type=AVC msg=audit(1594398227.752:942): avc: denied { unlink } for pid=10241 comm="java" name="10241" dev="dm-0" ino=34487066 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
>
> And so on..
>
> audit2why -b shows:
>
> [root@fipa001 log]# audit2why -b
> type=AVC msg=audit(1594398139.436:901): avc: denied { read } for pid=8351 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34487069 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> type=AVC msg=audit(1594398139.436:902): avc: denied { create } for pid=8351 comm="java" name="8351" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> type=AVC msg=audit(1594398139.436:902): avc: denied { add_name } for pid=8351 comm="java" name="8351" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> type=AVC msg=audit(1594398139.436:902): avc: denied { write } for pid=8351 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34487069 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> type=AVC msg=audit(1594398139.437:903): avc: denied { map } for pid=8351 comm="java" path="/tmp/hsperfdata_pkiuser/8351" dev="dm-0" ino=34487070 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
> Was caused by:
> The boolean domain_can_mmap_files was set incorrectly.
> Description:
> Allow domain to can mmap files
>
> Allow access by executing:
> # setsebool -P domain_can_mmap_files 1
>
> type=AVC msg=audit(1594398156.219:904): avc: denied { read } for pid=8578 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34487069 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> type=AVC msg=audit(1594398156.219:905): avc: denied { create } for pid=8578 comm="java" name="8578" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module
> to allow this access.
>
> etc. etc...
>
>
> So, I reinstalled the OS, set SELinux to permissive and tried again.
>
> It still complains in the audit log of course, but it seems that the
> java errors are only in the /var/log/pki/pki-tomcat/ca/debug log file
> for the first few minutes during and after install.
>
> It's been running for 10 minutes now without anything reported in the
> pki-tomcat debug log. All IPA commands I've tried work as expected.
>
> The cause of this is a mystery to me, but it looks like something might
> be missing in the installation procedure. The error is there regardless
> of install method (by hand or ansible).
>
> I can put the log files on our nextcloud server if you'd like to have a
> look at them.

I don't think this is the problem. hsperfdata is the JDK performance
counter. It won't affect operations.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
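As an added example (not code from the thread, from FreeIPA or from the 389-ds/SELinux projects), the following Python script parses AVC records of the kind quoted above and folds them into the per-(source type, target type, object class) allow rules that `audit2allow -M` would generate from the same input, together with the list of objects the denials actually touched. The sample log is constructed from the records quoted in the thread, reassembled onto one line each; the boolean hint table contains only the one boolean audit2why named above and is an illustration, since audit2why derives such hints from the loaded policy. The point of folding the denials before loading a module: TE rules are written against types, not paths, so the dir rule below would grant tomcat_t read/write/add_name/remove_name on every user_tmp_t directory, not just /tmp/hsperfdata_pkiuser.

```python
"""Fold SELinux AVC denials from audit.log text into the TE allow rules
audit2allow would emit, so the scope of a generated module is visible
before it is loaded."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread, joined onto
# one line each. Not a live capture.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594398139.436:901): avc:  denied  { read } for  pid=8351 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34487069 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1594398139.436:902): avc:  denied  { create } for  pid=8351 comm="java" name="8351" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594398139.436:902): avc:  denied  { add_name } for  pid=8351 comm="java" name="8351" scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1594398139.436:902): avc:  denied  { write } for  pid=8351 comm="java" name="hsperfdata_pkiuser" dev="dm-0" ino=34487069 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1594398139.437:903): avc:  denied  { map } for  pid=8351 comm="java" path="/tmp/hsperfdata_pkiuser/8351" dev="dm-0" ino=34487070 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594398227.752:942): avc:  denied  { remove_name } for  pid=10241 comm="java" name="10241" dev="dm-0" ino=34487066 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1594398227.752:942): avc:  denied  { unlink } for  pid=10241 comm="java" name="10241" dev="dm-0" ino=34487066 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    ev = EVENT_RE.search(line)
    return {
        'event': ev.group(2) if ev else None,
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'scontext': kv.get('scontext'),
        'tcontext': kv.get('tcontext'),
        'tclass': kv.get('tclass'),
        'comm': kv.get('comm'),
        'object': kv.get('path') or kv.get('name'),  # path wins when both are present
        'permissive': kv.get('permissive') == '1',
    }


def selinux_type(context):
    """user:role:type[:level] -> type, the component TE rules are written against."""
    return context.split(':')[2]


def fold_denials(text):
    """Group denied permissions by (source type, target type, object class).
    This is the aggregation audit2allow performs before emitting rules."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        if not (rec['scontext'] and rec['tcontext'] and rec['tclass']):
            continue  # malformed or truncated record; do not guess
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        grouped[key] |= rec['perms']
    return dict(grouped)


def te_allow_rules(grouped):
    """Render the grouped denials as TE allow statements, one per key."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def objects_touched(text):
    """Names/paths the denied accesses were against: a quick check on whether
    every denial sits under one directory or the scope is wider."""
    out = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied' and rec['object']:
            out.add(rec['object'])
    return out


# Illustration only: the single boolean audit2why named in the thread.
# audit2why derives these from the loaded policy; this table does not.
BOOLEAN_HINTS = {('file', 'map'): 'domain_can_mmap_files'}


def boolean_candidates(grouped):
    """Booleans worth checking with getsebool before writing a custom module."""
    found = set()
    for (_s, _t, tclass), perms in grouped.items():
        for perm in perms:
            name = BOOLEAN_HINTS.get((tclass, perm))
            if name:
                found.add(name)
    return found


if __name__ == '__main__':
    grouped = fold_denials(SAMPLE_AUDIT_LOG)
    for rule in te_allow_rules(grouped):
        print(rule)
    print('objects:', sorted(objects_touched(SAMPLE_AUDIT_LOG)))
    print('booleans to check first:', sorted(boolean_candidates(grouped)))
```

On a real host, feed it `ausearch -m AVC -ts recent` output (or the raw audit.log) instead of the constructed sample; compare the folded rules with what `audit2allow -a` prints and decide whether a boolean or a file-context fix (e.g. `semanage fcontext`) is the narrower answer before loading a generated module.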
