Uzor Ide wrote:


We have a network that relies on Kerberos, 389-ds, BIND and nfs4. I am
currently testing out FreeIPA version 2 to see if we can use it to
consolidate the various configurations into one interface. For the most
part it works great, apart from the obvious areas where it has not been
completed. However, there are some things that I have noticed.

Hey, sorry we didn't forget about you. Ticket https://fedorahosted.org/freeipa/ticket/409 was opened for your DNS problem.

Do you get this query error frequently? Do you know what triggers it? I haven't been able to reproduce it myself yet. I wonder if this happens when logs roll.

For the certmonger problem this looks like a new one to me, I'll file a bug.

regards

rob

1.) The DNS logging always logs a database error every time it accesses
LDAP, even though the query returns okay and the DNS reply is fine.

Here is an excerpt of the log named.run:

24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.143 database: error: entry count: 1
24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.586 database: error: entry count: 1
24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'

Here is our logging configuration:

// *******************
// Logging definitions
// *******************

// Logging
logging {
    channel "named_log" {
        file "data/log/named.run" versions 5 size 4m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel "security_log" {
        file "data/log/security.log" versions 5 size 10m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel "query_log" {
        file "data/log/query.log" versions 5 size 50m;
        #severity dynamic;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel "transfer_log" {
        file "data/log/transfer.log" versions 5 size 10m;
        severity dynamic;
        print-category yes;
        print-severity yes;
    };

    category "default" {
        "named_log";
        "default_syslog";
        "default_debug";
    };

    category "general" {
        "named_log";
    };

    category "queries" {
        "query_log";
    };

    category "lame-servers" {
        null;
    };

    category "security" {
        "security_log";
    };

    category "config" {
        "named_log";
    };

    category "resolver" {
        "query_log";
    };

    category "xfer-in" {
        "transfer_log";
    };

    category "xfer-out" {
        "transfer_log";
    };

    category "notify" {
        "transfer_log";
    };

    category "client" {
        "query_log";
    };

    category "network" {
        "named_log";
    };

    category "update" {
        "transfer_log";
    };

    category "dnssec" {
        "security_log";
    };

    category "dispatch" {
        "security_log";
    };
};

This error message keeps triggering our monitoring systems.

2.) I currently have only one ipa-client, and certmonger keeps getting
SELinux AVC denials:

Oct 24 10:57:24 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
Oct 24 10:57:56 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
Oct 24 10:58:26 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2
Oct 24 10:58:57 ulasi setroubleshoot: SELinux is preventing /usr/sbin/certmonger "execute" access on /usr/libexec/certmonger/ipa-submit. For complete SELinux messages. run sealert -l 8db766a3-6100-4be5-aec6-2a3a713290e2


Summary:

SELinux is preventing /usr/sbin/certmonger "execute" access on
/usr/libexec/certmonger/ipa-submit.

Detailed Description:

SELinux denied access requested by certmonger. It is not expected that this
access is required by certmonger and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:certmonger_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/libexec/certmonger/ipa-submit [ file ]
Source                        certmonger
Source Path                   /usr/sbin/certmonger
Port                          <Unknown>
Host                          ulasi.uzdomain.ca
Source RPM Packages           certmonger-0.32-0.2010101515git5920eca.fc13
Target RPM Packages           certmonger-0.32-0.2010101515git5920eca.fc13
Policy RPM                    selinux-policy-3.7.19-65.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ulasi.uzdomain.ca
Platform                      Linux ulasi.uzdomain.ca 2.6.34.7-61.fc13.i686.PAE
                              #1 SMP Tue Oct 19 04:24:06 UTC 2010 i686 i686
Alert Count                   1646
First Seen                    Sat Oct 23 15:48:48 2010
Last Seen                     Sun Oct 24 10:59:52 2010
Local ID                      8db766a3-6100-4be5-aec6-2a3a713290e2
Line Numbers

Raw Audit Messages

node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc:  denied  { execute } for  pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)

I was using certmonger-0.30-1.fc13.i686 from source [ freeipa-devel ].
Because of the problem I updated to the nightly build
certmonger-0.32-0.2010101515git5920eca.fc13, but the problem continues.

These are the SELinux RPMs:
selinux-policy-targeted-3.7.19-65.fc13.noarch
selinux-policy-3.7.19-65.fc13.noarch
libselinux-python-2.0.94-2.fc13.i686
libselinux-utils-2.0.94-2.fc13.i686

Thanks

Ide
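Since the practical problem with issue 1 is that the spurious "database: error" lines keep paging the monitoring system, here is a small triage script added to this thread as an illustration; it is not code from the FreeIPA project or from Ide's setup. It parses named log lines in the shape the logging block above produces (print-time, print-category, print-severity), suppresses exactly the two message shapes the LDAP backend logs at error severity on lookups that actually succeed, and lets every other error-level line through to an alert. The sample log is constructed from the excerpt above with the wrapped lines joined; its last line is invented to stand for a genuine backend failure.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the named.run excerpt above: wrapped lines
# joined, mail-client "<http://...>" noise dropped. The last line is invented
# to stand for a real backend failure that must still raise an alert.
SAMPLE_LOG = """\
24-Oct-2010 10:32:33.025 edns-disabled: info: success resolving 'www.mailscanner.tv/A' (in 'mailscanner.tv'?) after reducing the advertised EDNS UDP packet size to 512 octets
24-Oct-2010 10:34:41.137 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.140 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:34:41.143 database: error: entry count: 1
24-Oct-2010 10:34:41.146 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.581 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.583 database: error: querying 'idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:39:43.586 database: error: entry count: 1
24-Oct-2010 10:39:43.589 database: error: querying 'idnsName=wpad,idnsname=uzdomain.ca,cn=dns,dc=uzdomain,dc=ca' with '(objectClass=idnsRecord)'
24-Oct-2010 10:41:02.000 database: error: CONSTRUCTED: simple bind to LDAP server failed
"""

# "<time> <category>: <severity>: <message>", as produced by print-time,
# print-category and print-severity in the logging block above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>[\w-]+): (?P<message>.*)$"
)

# The two message shapes the LDAP backend emits at "database: error" on
# lookups that succeed. Match them exactly; anything else at error
# severity stays visible to monitoring.
KNOWN_NOISE = (
    re.compile(r"^querying '[^']*' with '\(objectClass=idnsRecord\)'$"),
    re.compile(r"^entry count: \d+$"),
)
DN_RE = re.compile(r"^querying '(?P<dn>[^']*)'")


def parse_line(line):
    """Return a dict for one named log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_known_noise(rec):
    return (rec["category"] == "database" and rec["severity"] == "error"
            and any(p.match(rec["message"]) for p in KNOWN_NOISE))


def queried_dns(records):
    """How often each LDAP DN was looked up (the 'querying' lines)."""
    hits = Counter()
    for r in records:
        m = DN_RE.match(r["message"])
        if r["category"] == "database" and m:
            hits[m.group("dn")] += 1
    return hits


def triage(records):
    """Per-(category, severity) totals, how many lines were suppressed as
    known noise, and the error-level records that still deserve an alert."""
    counts = Counter((r["category"], r["severity"]) for r in records)
    suppressed = 0
    alerts = []
    for r in records:
        if r["severity"] not in ("error", "critical"):
            continue
        if is_known_noise(r):
            suppressed += 1
        else:
            alerts.append(r)
    return {"counts": counts, "suppressed": suppressed, "alerts": alerts}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key, n in sorted(result["counts"].items()):
        print("{:>4}  {}: {}".format(n, *key))
    print("suppressed known noise:", result["suppressed"])
    for r in result["alerts"]:
        print("ALERT", r["ts"], r["category"], r["severity"], r["message"])
```

The suppression is deliberately narrow: it keys on the exact message text, not on the "database" category, so a different LDAP failure logged at the same severity is still surfaced, and queried_dns shows which names (here wpad, four times) drive the volume, which is useful when comparing against the ticket once the backend stops mis-labelling successful lookups.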



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
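For the certmonger denial in issue 2, here is a parser for the raw audit records, added here as an example; it is not part of the original report nor of certmonger or setroubleshoot. It groups the AVC and SYSCALL records by their audit(ts:serial) id, decodes the denied permission, the source and target SELinux types, the syscall and the errno, and builds the allow rule that audit2allow would derive from this denial, so a reviewer can see how broad that rule is (execute on every bin_t file, not only ipa-submit) before loading a local policy module. The sample records are the two from the report with the mail client's link noise removed; the syscall-name table is an assumption that covers only the i386 arch value that appears there.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: the two raw audit records quoted in the report, joined
# onto one line each and with the mail client's "<http://...>" noise removed.
RAW_AUDIT = """\
node=ulasi.uzdomain.ca type=AVC msg=audit(1287932392.282:21690): avc:  denied  { execute } for  pid=3472 comm="certmonger" name="ipa-submit" dev=dm-0 ino=790251 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=ulasi.uzdomain.ca type=SYSCALL msg=audit(1287932392.282:21690): arch=40000003 syscall=11 success=no exit=-13 a0=9f99490 a1=9f99450 a2=9f98e60 a3=9f99450 items=0 ppid=1555 pid=3472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
"""

# key=value tokens; values may be quoted, parenthesised, or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# The AVC body: 'avc:  denied  { execute } for  ...'
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
MSG_RE = re.compile(r"^audit\((?P<id>[^)]+)\):$")

# Assumption: only the arch in the report (AUDIT_ARCH_I386, where 11 is execve).
SYSCALL_NAMES = {"40000003": {11: "execve"}}


def parse_kv(line):
    """Split one audit record into a dict, dropping quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def parse_audit(text):
    """Group AVC and SYSCALL records that share an audit(ts:serial) id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_kv(line)
        m = MSG_RE.match(fields.get("msg", ""))
        if m is None:
            continue
        rec_type = fields.get("type")
        if rec_type == "AVC":
            avc = AVC_RE.search(line)
            if avc is None:
                continue
            fields["result"] = avc.group("result")
            fields["perms"] = avc.group("perms").split()
        events[m.group("id")][rec_type] = fields
    return [dict(id=eid, **recs) for eid, recs in events.items()]


def selinux_type(context):
    """system_u:system_r:certmonger_t:s0 -> certmonger_t"""
    return context.split(":")[2]


def suggested_rule(avc):
    """The allow rule audit2allow would derive for this denial. It grants the
    source domain the permission on *every* file of the target type, which is
    the point to weigh before loading it as a local module."""
    return "allow {} {}:{} {};".format(
        selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def triage(event):
    """Flatten one grouped event into the fields a reviewer looks at."""
    avc = event.get("AVC", {})
    sc = event.get("SYSCALL", {})
    exit_code = int(sc.get("exit", "0"))
    return {
        "source_type": selinux_type(avc["scontext"]),
        "target_type": selinux_type(avc["tcontext"]),
        "perms": avc["perms"],
        "target_name": avc.get("name"),
        "exe": sc.get("exe"),
        "syscall": SYSCALL_NAMES.get(sc.get("arch"), {}).get(int(sc.get("syscall", -1)), "unknown"),
        # exit=-13 is -EACCES: the kernel really refused the execve.
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        "enforced": sc.get("success") == "no",
        "rule": suggested_rule(avc),
    }


if __name__ == "__main__":
    for ev in parse_audit(RAW_AUDIT):
        for k, v in triage(ev).items():
            print("{:12} {}".format(k, v))
```

Reading the triage output against the setroubleshoot summary: the source and target RPM are the same certmonger build, so this is a policy gap between the package and selinux-policy rather than certmonger reaching for something foreign, which is why Rob's "file a bug" is the right outcome; the 1646 alerts are one denial repeating on every enrollment retry.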
