Hi guys,
I'm working on Fedora 16 and FreeIPA 2.1.4.
I executed the command ipa-server-install and during the setup, digging in
the logs, I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully
completing my setup.

Is this an error in the policy?

Thanks in advance

[root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing
/usr/lib/jvm/java-1.6.0-openjdk- from
name_connect access on the None .

*****  Plugin catchall (100. confidence) suggests

If you believe that java should be allowed name_connect access on the
<Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                 [ None ]
Source                        java
Source Path
Port                          59940
Host                          freeipa01.unix.mydomain.it
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     freeipa01.unix.mydomain.it
Platform                      Linux
                              #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64
Alert Count                   2
First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
Local ID                      885f3218-de29-4254-b095-0439320b3a50

Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for
pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170):
arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c
a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990
euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none)
ses=4294967295 comm="java"
subj=system_u:system_r:pki_ca_t:s0 key=(null)

Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect


audit2allow -R
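
Added example, not part of the original post: a small Python parser for the raw audit record in the report above. It pulls out the fields that matter when triaging the denial and spells out the type-enforcement rule it corresponds to, so the rule's scope can be reviewed before any generated module is loaded. The function names and the abridged RAW string are assumptions made for this illustration.

```python
import re

# Raw audit message from the report above, joined onto one line and
# abridged (some SYSCALL fields dropped) for this example.
RAW = ('type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for '
       'pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 '
       'tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket '
       'node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): '
       'arch=c000003e syscall=42 success=yes exit=0 ppid=1 pid=2663 uid=993 '
       'comm="java" subj=system_u:system_r:pki_ca_t:s0 key=(null)')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                    r'\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return (avc_fields, syscall_fields) from a raw AVC + SYSCALL pair."""
    avc_part, _, sys_part = text.partition('type=SYSCALL')
    m = AVC_RE.search(avc_part)
    if m is None:
        raise ValueError('no AVC record found')
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    avc['result'] = m.group('result')
    avc['perms'] = m.group('perms').split()
    syscall = {k: v.strip('"') for k, v in KV_RE.findall(sys_part)}
    return avc, syscall


def summarize(avc, syscall):
    """Reduce the two records to what a policy reviewer needs to see."""
    # An SELinux context is user:role:type:level; the type is the third field.
    src = avc['scontext'].split(':')[2]
    tgt = avc['tcontext'].split(':')[2]
    return {
        'source_domain': src,
        'target_type': tgt,
        'class': avc['tclass'],
        'perms': avc['perms'],
        'port': int(avc['dest']),
        # syscall 42 on x86_64 is connect(); success=yes next to a "denied"
        # AVC means the denial was only logged, as expected in Permissive mode.
        'syscall_succeeded': syscall.get('success') == 'yes',
        # The rule covers every port labelled with the target type, not just
        # the single port seen in this record.
        'rule': f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
    }


if __name__ == '__main__':
    for key, value in summarize(*parse_avc(RAW)).items():
        print(f'{key:18} {value}')
```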