Hi,

On Fri, Feb 10, 2012 at 07:50, Dale Macartney <[email protected]> wrote:
>
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back on the
> day RHEL 6.2 went GA..
>
> My situation was
>
> SElinux enforcing, then run ipa-server-install.. it gets half way through
> the process and it fails
>
> then I tried
>
> SELinux permissive, to get the exact same issue
>
> I then completely disabled SElinux in /etc/sysconfig/selinux, rebooted and
> ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the selinux pki policy. When this was
> loaded, it caused the ipa setup to fail... an update was made available in
> rhel which allowed me to move forward with selinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? my situation was quite a
> while ago so I would have imagined that there would be an update to that
> issue with Fedora as well if this is actually the same issue I encountered.
> ..
>
> Do you get the same issue with selinux disabled at all?
>
> Dale

I've also had big problems with FreeIPA replication on Fedora 15 and 16. A few issues were related to Fedora 15-16 upgrades and others were related to SELinux. Disabling SELinux has considerably reduced the problems that I've been seeing.

Thanks,
Dan

> On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
>> Hi guys,
>> I'm working on Fedora16 and FreeIPA 2.1.4.
>> I executed the command ipa-server-install and during the setup digging in
>> the logs i can find this error, related to SELinux.
>> I'm running in Permissive mode, so nothing prevented me to successfully
>> complete my setup.
>>
>> Is this an error in the policy?
>>
>> Thanks in advance
>> Marco
>>
>> [root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
>> SELinux is preventing
>> /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from
>> name_connect access on the None .
>>
>> ***** Plugin catchall (100. confidence) suggests
>> ***************************
>>
>> If you believe that java should be allowed name_connect access on the
>> <Unknown> by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep java /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context                system_u:system_r:pki_ca_t:s0
>> Target Context                system_u:object_r:ephemeral_port_t:s0
>> Target Objects                [ None ]
>> Source                        java
>> Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
>> /bin/java
>> Port                          59940
>> Host                          freeipa01.unix.mydomain.it <http://freeipa01.unix.mydomain.it>
>> Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Permissive
>> Host Name                     freeipa01.unix.mydomain.it <http://freeipa01.unix.mydomain.it>
>> Platform                      Linux freeipa01.unix.mydomain.it
>> <http://freeipa01.unix.mydomain.it> 3.2.3-2.fc16.x86_64
>> #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
>> Alert Count                   2
>> First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
>> Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
>> Local ID                      885f3218-de29-4254-b095-0439320b3a50
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for
>> pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0
>> tcontext=system_u:object_r:ephemeral_port_t:s0
>> tclass=tcp_socket node=freeipa01.unix.mydomain.it
>> <http://freeipa01.unix.mydomain.it> type=SYSCALL
>> msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0
>> a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663
>> auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990
>> sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java"
>> exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java"
>> subj=system_u:system_r:pki_ca_t:s0 key=(null)
>>
>>
>> Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect
>>
>> audit2allow
>>
>>
>> audit2allow -R
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
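
Added example, not part of the original thread: a small Python parser for the AVC record quoted in Marco's sealert output, showing the type-enforcement rule that the denial maps to and why a local module built from it is broader than the single connection that was logged. The function names and the re-joined sample line are constructed for illustration.

```python
import re

# Constructed sample: the AVC record quoted in the thread, re-joined onto one
# line (the mail wrapping and the node=/SYSCALL part are left out).
AVC_LINE = (
    'type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for '
    'pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 '
    'tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial (e.g. the paired SYSCALL record)
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))
    fields = {k: v.strip('"') for k, v in pairs}
    fields['perms'] = m.group('perms').split()
    return fields


def selinux_type(context):
    """Extract the type from a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rule(avc):
    """Render the type-enforcement rule this single denial corresponds to."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        selinux_type(avc['scontext']), selinux_type(avc['tcontext']),
        avc['tclass'], perm_str)


def review_note(avc):
    """Flag rules whose target is the catch-all ephemeral port type."""
    if selinux_type(avc['tcontext']) == 'ephemeral_port_t':
        return ('broad: covers every port labelled ephemeral_port_t, '
                'not only dest=%s' % avc.get('dest', '?'))
    return 'ok'


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(allow_rule(avc))
    print(review_note(avc))
```

Reading the rule before loading a generated module matters here because the `grep java` filter in the quoted sealert hint selects every audit line containing "java", not only this `pki_ca_t` denial.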
