On Wednesday, August 07, 2013 05:38:22 PM Rob Crittenden wrote:
> Anthony Messina wrote:
> > On Tuesday, August 06, 2013 02:44:57 PM Martin Kosek wrote:
> >> I see there are some SELinux issues for accessing /tmp/hsperfdata_root,
> >> they look strange.
> > 
> > I was running into the same SELinux issue when installing two FreeIPA
> > servers in virtual machines yesterday:
> > 
> > SELinux is preventing
> > /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25-2.3.12.3.fc19.x86_64/jre/bin/java
> > from read access on the directory hsperfdata_root.
> > 
> > For me, the problem was two-fold:
> > 1. When creating a new VM, I typically issue 'systemctl mask tmp.mount' and
> > reboot as a first rule, since I don't have the availability to have a huge
> > chunk of the VM's allocated RAM used up for /tmp.
> > 
> > 2. Because of 1., the /tmp directory persists across reboots, and after
> > initial FreeIPA installation, the /tmp/hsperfdata_root directory and files
> > have the system_u:object_r:rpm_script_tmp_t:s0 SELinux label, when they
> > should have system_u:object_r:pki_tomcat_tmp_t:s0.
> > 
> > I resolved this issue by stopping IPA, removing /tmp/hsperfdata_root, and
> > rebooting the machine, where I was able to observe the directory and files
> > created with the proper context.
> > 
> > Without knowing the proper context beforehand, there was no way to issue a
> > restorecon, since there is no default label for /tmp/hsperfdata_root.
> 
> There is a bug open against selinux-policy on this from F-18 using a 
> standard configuration,
> https://bugzilla.redhat.com/show_bug.cgi?id=917843
> 
> You may want to either add your own use-case here, or open a new bug and 
> reference this one.

Thanks, Rob.  I've added this information there.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
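
A read-only check for the mislabeling described in this thread, added here as an example (not code from the thread or from FreeIPA): it reads the security.selinux extended attribute under /tmp/hsperfdata_root and reports anything whose type is not pki_tomcat_tmp_t. The expected type comes from the message above; the function names and the sample file names are assumptions.

```python
import os

EXPECTED_TYPE = "pki_tomcat_tmp_t"  # correct type, as stated in the thread

def parse_context(raw):
    """Split 'user:role:type[:range]' into its fields.

    The MLS range can itself contain ':' (e.g. s0:c0.c1023), so split at most
    three times. The kernel returns the xattr with a trailing NUL byte.
    """
    text = raw.decode() if isinstance(raw, bytes) else raw
    parts = text.rstrip("\x00").strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {text!r}")
    keys = ("user", "role", "type", "range")
    return dict(zip(keys, parts))

def read_context(path):
    """Read the label straight from the security.selinux xattr (Linux only)."""
    return os.getxattr(path, "security.selinux", follow_symlinks=False)

def audit(contexts, expected_type=EXPECTED_TYPE):
    """Return sorted (path, actual_type) pairs whose type is not expected_type."""
    return sorted(
        (path, parse_context(raw)["type"])
        for path, raw in contexts.items()
        if parse_context(raw)["type"] != expected_type
    )

def audit_tree(root, expected_type=EXPECTED_TYPE):
    """Collect labels for root and everything below it, then audit them."""
    contexts = {root: read_context(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            contexts[full] = read_context(full)
    return audit(contexts, expected_type)

# Constructed sample: labels as reported in the thread; the PID file names are made up.
SAMPLE = {
    "/tmp/hsperfdata_root": b"system_u:object_r:rpm_script_tmp_t:s0\x00",
    "/tmp/hsperfdata_root/1234": b"system_u:object_r:rpm_script_tmp_t:s0\x00",
    "/tmp/hsperfdata_root/5678": b"system_u:object_r:pki_tomcat_tmp_t:s0\x00",
}

if __name__ == "__main__":
    target = "/tmp/hsperfdata_root"
    found = audit_tree(target) if os.path.isdir(target) else audit(SAMPLE)
    for path, actual in found:
        print(f"{path}: type {actual}, expected {EXPECTED_TYPE}")
```

Run as root on the IPA host before starting the services; an empty result means every entry already carries the expected type.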


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
