Good news!

To clarify on the selinux-policy side. By not maintaining it for the CentOS I meant that FreeIPA Copr should not maintain system policy for any system, not just SELinux.

Ideally, it should have a SELinux policy module that would be compiled for SELinux only and that would only contain the additional policy required by IPA on top of 7.0.

But this is not a priority for now & we do not have enough capacity for it ATM. But if anyone wishes to contribute that part, doors are open :-)

Martin

On 11/19/2014 05:56 PM, Bill Peck wrote:

Hi Martin,

Yes, setting selinux to permissive allowed me to install and configure IPA 4.1
on CentOS 7.

:-)

On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek <mko...@redhat.com
<mailto:mko...@redhat.com>> wrote:

    It is highly probable the issue is caused by SELinux (check for AVCs in
    /var/log/audit/audit.log).

    Can you try with SELinux permissive? We specifically did not build
    selinux-policy as we do not think we should be the ones maintaining it for
    CentOS.

    HTH,
    Martin

    ----- Original Message -----
     > From: "Bill Peck" <b...@pecknet.com <mailto:b...@pecknet.com>>
     > To: "Martin Kosek" <mko...@redhat.com <mailto:mko...@redhat.com>>
     > Cc: "Tamas Papp" <tom...@martos.bme.hu <mailto:tom...@martos.bme.hu>>,
    freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
     > Sent: Wednesday, November 19, 2014 5:34:10 PM
     > Subject: Re: [Freeipa-users] freeipa-server from copr repo
     >
     > Hi Marin,
     >
     > I was able to install from the copr repo now as well.  Thank you!
     >
     > However I wasn't able to finish the install:
     >
     >   [23/27]: configure certmonger for renewals
     >   [24/27]: configure certificate renewals
     >   [error] DBusException: org.fedorahosted.certmonger.bad_arg: The 
location
     > "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient
     > permissions.
     >
     >
     > Don't know if you need the command for how I was installing ipa.  But 
here
     > is the line from my anseible playbook.
     > shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
     > }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
     > --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
     >
     > On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek <mko...@redhat.com
    <mailto:mko...@redhat.com>> wrote:
     >
     > > On 11/19/2014 11:57 AM, Tamas Papp wrote:
     > > > I am good in waiting;)
     > > >
     > > > Thanks for the prompt reply.
     > >
     > > Ok Tamas, I think we *finally* got somewhere. Can you please try the
     > > mkosek/freeipa Copr repo now?
     > >
     > > I was able to install upstream "freeipa-server" 4.1.1 package on my
     > > RHEL-7.0
     > > machine (should be the same for CentOS) and run ipa-server-install:
     > >
     > > # yum install freeipa-server --enablerepo=mkosek-freeipa
     > > ...
     > > Resolving Dependencies
     > > --> Running transaction check
     > > ---> Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be
    installed
     > > ...
     > > Transaction Summary
     > >
     > >
    
========================================================================================================
     > > Install  1 Package  (+338 Dependent packages)
     > > Upgrade             (  11 Dependent packages)
     > >
     > > Total download size: 146 M
     > > ...
     > >
     > > # rpm -q freeipa-server
     > > freeipa-server-4.1.1-1.2.el7.centos.x86_64
     > >
     > > # ipa-server-install --setup-dns
     > >
     > > # kinit admin
     > > Password for ad...@example.com <mailto:ad...@example.com>:
     > >
     > > Thanks,
     > > Martin
     > >
     > > --
     > > Manage your subscription for the Freeipa-users mailing list:
     > > https://www.redhat.com/mailman/listinfo/freeipa-users
     > > Go To http://freeipa.org for more info on the project
     > >
     >



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to