I'm using the default version on RHEL7. I think that's 4.1.x. This was a replica server. Selinux was disabled when the replica was installed. I enabled in in enforcing mode yesterday, and saw those issues. On the main server, selinux is (and has always been) enabled in enforcing mode, and everything works fine. I also compared the bools between the main server and the replica, and the bools on the main server were correctly setup, whereas the ones you mentioned weren't set up properly on the replica. So from the limited information I have at hand, I think that setting up a replica server in the selinux disabled state didn't set up the selinux related stuff properly, which manifested later when i set it to enforcing mode.
On Sat, Oct 24, 2015 at 9:13 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Prasun Gera wrote: > > I've done that now in addition to the few fixes that I made manually > > earlier. These were the messages: > > SELinux is preventing /usr/sbin/ns-slapd from write access on the file > > ldap_988 > > SELinux is preventing /usr/sbin/httpd from read access on the lnk_file > > /etc/httpd/logs > > And a few others. I also had to do sudo setsebool -P httpd_manage_ipa 1 > > It would help to know what version you're using. > > The installer will skip setting the booleans if SELinux disabled. The > installer won't disable SELinux itself. > > A default install will enable these booleans: > > httpd_can_network_connect > httpd_manage_ipa > httpd_run_ipa > > AD trust will enable samba_portmapper > > rob > > > > > On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik <lsleb...@redhat.com > > <mailto:lsleb...@redhat.com>> wrote: > > > > On (23/10/15 20:57), Prasun Gera wrote: > > >selinux was disabled for some reason when the ipa server(replica) > was > > >installed. I enabled it, and see that there are a lot of selinux > > related > > >permissions problems in syslog. Is this a known issue ? I tried > > fixing some > > >of them manually, but i would like a better approach. > > FreeIPA should work fine with SELinux in enforcing mode. > > > > I would recommend to restore SELinux context of files on that > machine. > > > > restorecon -Rv / > > > > LS > > > > > > > > > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project