On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?
Not really, we are waiting for SELinux policy maintainers to pick this up.
For the time being, you can try this:
1. Switch to permissive mode
$ setenforce 0
2. Watch audit log for new AVCs:
$ tail -f /var/log/audit.log | grep AVC >
Any news? I've tried to make SELinux permissive and write a new policy;
that didn't help.
require {
type ipa_var_lib_t;
type named_t;
class dir read;
class file { write open lock read getattr };
}
#= named_t ==
allow named_t ipa_var_lib_t:dir
Ben and Petr,
Thanks for your inputs, I'll keep an eye on those bug reports.
Roberto
On 22 July 2016 at 09:51, Petr Spacek wrote:
> On 22.7.2016 04:43, Ben Lipton wrote:
> > I'm not familiar enough with Fedora release engineering to know how this gets
> > fixed
On 22.7.2016 04:43, Ben Lipton wrote:
> I'm not familiar enough with Fedora release engineering to know how this gets
> fixed permanently, but I'll share some investigation I've done.
>
> This appears to be due to a change in the selinux-policy-targeted package that
> happened recently. As of the
I'm not familiar enough with Fedora release engineering to know how this
gets fixed permanently, but I'll share some investigation I've done.
This appears to be due to a change in the selinux-policy-targeted
package that happened recently. As of the latest version, named-pkcs11
tries to run
UPDATE:
Tried again the whole procedure with ipa-dns-install, and it DOES work with
SELinux disabled, and still fails with SELinux enabled.
So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/"
makes sense.
Can someone help me fix it?
$ ll -Z /var/lib/ipa/dnssec/
total 12
- FC23
- IPA 4.2.4
After a dnf update, bind was updated (no ipa updates), and named-pkcs11
doesn't start anymore.
$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23
-d 9 -g
21-Jul-2016 23:08:50.332 built with