[Freeipa-users] SELinux Denial when installing IPA 2.1.3 on F15

2011-10-20 Thread Charlie Derwent
Sounds sort of related to the bug you mentioned in your release notes, but
this was a clean install, not an upgrade.

Regards
Charlie

--

FYI

SELinux is preventing /usr/sbin/ns-slapd from read access on the lnk_file
/var/lock.

*  Plugin restorecon (94.8 confidence) suggests

If you want to fix the label.
/var/lock default label should be var_lock_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lock

*  Plugin catchall_labels (5.21 confidence) suggests


If you want to allow ns-slapd to have read access on the lock lnk_file
Then you need to change the label on /var/lock
Do
# semanage fcontext -a -t FILE_TYPE '/var/lock'
where FILE_TYPE is one of the following: abrt_t, lib_t, root_t, device_t,
ld_so_t, proc_t, textrel_shlib_t, rpm_script_tmp_t, dirsrv_t, var_lock_t,
cert_t, usr_t, device_t, devlog_t, var_run_t, locale_t, etc_t, proc_t,
dirsrv_config_t, var_run_t, var_run_t.
Then execute:
restorecon -v '/var/lock'


*  Plugin catchall (1.44 confidence) suggests

If you believe that ns-slapd should be allowed read access on the lock
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ns-slapd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:dirsrv_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/lock [ lnk_file ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          
Host                          f15.test.net
Source RPM Packages           389-ds-base-1.2.10-0.4.a4.fc15
Target RPM Packages           filesystem-2.4.41-1.fc15
Policy RPM                    selinux-policy-3.9.16-24.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f15.test.net
Platform                      Linux f15.test.net 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 21 Oct 2011 01:28:21 AM BST
Last Seen                     Fri 21 Oct 2011 07:29:38 AM BST
Local ID                      

Raw Audit Messages
type=AVC msg=audit(1319178578.723:176): avc:  denied  { read } for pid=26931 comm="ns-slapd" name="lock" dev=dm-1 ino=1281 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1319178578.723:176): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff9b184460 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=26931 auid=500 uid=492 gid=490 euid=492 suid=492 fsuid=492 egid=490 sgid=490 fsgid=490 tty=(none) ses=4 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Hash: ns-slapd,dirsrv_t,var_t,lnk_file,read

audit2allow

#= dirsrv_t ==
allow dirsrv_t var_t:lnk_file read;

audit2allow -R

#= dirsrv_t ==
allow dirsrv_t var_t:lnk_file read;
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
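The sealert report above offers three fixes with very different risk: relabel the path, change the file context, or load a local policy module built by audit2allow. The last one silently widens policy for every future denial with the same key, so it pays to triage the raw AVC record first. The following Python is an added example, not code from the thread or from the sealert/audit2allow tools. It parses AVC lines, joins the exe path from the matching SYSCALL record, rebuilds the "Hash:" key and the allow rule sealert shows, and flags the case where the target's label differs from what the path should carry (a relabel job rather than a policy gap). The log text is constructed from the two records shown above, re-joined onto one line each as audit.log stores them; EXPECTED_TYPES is an assumed lookup seeded from the restorecon suggestion.

```python
import re

# Constructed sample: the two records from the report above, each on one line
# as /var/log/audit/audit.log stores them.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1319178578.723:176): avc:  denied  { read } for '
    'pid=26931 comm="ns-slapd" name="lock" dev=dm-1 ino=1281 '
    'scontext=unconfined_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=lnk_file\n'
    'type=SYSCALL msg=audit(1319178578.723:176): arch=x86_64 syscall=open '
    'success=no exit=EACCES a0=7fff9b184460 a1=c2 a2=1a4 a3=0 items=0 ppid=1 '
    'pid=26931 auid=500 uid=492 gid=490 euid=492 suid=492 fsuid=492 egid=490 '
    'sgid=490 fsgid=490 tty=(none) ses=4 comm=ns-slapd exe=/usr/sbin/ns-slapd '
    'subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)\n'
)

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed table of the label a path should carry, seeded from the restorecon
# plugin's suggestion above (/var/lock -> var_lock_t). Extend per host.
EXPECTED_TYPES = {"/var/lock": "var_lock_t"}


def _type_of(context):
    """Third colon-separated component of a context is the SELinux type."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "exe": None,
    }
    rec["source_type"] = _type_of(rec["scontext"])
    rec["target_type"] = _type_of(rec["tcontext"])
    return rec


def parse_audit_log(text):
    """Parse every AVC record and attach the exe path from the SYSCALL record
    that shares its serial number."""
    records, by_serial = [], {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
            by_serial[rec["serial"]] = rec
            continue
        if line.startswith("type=SYSCALL"):
            serial = SERIAL_RE.search(line)
            exe = re.search(r'\bexe=(\S+)', line)
            if serial and exe and int(serial.group(1)) in by_serial:
                by_serial[int(serial.group(1))]["exe"] = exe.group(1)
    return records


def avc_hash(rec):
    """The key sealert prints as "Hash:", handy for de-duplicating alerts."""
    return ",".join([rec["comm"], rec["source_type"], rec["target_type"],
                     rec["tclass"], rec["perms"][0]])


def policy_rule(rec):
    """The allow statement audit2allow would emit for this denial."""
    return "allow {} {}:{} {};".format(rec["source_type"], rec["target_type"],
                                       rec["tclass"], " ".join(rec["perms"]))


def triage(rec, path):
    """Separate a mislabelled target (fix with restorecon) from a real policy
    gap (report it, and review before loading any local module)."""
    expected = EXPECTED_TYPES.get(path)
    if expected and expected != rec["target_type"]:
        return "mislabel: {} is {}, expected {}; run restorecon -v {}".format(
            path, rec["target_type"], expected, path)
    return "policy gap: review before allowing; a local module would add " + policy_rule(rec)


if __name__ == "__main__":
    for r in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(avc_hash(r), "->", triage(r, "/var/lock"))
```

For the record above the triage comes out as a mislabel: the target carries var_t while /var/lock should be var_lock_t, which is exactly why the restorecon plugin had 94.8 confidence and the audit2allow route was the last resort.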

Re: [Freeipa-users] GUI backto CLI/LDAP syntax.

2011-10-20 Thread Dmitri Pal
On 10/20/2011 04:32 PM, Steven Jones wrote:
> Hi,
>
> Just looking at the GUI and then trying to connect a Sun/Oracle Solaris storage
> array to it, I'm struggling to match up what the Sun is asking v what I see in
> the GUI.
>
> I know it might clutter up the GUI, possibly too much, but I'd like to see the
> I suppose "raw" info...
>
> So if I have a user such as Steven who's in group admin-users and domain
> unix.vuw.ac.nz I'd like to see the LDAP syntax reflected in the GUI as I set
> it up... so a single line on the page saying steven ou=admin-users,
> cn=unix,cn=vuw,cn=ac,cn=nz (or whatever it's meant to be) would be hugely
> useful for me and I suspect others. It's like trying to learn another
> language really; I need a GUI to LDAP "dictionary".
>
> Hopefully I've explained what I am trying to get across/ask for.

You can use CLI with the --raw argument. Like:
ipa user-show stephen --raw

It will give you what you are looking for.
Feel free to file an RFE for having a special place in UI to see raw
LDAP data.

> :/
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




[Freeipa-users] GUI backto CLI/LDAP syntax.

2011-10-20 Thread Steven Jones
Hi,

Just looking at the GUI and then trying to connect a Sun/Oracle Solaris storage
array to it, I'm struggling to match up what the Sun is asking v what I see in
the GUI.

I know it might clutter up the GUI, possibly too much, but I'd like to see the I
suppose "raw" info...

So if I have a user such as Steven who's in group admin-users and domain
unix.vuw.ac.nz I'd like to see the LDAP syntax reflected in the GUI as I set it
up... so a single line on the page saying steven ou=admin-users,
cn=unix,cn=vuw,cn=ac,cn=nz (or whatever it's meant to be) would be hugely useful
for me and I suspect others. It's like trying to learn another language
really; I need a GUI to LDAP "dictionary".

Hopefully I've explained what I am trying to get across/ask for.

:/


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




[Freeipa-users] Replicating 2.1.3 from 2.0.0.rc3

2011-10-20 Thread Charlie Derwent
Hi

Really simple question, is it possible to create a F15 2.1.3 replica from my
F14 2.0.0.rc3 IPA Server and then could I rebuild that 2.0.0.rc3 IPA server
as a 2.1.3 server based on the new 2.1.3 replica? I would've thought it
should be but I seem to remember hearing that something changed in the
schema that would prevent this from happening?

Thanks
Charlie

Re: [Freeipa-users] The concept of sites...

2011-10-20 Thread Ondrej Valousek

Hi Siggi,

I see and agree fully - we need something like this...

Ondrej

On 10/20/2011 11:55 AM, Sigbjorn Lie wrote:

Hi Ondrej,

Thanks. That RFE is for SSSD client only. I would like to see the management of 
sites within the
IPA webui/cli.




Regards,
Siggi


On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:

I have come across this already, BZ already created:


https://fedorahosted.org/sssd/ticket/1032


On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:


The London/newyork dns sub-domains would be used for looking up srv records for 
the local
kerberos/ldap servers only. The actual domain configured on the client and the 
kerberos and LDAP
  base would still be the ipa.domain.com.

Sync with AD would still be done between ipa.domain.com<->   ad.domain.com.



Rgds,
Siggi



On Wed, October 19, 2011 22:15, Steven Jones wrote:


Ah right, yes, one realm.



However how would you password sync with AD?



So say London.ad.ms.com and Newyork.ad.ms.com



With NY as the "head"



So with london.ipa.unix.com and newyork.ipa.unix.com



Is there still only one winsync agreement?





regards

Steven Jones



Technical Specialist - Linux RHCE



Victoria University, Wellington, NZ



0064 4 463 6272




From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 9:11 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] The concept of sites...



I see your point with a messy dns infrastructure, however this would happen in 
the
background.


You would still only have one kerberos realm per IPA instance.




Rgds,
Siggi






On Wed, October 19, 2011 21:30, Steven Jones wrote:



Hi,




I think AD sort of does this which they have now backed away from?




From my very limited understanding, having sub-domains/realms seems to be
counter-productive in that trying to do cross-realm trusts/passwords/user
info becomes a nightmare?

I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
student.vuw.ac.nz in a winsync (password) agreement; I don't know even if that's
possible? Yet with a flat domain to flat domain it's easy?

regards

Steven Jones




Technical Specialist - Linux RHCE




Victoria University, Wellington, NZ




0064 4 463 6272





From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of
Sigbjorn
Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 8:14 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] The concept of sites...




Hi,




Has there been given any thought to the concept of sites within IPA to
improve cross-site implementations? This should be easy to implement as you are 
already
using DNS
SRV records to locate the ldap/kerberos servers.




E.g.
Site: Boston
Site: London





Create a subdomain of the IPA dns domain named _sites, and a subdomain
of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA
servers in Boston:
_ldap._tcp in srv 0 100 389 boston-ipa-server1
_ldap._tcp in srv 0 100 389 boston-ipa-server2



London._sites.ipa.domain.com would contain the srv entries for IPA
servers in London:
_ldap._tcp in srv 0 100 389 london-ipa-server1
_ldap._tcp in srv 0 100 389 london-ipa-server2



Now point the client's DNS "search" entry to point to the local site
first, then search the full name space: Boston client's /etc/resolv.conf: search
Boston._sites.ipa.domain.com ipa.domain.com



London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com


The main ipa.domain.com could still contain srv records for all IPA
servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today,
however it would be a lot easier to maintain "Sites" within the IPA webui/cli.
*blink* ;)

What are your thoughts on this?






Regards,
Siggi
















The information contained in this e-mail and in any attachments is confidential 
and is designated
solely for the attention of the intended recipient(s). If you are not an 
intended recipient, you
must not use, disclose, copy, distribute or retain this e-mail or any part 
thereof. If you have
received this e-mail in error, please notify the sender by return e-mail and 
delete all copies of
this e-mail from your computer system(s). Please direct any additional queries 
to:
communicati...@s3group.com. Thank You.
Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 
378073.
Registered Office: South County Business Park, Leopardstown, Dublin 18
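The site mechanism Sigbjorn sketches in the quoted proposal rests on two pieces: per-site SRV records under a _sites subdomain, and the client's resolv.conf search order placing its own site before the full namespace. To make that concrete, the Python below is an added example (not part of the thread and not IPA code). It parses zone-style SRV lines, emulates a stub resolver walking the search list, orders the answers the way an RFC 2782 client does, and goes slightly beyond the proposal by showing what happens when a site zone lacks a service (the client falls through to the hub zone). The zone contents, the hostnames, the priority-10 London record and the _kerberos-master record in the hub zone are all constructed; no real DNS query is made.

```python
import random
import re

# Constructed zone data in the shape of the proposal: one zone per site under
# _sites plus the hub zone. Hostnames are placeholders.
ZONES = {
    "Boston._sites.ipa.domain.com": """
_ldap._tcp      IN SRV 0 100 389 boston-ipa-server1.ipa.domain.com.
_ldap._tcp      IN SRV 0 100 389 boston-ipa-server2.ipa.domain.com.
_kerberos._udp  IN SRV 0 100  88 boston-ipa-server1.ipa.domain.com.
""",
    "London._sites.ipa.domain.com": """
_ldap._tcp      IN SRV 0 100 389 london-ipa-server1.ipa.domain.com.
_ldap._tcp      IN SRV 0 100 389 london-ipa-server2.ipa.domain.com.
_kerberos._udp  IN SRV 0 100  88 london-ipa-server1.ipa.domain.com.
""",
    # Hub zone: servers from both sites, preferring Boston (lower priority),
    # plus a record the site zones do not carry.
    "ipa.domain.com": """
_ldap._tcp             IN SRV 0  100 389 boston-ipa-server1.ipa.domain.com.
_ldap._tcp             IN SRV 10 100 389 london-ipa-server1.ipa.domain.com.
_kerberos._udp         IN SRV 0  100  88 boston-ipa-server1.ipa.domain.com.
_kerberos-master._udp  IN SRV 0  100  88 boston-ipa-server1.ipa.domain.com.
""",
}

SRV_RE = re.compile(r'^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$', re.I)


def parse_zone(zone, text):
    """Map each owner FQDN (lower-cased) to its (priority, weight, port, target) tuples."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: %r" % line)
        owner, prio, weight, port, target = m.groups()
        fqdn = ("%s.%s" % (owner, zone)).lower()
        records.setdefault(fqdn, []).append(
            (int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def build_dns(zones):
    dns = {}
    for zone, text in zones.items():
        dns.update(parse_zone(zone, text))
    return dns


def search_list(site, base="ipa.domain.com"):
    """The resolv.conf search order the proposal gives a client: its own site
    subdomain first, then the full namespace. A client with no site gets only the hub."""
    return (["%s._sites.%s" % (site, base)] if site else []) + [base]


def resolve_srv(dns, service, search):
    """Emulate a stub resolver walking the search list: the first domain under
    which the relative name exists wins. Returns (name that answered, records)."""
    for domain in search:
        fqdn = ("%s.%s" % (service, domain)).lower()
        if fqdn in dns:
            return fqdn, dns[fqdn]
    return None, []


def order_srv(records, rng=None):
    """RFC 2782 client ordering: ascending priority; within one priority a
    weighted random draw, with weight-0 records used only after weighted ones."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == prio]
        while bucket:
            total = sum(r[1] for r in bucket)
            if total == 0:
                chosen = bucket[0]
            else:
                pick, acc = rng.randint(0, total - 1), 0
                for r in bucket:
                    acc += r[1]
                    if pick < acc:
                        chosen = r
                        break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def servers_for(dns, site, service="_ldap._tcp"):
    """Targets a client in `site` would contact, in the order it would try them."""
    _, recs = resolve_srv(dns, service, search_list(site))
    return [r[3] for r in order_srv(recs)]


if __name__ == "__main__":
    dns = build_dns(ZONES)
    for site in ("Boston", "London", None):
        print(site, servers_for(dns, site), servers_for(dns, site, "_kerberos-master._udp"))
```

Two things worth noting from running it: a London client asking for _kerberos-master._udp gets the hub answer because its site zone has no such record, so the hub zone must stay complete; and the whole scheme hinges on the search line in each client's resolv.conf, which makes that file configuration to manage centrally rather than something left to local defaults.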

Re: [Freeipa-users] The concept of sites...

2011-10-20 Thread Sigbjorn Lie
Hi Ondrej,

Thanks. That RFE is for SSSD client only. I would like to see the management of 
sites within the
IPA webui/cli.




Regards,
Siggi


On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
> I have come across this already, BZ already created:
>
>
> https://fedorahosted.org/sssd/ticket/1032
>
>
> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>
>> The London/newyork dns sub-domains would be used for looking up srv records 
>> for the local
>> kerberos/ldap servers only. The actual domain configured on the client and 
>> the kerberos and LDAP
>>  base would still be the ipa.domain.com.
>>
>> Sync with AD would still be done between ipa.domain.com<->  ad.domain.com.
>>
>>
>>
>> Rgds,
>> Siggi
>>
>>
>>
>> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>>
>>> Ah right, yes, one realm.
>>>
>>>
>>>
>>> However how would you password sync with AD?
>>>
>>>
>>>
>>> So say London.ad.ms.com and Newyork.ad.ms.com
>>>
>>>
>>>
>>> With NY as the "head"
>>>
>>>
>>>
>>> So with london.ipa.unix.com and newyork.ipa.unix.com
>>>
>>>
>>>
>>> Is there still only one winsync agreement?
>>>
>>>
>>>
>>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>>
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>>
>>>
>>> Victoria University, Wellington, NZ
>>>
>>>
>>>
>>> 0064 4 463 6272
>>>
>>>
>>>
>>> 
>>> From: Sigbjorn Lie [sigbj...@nixtra.com]
>>> Sent: Thursday, 20 October 2011 9:11 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: RE: [Freeipa-users] The concept of sites...
>>>
>>>
>>>
>>> I see your point with a messy dns infrastructure, however this would happen 
>>> in the
>>> background.
>>>
>>>
>>> You would still only have one kerberos realm per IPA instance.
>>>
>>>
>>>
>>>
>>> Rgds,
>>> Siggi
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>>>
>>>
 Hi,




 I think AD sort of does this which they have now backed away from?




 From my very limited understanding, having sub-domains/realms seems to be
 counter-productive in that trying to do cross-realm
 trusts/passwords/user info becomes a nightmare?

 I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
 student.vuw.ac.nz in a winsync (password) agreement; I don't know even if
 that's possible? Yet with a flat domain to flat domain it's easy?

 regards

 Steven Jones




 Technical Specialist - Linux RHCE




 Victoria University, Wellington, NZ




 0064 4 463 6272




 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
 on behalf of
 Sigbjorn
 Lie [sigbj...@nixtra.com]
 Sent: Thursday, 20 October 2011 8:14 a.m.
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] The concept of sites...




 Hi,




 Has there been given any thought to the concept of sites within IPA to
 improve cross-site implementations? This should be easy to implement as 
 you are already
 using DNS
 SRV records to locate the ldap/kerberos servers.




 E.g.
 Site: Boston
 Site: London





 Create a subdomain of the IPA dns domain named _sites, and a subdomain
 of _sites for each site.

 Boston._sites.ipa.domain.com would contain the srv entries for IPA
 servers in Boston:
 _ldap._tcp in srv 0 100 389 boston-ipa-server1
 _ldap._tcp in srv 0 100 389 boston-ipa-server2



 London._sites.ipa.domain.com would contain the srv entries for IPA
 servers in London:
 _ldap._tcp in srv 0 100 389 london-ipa-server1
 _ldap._tcp in srv 0 100 389 london-ipa-server2



 Now point the client's DNS "search" entry to point to the local site
 first, then search the full name space: Boston client's /etc/resolv.conf: 
 search
 Boston._sites.ipa.domain.com ipa.domain.com



 London client's /etc/resolv.conf:
 search London._sites.ipa.domain.com ipa.domain.com


 The main ipa.domain.com could still contain srv records for all IPA
 servers, or selected IPA servers at the central hub.

 I know I can do this manually within the DNS management in IPA today,
 however it would be a lot easier to maintain "Sites" within the IPA
 webui/cli. *blink* ;)

 What are your thoughts on this?






 Regards,
 Siggi










>>>
>>>
>>

Re: [Freeipa-users] The concept of sites...

2011-10-20 Thread Ondrej Valousek

I have come across this already, BZ already created:

https://fedorahosted.org/sssd/ticket/1032

On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:

The London/newyork dns sub-domains would be used for looking up srv records for 
the local
kerberos/ldap servers only. The actual domain configured on the client and the 
kerberos and LDAP
base would still be the ipa.domain.com.

Sync with AD would still be done between ipa.domain.com<->  ad.domain.com.


Rgds,
Siggi


On Wed, October 19, 2011 22:15, Steven Jones wrote:

Ah right, yes, one realm.


However how would you password sync with AD?


So say London.ad.ms.com and Newyork.ad.ms.com


With NY as the "head"


So with london.ipa.unix.com and newyork.ipa.unix.com


Is there still only one winsync agreement?




regards

Steven Jones


Technical Specialist - Linux RHCE


Victoria University, Wellington, NZ


0064 4 463 6272



From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 9:11 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] The concept of sites...


I see your point with a messy dns infrastructure, however this would happen in 
the background.


You would still only have one kerberos realm per IPA instance.



Rgds,
Siggi





On Wed, October 19, 2011 21:30, Steven Jones wrote:


Hi,



I think AD sort of does this which they have now backed away from?



From my very limited understanding, having sub-domains/realms seems to be
counter-productive in that trying to do cross-realm trusts/passwords/user
info becomes a nightmare?

I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
student.vuw.ac.nz in a winsync (password) agreement; I don't know even if that's
possible? Yet with a flat domain to flat domain it's easy?

regards

Steven Jones



Technical Specialist - Linux RHCE



Victoria University, Wellington, NZ



0064 4 463 6272




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn
Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 8:14 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] The concept of sites...



Hi,



Has there been given any thought to the concept of sites within IPA to
improve cross-site implementations? This should be easy to implement as you are 
already using
DNS
SRV records to locate the ldap/kerberos servers.



E.g.
Site: Boston
Site: London




Create a subdomain of the IPA dns domain named _sites, and a subdomain
of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA
servers in Boston:
_ldap._tcp in srv 0 100 389 boston-ipa-server1
_ldap._tcp in srv 0 100 389 boston-ipa-server2



London._sites.ipa.domain.com would contain the srv entries for IPA
servers in London:
_ldap._tcp in srv 0 100 389 london-ipa-server1
_ldap._tcp in srv 0 100 389 london-ipa-server2



Now point the client's DNS "search" entry to point to the local site
first, then search the full name space: Boston client's /etc/resolv.conf: search
Boston._sites.ipa.domain.com ipa.domain.com


London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com


The main ipa.domain.com could still contain srv records for all IPA
servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today,
however it would be a lot easier to maintain "Sites" within the IPA webui/cli.
*blink* ;)

What are your thoughts on this?





Regards,
Siggi















