[Freeipa-users] SELinux Denial when installing IPA 2.1.3 on F15

2011-10-21 Thread Charlie Derwent
Sounds sort of related to the bug you mentioned in your release notes, but
this was a clean install, not an upgrade.

Regards
Charlie

--

FYI

SELinux is preventing /usr/sbin/ns-slapd from read access on the lnk_file
/var/lock.

* Plugin restorecon (94.8 confidence) suggests

If you want to fix the label.
/var/lock default label should be var_lock_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lock

* Plugin catchall_labels (5.21 confidence) suggests


If you want to allow ns-slapd to have read access on the lock lnk_file
Then you need to change the label on /var/lock
Do
# semanage fcontext -a -t FILE_TYPE '/var/lock'
where FILE_TYPE is one of the following: abrt_t, lib_t, root_t, device_t,
ld_so_t, proc_t, textrel_shlib_t, rpm_script_tmp_t, dirsrv_t, var_lock_t,
cert_t, usr_t, device_t, devlog_t, var_run_t, locale_t, etc_t, proc_t,
dirsrv_config_t, var_run_t, var_run_t.
Then execute:
restorecon -v '/var/lock'


* Plugin catchall (1.44 confidence) suggests

If you believe that ns-slapd should be allowed read access on the lock
lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ns-slapd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        unconfined_u:system_r:dirsrv_t:s0
Target Context        system_u:object_r:var_t:s0
Target Objects        /var/lock [ lnk_file ]
Source                ns-slapd
Source Path           /usr/sbin/ns-slapd
Port                  Unknown
Host                  f15.test.net
Source RPM Packages   389-ds-base-1.2.10-0.4.a4.fc15
Target RPM Packages   filesystem-2.4.41-1.fc15
Policy RPM            selinux-policy-3.9.16-24.fc15
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             f15.test.net
Platform              Linux f15.test.net 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count           3
First Seen            Fri 21 Oct 2011 01:28:21 AM BST
Last Seen             Fri 21 Oct 2011 07:29:38 AM BST
Local ID

Raw Audit Messages
type=AVC msg=audit(1319178578.723:176): avc:  denied  { read } for
pid=26931 comm=ns-slapd name=lock dev=dm-1 ino=1281
scontext=unconfined_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1319178578.723:176): arch=x86_64 syscall=open
success=no exit=EACCES a0=7fff9b184460 a1=c2 a2=1a4 a3=0 items=0 ppid=1
pid=26931 auid=500 uid=492 gid=490 euid=492 suid=492 fsuid=492 egid=490
sgid=490 fsgid=490 tty=(none) ses=4 comm=ns-slapd exe=/usr/sbin/ns-slapd
subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Hash: ns-slapd,dirsrv_t,var_t,lnk_file,read

audit2allow

#= dirsrv_t ==
allow dirsrv_t var_t:lnk_file read;

audit2allow -R

#= dirsrv_t ==
allow dirsrv_t var_t:lnk_file read;
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] SELinux Denial when installing IPA 2.1.3 on F15

2011-10-21 Thread Rob Crittenden

Charlie Derwent wrote:

Sounds sort of related to the bug you mentioned in your release notes,
but this was a clean install, not an upgrade.


It looks like we need to update the minimum version of selinux-policy 
required. I believe this was fixed in 3.9.16-29 and it looks like you 
are running -24.


thanks

rob



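Added example, not from the thread and not FreeIPA or 389-ds code: a small Python triage for the denial above. It parses AVC records out of audit.log text, folds them into the allow rules audit2allow would print, checks whether the installed selinux-policy meets the minimum Rob names (3.9.16-29) using RPM-style version ordering, and picks between the two fixes sealert offered. The audit log content is constructed from the records posted above, re-joined onto single lines as they sit in /var/log/audit/audit.log, plus one invented httpd denial to show filtering by process name; the version comparison is a simplified rpmvercmp written here, not a binding to librpm.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log. The first two records are the AVC/SYSCALL pair from
# the thread, re-joined onto one line each as they sit in audit.log; the third
# is an unrelated httpd denial invented here to show filtering by process name.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319178578.723:176): avc:  denied  { read } for pid=26931 comm=ns-slapd name=lock dev=dm-1 ino=1281 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1319178578.723:176): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff9b184460 a1=c2 a2=1a4 a3=0 items=0 ppid=1 pid=26931 auid=500 uid=492 gid=490 euid=492 suid=492 fsuid=492 egid=490 sgid=490 fsgid=490 tty=(none) ses=4 comm=ns-slapd exe=/usr/sbin/ns-slapd subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1319178600.001:180): avc:  denied  { write } for pid=2001 comm=httpd name=foo dev=dm-1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\b.*?"
    r"\bcomm=(?P<comm>\S+).*?\bscontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass
class Avc:
    comm: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str

    @property
    def stype(self) -> str:  # user:role:type:level -> the type field
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avcs(log_text: str, comm: Optional[str] = None) -> List[Avc]:
    """Extract AVC denials, optionally only those from one process name.
    Unlike 'grep ns-slapd', SYSCALL lines and other records that merely
    mention the name are ignored, so nothing extra reaches the rule set."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm is not None and m["comm"] != comm):
            continue
        found.append(Avc(m["comm"], m["perms"].split(), m["scontext"],
                         m["tcontext"], m["tclass"]))
    return found


def allow_rules(avcs: List[Avc]) -> List[str]:
    """Fold denials into allow rules the way audit2allow prints them:
    one rule per (source type, target type, class), permissions merged."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for a in avcs:
        merged.setdefault((a.stype, a.ttype, a.tclass), set()).update(a.perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {s} {t}:{c} {perm_str};")
    return rules


def _rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: segment by segment, digits numerically, letters
    lexically, a numeric segment outranking an alphabetic one. -1, 0 or 1."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def policy_is_fixed(installed_nvr: str, minimum_vr: str) -> bool:
    """True if an installed NVR such as 'selinux-policy-3.9.16-24.fc15' is at
    least the version-release the fix landed in, e.g. '3.9.16-29'."""
    _name, ver, rel = installed_nvr.rsplit("-", 2)
    min_ver, min_rel = minimum_vr.split("-", 1)
    c = _rpmvercmp(ver, min_ver)
    return c > 0 or (c == 0 and _rpmvercmp(rel, min_rel) >= 0)


def triage(avc: Avc, expected_ttype: str) -> str:
    """Choose the narrow fix. If the target carries a type other than the one
    the policy says the path should have (var_t here, var_lock_t expected),
    the object is mislabeled: relabel it, or take the policy update that
    ships the right file context. Only when the label is already correct
    is a missing allow rule the plausible explanation."""
    return "relabel" if avc.ttype != expected_ttype else "missing-rule"
```

On a real host the same functions run over `open("/var/log/audit/audit.log").read()` with `comm="ns-slapd"`. The triage rule is the point: the denial's target carries var_t while sealert reports that the default for /var/lock is var_lock_t, so the object is mislabeled and restorecon (or the policy update that carries the correct file context) is the narrow fix. The catchall rule `allow dirsrv_t var_t:lnk_file read;` would instead let the directory server read every symlink labeled var_t, far broader than the one path that triggered the alert.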


Re: [Freeipa-users] GUI back to CLI/LDAP syntax.

2011-10-21 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Just looking at the GUI and then trying to connect a Sun/Oracle Solaris storage
array to it, I'm struggling to match up what the Sun is asking vs. what I see in
the GUI.

I know it might clutter up the GUI, possibly too much, but I'd like to see the, I
suppose, raw info...

So if I have a user such as Steven who's in group admin-users and domain unix.vuw.ac.nz,
I'd like to see the LDAP syntax reflected in the GUI as I set it up, so a single line
on the page saying steven ou=admin-users, cn=unix,cn=vuw,cn=ac,cn=nz (or whatever it's
meant to be) would be hugely useful for me, and I suspect others. It's like trying to
learn another language really; I need a GUI to LDAP dictionary.

Hopefully I've explained what I am trying to get across/ask for.


I'm not sure we'd add this to the UI for clutter reasons, as you 
suggest. We've talked about per-user config in the past so maybe an 
'advanced' option could be added. Feel free to file an RFE if you'd like.


The command-line can do this now:

ipa user-show --raw --all Steven

The --raw option should be available in all commands.

rob

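Added example, not from the thread or from FreeIPA: the "GUI to LDAP dictionary" Steven asks for, as Python functions that turn a domain and a user, group or host name into the DN that `--raw` output refers to, plus the ldapsearch call that reads the same entry. It assumes FreeIPA's default directory layout (suffix derived from the domain, users under cn=users,cn=accounts, groups under cn=groups,cn=accounts, hosts under cn=computers,cn=accounts, names lowercased on add), which the thread does not spell out; the server name ipa.unix.vuw.ac.nz in the usage line is a placeholder. Values are escaped per RFC 4514 (DNs) and RFC 4515 (filters), so a name containing a comma or a parenthesis cannot break out of the DN or the search filter.

```python
import shlex

# Assumed (not stated in the thread): FreeIPA's default directory layout, with
# the suffix derived from the domain and accounts under cn=accounts; IPA also
# lowercases user, group and host names when they are added.
_RDN_SPECIAL = ',+"\\<>;='       # RFC 4514: escape these inside an RDN value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for one RDN value (special characters, leading '#'
    or space, trailing space)."""
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def base_dn(domain: str) -> str:
    """unix.vuw.ac.nz -> dc=unix,dc=vuw,dc=ac,dc=nz"""
    return ",".join(f"dc={escape_rdn_value(label)}" for label in domain.lower().split("."))


def user_dn(uid: str, domain: str) -> str:
    return f"uid={escape_rdn_value(uid.lower())},cn=users,cn=accounts,{base_dn(domain)}"


def group_dn(cn: str, domain: str) -> str:
    return f"cn={escape_rdn_value(cn.lower())},cn=groups,cn=accounts,{base_dn(domain)}"


def host_dn(fqdn: str, domain: str) -> str:
    return f"fqdn={escape_rdn_value(fqdn.lower())},cn=computers,cn=accounts,{base_dn(domain)}"


def members_of_group_filter(cn: str, domain: str) -> str:
    """'Steven is in group admin-users' seen from LDAP: the entries whose
    memberOf carries the group's DN."""
    return f"(memberOf={escape_filter_value(group_dn(cn, domain))})"


def ldapsearch_cmd(server: str, dn: str, filt: str = "(objectClass=*)") -> str:
    """The ldapsearch equivalent of `ipa user-show --raw --all`: a base-scope
    read of one entry over GSSAPI (after kinit), asking for all user ('*')
    and operational ('+') attributes."""
    argv = ["ldapsearch", "-Y", "GSSAPI", "-H", f"ldap://{server}",
            "-b", dn, "-s", "base", filt, "*", "+"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    d = "unix.vuw.ac.nz"
    print(user_dn("Steven", d))
    print(group_dn("admin-users", d))
    print(members_of_group_filter("admin-users", d))
    # ipa.unix.vuw.ac.nz is a placeholder server name
    print(ldapsearch_cmd("ipa.unix.vuw.ac.nz", user_dn("Steven", d)))
```

Run as a script it prints the DNs for the user and group from Steven's question and the ldapsearch line that returns the same attributes `ipa user-show --raw --all Steven` does, which is the quickest way to see how a value in the GUI is actually stored.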


[Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Sigbjorn Lie

Hi,

I've updated to freeipa-server-2.1.3-2.fc15.x86_64.

There are no hosts showing as enrolled in the webui. In the CLI, hosts are 
reported to have a keytab. Is this a known issue?



Rgds,
Siggi


PS. KUDOS on the speed of lookups! MASSIVE improvement both in the CLI 
and in the WEBUI!!!




Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Adam Young

They use exactly the same API.  The only difference between the webUI 
and the CLI is that the WebUI is marshalled via JSON, and the CLI uses 
XML RPC.  So you should see exactly the same results in both.  Have you 
typed something into your filter field that is hiding the hosts?




Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Sigbjorn Lie



No search filter that I know of. I assume you're referring to the top 
right hand corner field?


That field is empty; I'm displaying all hosts. Still nothing in the 
Enrolled? field.



Rgds,
Siggi




Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Adam Young

Just realized that you are referring to the Enrolled? column. I 
think that is a bug. I just opened this ticket: 
https://fedorahosted.org/freeipa/ticket/2020


The field that populates that column is actually krblastpwdchange, 
which should show when the password for the host principal was last 
changed. The intention is that this column should show when the host was 
enrolled, but it is defaulting to blank.





Rgds,
Siggi




Re: [Freeipa-users] No hosts showing as enrolled

2011-10-21 Thread Sigbjorn Lie


Thanks.

I got several hosts joined to IPA, and they have a krbLastPwdChange 
value if I look for them using ldapsearch and ipa host-show fqdn --all.


Please let me know if I can assist in further troubleshooting of the issue.


Rgds,
Siggi

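Added example, not from the thread or the FreeIPA code base: reproducing the "Enrolled?" decision from raw directory data in Python. It reads ldapsearch LDIF output, lowercases attribute names (LDAP attribute names are case-insensitive, so the krblastpwdchange spelling in the JSON API and krbLastPwdChange in the schema are the same attribute), and reports each host as enrolled when krbLastPwdChange is present, with the timestamp parsed from LDAP GeneralizedTime. The LDIF is constructed for three placeholder hosts under dc=example,dc=test; the stale-key check goes beyond the thread and flags hosts whose key is older than a configurable age, which the web UI column does not do.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed ldapsearch (LDIF) output for three placeholder hosts; the
# attributes are the ones the thread names, the values are made up.
SAMPLE_LDIF = """\
# extended LDIF
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: web1.example.test
krbPrincipalName: host/web1.example.test@EXAMPLE.TEST
krbLastPwdChange: 20111021120000Z

dn: fqdn=db1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: db1.example.test
krbPrincipalName: host/db1.example.test@EXAMPLE.TEST
krbLastPwdChange: 20100101080000Z
description:: ZW5yb2xsZWQgbG9uZyBhZ28=

dn: fqdn=new1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: new1.example.test
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: joins continuation lines, decodes '::' base64
    values, skips comments, and lowercases attribute names so that
    krblastpwdchange (JSON spelling) and krbLastPwdChange (schema spelling)
    land on the same key, as they do in LDAP itself."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # folded continuation line
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:         # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as IPA writes it: YYYYMMDDHHMMSSZ, UTC."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC timestamps are handled: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def enrollment_report(entries: List[Entry], now: datetime,
                      stale_after: timedelta = timedelta(days=365)
                      ) -> List[Tuple[str, bool, Optional[datetime], bool]]:
    """(fqdn, enrolled, enrolled_at, stale) per host. Enrolled means
    krbLastPwdChange is present, the attribute the thread says the column is
    meant to show. 'stale' flags a host key older than stale_after; that
    check is an addition here, not something the UI column does."""
    report = []
    for e in entries:
        fqdn = e.get("fqdn", [""])[0]
        when = e.get("krblastpwdchange")
        if not when:
            report.append((fqdn, False, None, False))
            continue
        ts = parse_generalized_time(when[0])
        report.append((fqdn, True, ts, now - ts > stale_after))
    return report


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for fqdn, enrolled, ts, stale in enrollment_report(parse_ldif(SAMPLE_LDIF), now):
        print(f"{fqdn:20} enrolled={enrolled!s:5} since={ts} stale={stale}")
```

Fed real output, for example from `ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,<suffix> '(objectClass=ipahost)' fqdn krbLastPwdChange`, the report gives the same answer the CLI's keytab flag gives, independently of how the web UI renders the column.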