Re: [Freeipa-users] enabling selinux on ipa server

2015-10-25 Thread Prasun Gera
I'm using the default version on RHEL7. I think that's 4.1.x. This was a
replica server. Selinux was disabled when the replica was installed. I
enabled it in enforcing mode yesterday, and saw those issues. On the main
server, selinux is (and has always been) enabled in enforcing mode, and
everything works fine. I also compared the bools between the main server
and the replica, and the bools on the main server were correctly set up,
whereas the ones you mentioned weren't set up properly on the replica. So
from the limited information I have at hand, I think that setting up a
replica server in the selinux disabled state didn't set up the selinux
related stuff properly, which manifested later when I set it to enforcing
mode.

On Sat, Oct 24, 2015 at 9:13 PM, Rob Crittenden wrote:

> Prasun Gera wrote:
> > I've done that now in addition to the few fixes that I made manually
> > earlier. These were the messages:
> > SELinux is preventing /usr/sbin/ns-slapd from write access on the file
> > ldap_988
> > SELinux is preventing /usr/sbin/httpd from read access on the lnk_file
> > /etc/httpd/logs
> > And a few others. I also had to do sudo setsebool -P httpd_manage_ipa 1
>
> It would help to know what version you're using.
>
> The installer will skip setting the booleans if SELinux is disabled. The
> installer won't disable SELinux itself.
>
> A default install will enable these booleans:
>
> httpd_can_network_connect
> httpd_manage_ipa
> httpd_run_ipa
>
> AD trust will enable samba_portmapper
>
> rob
>
> >
> > On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik wrote:
> >
> > On (23/10/15 20:57), Prasun Gera wrote:
> > >selinux was disabled for some reason when the ipa server(replica) was
> > >installed. I enabled it, and see that there are a lot of selinux related
> > >permissions problems in syslog. Is this a known issue ? I tried fixing some
> > >of them manually, but I would like a better approach.
> > FreeIPA should work fine with SELinux in enforcing mode.
> >
> > I would recommend to restore SELinux context of files on that machine.
> >
> > restorecon -Rv /
> >
> > LS
> >
> >
> >
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
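
The boolean comparison discussed in this thread, as an added example that is not part of the original messages or of the FreeIPA installer: it reads `getsebool -a` style output and lists which of the three default-install booleans named by Rob are off or absent. The function names and the sample replica output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SELinux booleans named in this thread on an IPA host.
# The boolean list is taken from the thread; an AD trust setup would add
# samba_portmapper to it. Function names are hypothetical.

IPA_BOOLEANS="httpd_can_network_connect httpd_manage_ipa httpd_run_ipa"

# missing_booleans: read "name --> on|off" lines (getsebool -a format) on stdin
# and print every expected boolean that is off or absent, one per line.
missing_booleans() {
    input=$(cat)
    for b in $IPA_BOOLEANS; do
        state=$(printf '%s\n' "$input" |
            awk -v n="$b" '$1 == n && $2 == "-->" { print $3 }')
        [ "$state" = "on" ] || printf '%s\n' "$b"
    done
}

# fix_commands: turn that list into the persistent setsebool calls to review.
fix_commands() {
    while read -r b; do
        [ -n "$b" ] && printf 'setsebool -P %s 1\n' "$b"
    done
    return 0
}

# Constructed sample: a replica that was installed while SELinux was disabled.
SAMPLE_REPLICA='httpd_can_network_connect --> off
httpd_manage_ipa --> on
httpd_run_ipa --> off
samba_portmapper --> off'

# On a host with SELinux enabled, audit the live state; otherwise (getsebool
# missing, or SELinux disabled so it exits non-zero) fall back to the sample.
if command -v getsebool >/dev/null 2>&1 && getsebool -a >/dev/null 2>&1; then
    getsebool -a | missing_booleans | fix_commands
else
    printf '%s\n' "$SAMPLE_REPLICA" | missing_booleans | fix_commands
fi
```

The script only prints the `setsebool -P` commands; running them, and the `restorecon -Rv /` relabel recommended in the thread, remains a separate step.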

Re: [Freeipa-users] enabling selinux on ipa server

2015-10-24 Thread Lukas Slebodnik
On (23/10/15 20:57), Prasun Gera wrote:
>selinux was disabled for some reason when the ipa server(replica) was
>installed. I enabled it, and see that there are a lot of selinux related
>permissions problems in syslog. Is this a known issue ? I tried fixing some
>of them manually, but I would like a better approach.
FreeIPA should work fine with SELinux in enforcing mode.

I would recommend to restore SELinux context of files on that machine.

restorecon -Rv /

LS



Re: [Freeipa-users] enabling selinux on ipa server

2015-10-24 Thread Prasun Gera
I've done that now in addition to the few fixes that I made manually
earlier. These were the messages:
SELinux is preventing /usr/sbin/ns-slapd from write access on the file
ldap_988
SELinux is preventing /usr/sbin/httpd from read access on the lnk_file
/etc/httpd/logs
And a few others. I also had to do sudo setsebool -P httpd_manage_ipa 1

On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik wrote:

> On (23/10/15 20:57), Prasun Gera wrote:
> >selinux was disabled for some reason when the ipa server(replica) was
> >installed. I enabled it, and see that there are a lot of selinux related
> >permissions problems in syslog. Is this a known issue ? I tried fixing some
> >of them manually, but I would like a better approach.
> FreeIPA should work fine with SELinux in enforcing mode.
>
> I would recommend to restore SELinux context of files on that machine.
>
> restorecon -Rv /
>
> LS
>

Re: [Freeipa-users] enabling selinux on ipa server

2015-10-24 Thread Rob Crittenden
Prasun Gera wrote:
> I've done that now in addition to the few fixes that I made manually
> earlier. These were the messages:
> SELinux is preventing /usr/sbin/ns-slapd from write access on the file
> ldap_988
> SELinux is preventing /usr/sbin/httpd from read access on the lnk_file
> /etc/httpd/logs
> And a few others. I also had to do sudo setsebool -P httpd_manage_ipa 1

It would help to know what version you're using.

The installer will skip setting the booleans if SELinux is disabled. The
installer won't disable SELinux itself.

A default install will enable these booleans:

httpd_can_network_connect
httpd_manage_ipa
httpd_run_ipa

AD trust will enable samba_portmapper

rob

> 
> On Sat, Oct 24, 2015 at 10:51 AM, Lukas Slebodnik wrote:
> 
> On (23/10/15 20:57), Prasun Gera wrote:
> >selinux was disabled for some reason when the ipa server(replica) was
> >installed. I enabled it, and see that there are a lot of selinux related
> >permissions problems in syslog. Is this a known issue ? I tried fixing some
> >of them manually, but I would like a better approach.
> FreeIPA should work fine with SELinux in enforcing mode.
> 
> I would recommend to restore SELinux context of files on that machine.
> 
> restorecon -Rv /
> 
> LS
> 
> 
> 
> 



[Freeipa-users] enabling selinux on ipa server

2015-10-23 Thread Prasun Gera
selinux was disabled for some reason when the ipa server(replica) was
installed. I enabled it, and see that there are a lot of selinux related
permissions problems in syslog. Is this a known issue ? I tried fixing some
of them manually, but I would like a better approach.