Directory Server is not allowed to create a directory in /var/lock. This leads to installation failure:
# ipa-server-install -p secret123 -a secret123
[snip]
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
root        : CRITICAL failed to restart ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp15By1u' returned non-zero exit status 1
  [3/3]: restarting directory server
root        : CRITICAL Failed to restart the directory server. See the installation log for details.
AVC:
type=AVC msg=audit(1303219404.726:66): avc: denied { setattr } for pid=1205 comm="ns-slapd" name="slapd-PKI-IPA" dev=tmpfs ino=14702 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=dir
This is a tracking ticket and will be closed when new selinux-policy is pushed to F-15.
https://bugzilla.redhat.com/show_bug.cgi?id=696819
selinux-policy-3.9.16-18.fc15 fixes the issue.
The problem has not been resolved completely; the originally reported AVC reoccurred.
selinux-policy version:
selinux-policy-3.9.16-26.fc15.noarch
audit.log:
... type=AVC msg=audit(1307533596.416:1211): avc: denied { read } for pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681 ...
audit2allow:
# cat /var/log/audit/audit.log | audit2allow

#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;
I chose to open a new ticket for this problem instead: #1306.
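The two AVC records quoted in this ticket (the setattr denial on the /var/lock directory in the description, and the read denial on the "lock" symlink in the follow-up comment) can be checked mechanically rather than by eye. The script below is an added example, not code from the ticket, FreeIPA or selinux-policy: it parses audit.log AVC records, extracts the source type, target type, object class and permissions, merges them into audit2allow-style allow rules, and lists the denials for dirsrv_t logged after a given timestamp (for instance the time the updated selinux-policy was installed), which is the "did it reoccur" check the second comment performs by hand. The audit log text is constructed inline; the scontext/tcontext of the second record, elided in the comment, are assumed to match the audit2allow output quoted there.

```python
import re
from collections import defaultdict

# Constructed sample input for this example. Line 1 is the AVC quoted in the
# ticket description; line 2 is filler of another record type; line 3 is a
# reconstruction of the later, elided denial, with scontext/tcontext chosen to
# match the audit2allow output quoted in the ticket (an assumption, not
# captured data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303219404.726:66): avc: denied { setattr } for pid=1205 comm="ns-slapd" name="slapd-PKI-IPA" dev=tmpfs ino=14702 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1303219404.726:66): arch=c000003e syscall=83 success=no exit=-13 comm="ns-slapd"
type=AVC msg=audit(1307533596.416:1211): avc: denied { read } for pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
"""

# audit.log puts a variable number of spaces around "denied"; \s+ absorbs them.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        # A context is user:role:type[:range]; policy rules are written on the type.
        "sdomain": kv["scontext"].split(":")[2],
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "comm": kv.get("comm", ""),
        "name": kv.get("name", ""),
    }


def denials(log_text, domain=None):
    """All denied AVCs in the log, optionally restricted to one source domain."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and (domain is None or rec["sdomain"] == domain):
            out.append(rec)
    return out


def allow_rules(recs):
    """Collapse denials into audit2allow-style allow rules, merging the
    permissions of all denials that share (source type, target type, class)."""
    merged = defaultdict(set)
    for r in recs:
        merged[(r["sdomain"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules


def recurrences(log_text, domain, since_ts):
    """Denials for `domain` logged at or after `since_ts`, e.g. the install
    time of a policy build that was supposed to fix them."""
    return [r for r in denials(log_text, domain) if r["ts"] >= since_ts]


if __name__ == "__main__":
    recs = denials(SAMPLE_AUDIT_LOG, "dirsrv_t")
    for rule in allow_rules(recs):
        print(rule)
    # Hypothetical policy-update time between the two records (an assumption).
    for r in recurrences(SAMPLE_AUDIT_LOG, "dirsrv_t", 1305000000.0):
        print("still denied after update:", r["serial"], r["comm"], r["name"], r["tclass"])
```

Run against a real /var/lib/audit log by replacing SAMPLE_AUDIT_LOG with the file contents; the generated rules are only a starting point for a policy fix, since granting dirsrv_t access to the generic var_t type would be far broader than the proper file-context fix (labeling the lock directory as a type dirsrv_t may already use).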
Metadata Update from @mkosek: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 2.1 - 2011/08 (Final)