Bug 759544

Summary: ipa dnszone-show <zone> fails
Product: [Fedora] Fedora
Reporter: Adam Tkac <atkac>
Component: freeipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 16
CC: abokovoy, dpal, mkosek, ovasik, rcritten, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-06 11:14:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Adam Tkac 2011-12-02 16:25:18 UTC
Description of problem:
# ipa dnszone-show atkac.brq.redhat.com
ipa: ERROR: cannot connect to u'https://ipa.atkac.brq.redhat.com/ipa/xml': Internal Server Error

Version-Release number of selected component (if applicable):
# rpm -q freeipa-server selinux-policy-targeted
freeipa-server-2.1.3-5.fc16.x86_64
selinux-policy-targeted-3.10.0-61.fc16.noarch


How reproducible:
always

Steps to Reproduce:
1. Install FreeIPA server with DNS support
2. run `ipa dnszone-show <freeipa_zonename>`
  
Actual results:
ipa utility fails to show the zone

Expected results:
ipa utility shows the zone

Additional info:
With `setenforce 0` everything is OK.

seaudit-report /var/log/audit/audit.log shows:

...
Dec 02 17:18:16 (null) (null): audit(1322842696.534:99): avc: denied { name_connect } for pid=857 comm=httpd dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket 
...

I'm not sure if we want to allow httpd_t to connect to ldap_port_t by default. Please consider adding this rule to the freeipa-server-selinux pkg or reassigning it to the selinux-policy-targeted pkg.
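
The AVC record quoted above is the kind of line a triage script has to pick apart before anyone decides whether a denial warrants a policy change. The following Python is an added example (not part of this report, FreeIPA or selinux-policy) that parses AVC denial lines into their fields and emits the `allow` rule an audit2allow-style tool would derive from each; the first sample line is the one from this report, the second is constructed to show the parser also handles the `type=AVC` layout with quoted values and a file-class denial.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first line is the denial quoted in this report;
# the second is a made-up denial in the `type=AVC` format with quoted values,
# included only to exercise the parser on another class (file) of denial.
SAMPLE_AUDIT_LOG = """\
Dec 02 17:18:16 (null) (null): audit(1322842696.534:99): avc: denied { name_connect } for pid=857 comm=httpd dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1322842700.001:100): avc:  denied  { read } for  pid=900 comm="httpd" name="secret.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
# key=value pairs; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    pid: Optional[int]
    comm: Optional[str]
    scontext: str
    tcontext: str
    tclass: str

    @staticmethod
    def _type_of(context: str) -> str:
        # An SELinux context is user:role:type:level; the type is the third field
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.scontext)

    @property
    def target_type(self) -> str:
        return self._type_of(self.tcontext)

    def allow_rule(self) -> str:
        # The TE allow rule that would silence this exact denial (audit2allow style)
        return (f"allow {self.source_type} {self.target_type}:{self.tclass} "
                f"{{ {' '.join(self.perms)} }};")


def parse_avc_line(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    try:
        return AvcDenial(
            perms=tuple(m.group("perms").split()),
            pid=int(fields["pid"]) if "pid" in fields else None,
            comm=fields.get("comm"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        )
    except KeyError:
        # A denial missing scontext/tcontext/tclass is malformed; skip it
        return None


def parse_audit_log(text: str) -> List[AvcDenial]:
    """Return every AVC denial found in an audit.log excerpt, in order."""
    return [d for d in (parse_avc_line(ln) for ln in text.splitlines()) if d]


def rule_counts(denials: List[AvcDenial]) -> Dict[str, int]:
    """Aggregate denials by the allow rule each would need, with hit counts."""
    counts: Dict[str, int] = {}
    for d in denials:
        counts[d.allow_rule()] = counts.get(d.allow_rule(), 0) + 1
    return counts


if __name__ == "__main__":
    for rule, n in rule_counts(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"{n:3d}  {rule}")
```

The derived rule is a starting point for reading the denial, not a recommendation to load it: the question this report raises is whether httpd_t should be allowed to reach ldap_port_t at all, which belongs in the distribution policy (or a policy boolean, where one exists) rather than in a local module generated from a single audit line.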

Comment 1 Rob Crittenden 2011-12-02 20:24:52 UTC
I'm not entirely sure what is trying to contact ldap; we use ldapi internally.

Adam, what is the value of ldap_uri in /etc/ipa/default.conf?

Comment 2 Rob Crittenden 2011-12-02 22:55:54 UTC
I have been unable to reproduce this.

Comment 3 Dmitri Pal 2011-12-03 18:15:15 UTC
Adam, can you please provide more details? It seems Rob can't reproduce this issue. Maybe you have a wrong or broken SELinux policy?

Comment 4 Adam Tkac 2011-12-06 11:14:20 UTC
Now I tried to reproduce this issue again and it wasn't reproducible, not sure why. Closing as notabug, will reopen when I get more info.