Bug 984169
Summary: | SELinux is preventing /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.i386/jre/bin/java from write access on the directory /var/lib/ipa/pki-ca/publish. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Niki Guldbrand <niki.guldbrand> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-07-15 13:26:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Niki Guldbrand
2013-07-13 07:53:22 UTC
Since this started there have been no updates to the published CRLs in that directory. I tried to use audit2allow to make a local policy for this, but when trying to load it I get this message:

    [root@ipa Policy]# semodule -i net.guldbrand.ipa_dogtag.pp
    /etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/ipa/pki-ca/publish(/.*)?.
    /etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
    libsemanage.semanage_install_active: setfiles returned error code 1.
    semodule: Failed!

The policy module I'm trying to load atm. is:

    module net.guldbrand.ipa_dogtag 1.0;

    require {
        type cert_t;
        type pki_tomcat_t;
        class dir write;
    }

    #============= pki_tomcat_t ==============
    allow pki_tomcat_t cert_t:dir write;

I have tried to relabel on boot, but that didn't fix anything.

After some digging, I found this comment in the freeipa.spec file:

    # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
    # entire SELinux policy is stored in the system policy
    Obsoletes: freeipa-server-selinux < 3.3.0

With that in mind, I tried to disable the ipa_dogtag and ipa_httpd modules from that package and the error has disappeared, so it seems like a conflict between the normal policy and the freeipa provided one.

*** This bug has been marked as a duplicate of bug 979379 ***
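The "Multiple same specifications" failure above comes from setfiles validating the compiled file_contexts and finding the same path regex listed twice (here, once from the system policy and once from the obsoleted freeipa-server-selinux modules). The script below is an added example, not code from the bug report or from the FreeIPA or selinux-policy projects: it scans a file in file_contexts format and reports every regex spec that appears more than once, together with the contexts that claim it, so an administrator can see which label definitions collide before attempting `semodule -i`. The sample file it builds is constructed for the demonstration, and the type names in it are illustrative; on a real system you would point it at /etc/selinux/targeted/contexts/files/file_contexts (the path printed in the error).

```shell
#!/bin/sh
# Added example (not part of the bug report): find duplicated path specs in a
# file_contexts-format file. setfiles rejects such a file with
# "Multiple same specifications for <regex>", which is what made semodule fail.

# Usage: find_dup_fcontexts <file_contexts-path>
# Prints one "duplicate:" line per regex spec that occurs more than once.
# Exit status is 1 when at least one duplicate exists, 0 otherwise, mirroring
# the way setfiles treats the file.
find_dup_fcontexts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            spec = $1                          # column 1: path regex
            if ($2 ~ /^-/) spec = spec " " $2  # optional file-type flag (--, -d, ...)
            ctx = $NF                          # last column: security context
            count[spec]++
            ctxs[spec] = (spec in ctxs) ? ctxs[spec] ", " ctx : ctx
        }
        END {
            found = 0
            for (s in count) if (count[s] > 1) {
                found = 1
                printf "duplicate: %s  (%d entries: %s)\n", s, count[s], ctxs[s]
            }
            exit found
        }
    ' "$1"
}

# Constructed sample: two definitions claim /var/lib/ipa/pki-ca/publish(/.*)?,
# as happened when the freeipa module and the system policy were both loaded.
# Type names are illustrative, not taken from a real policy.
sample_fc=$(mktemp)
trap 'rm -f "$sample_fc"' EXIT
cat > "$sample_fc" <<'EOF'
# constructed file_contexts sample, not the real system file
/var/lib/ipa/pki-ca/publish(/.*)?   system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/pki(/.*)?                  system_u:object_r:pki_tomcat_var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?   system_u:object_r:cert_t:s0
/etc/ipa(/.*)?                      system_u:object_r:etc_t:s0
EOF

# Demonstration run: prints the colliding spec and its two contexts.
find_dup_fcontexts "$sample_fc" || echo "setfiles would reject this file"
```

When the report names a spec, `semodule -l` shows which loaded modules could be contributing it; in this bug the stale ipa_dogtag and ipa_httpd modules were the second source, and disabling them removed the collision.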