This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController .

SELinux is preventing httpd from read access on the key Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64 #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      9c444489-fd41-4345-a831-0aedca4e1cd1

Raw Audit Messages
type=AVC msg=audit(1413923688.483:574): avc: denied { read } for pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1

There is a matching denial for { write }:

SELinux is preventing httpd from write access on the key Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed write access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64 #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      f302b7c6-17b2-416e-9ceb-c02b53280093

Raw Audit Messages
type=AVC msg=audit(1413923688.508:575): avc: denied { write } for pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1

Hash: httpd,httpd_t,unconfined_service_t,key,write

Log messages around this time:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa : DEBUG args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to #1155301.

Nominating as a Beta blocker on the possibility that it may cause deployment to fail: "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried." https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
*** This bug has been marked as a duplicate of bug 1155301 ***
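
Added example, not part of the original report and not code from setroubleshoot or audit2allow: the two raw AVC records quoted in the report, parsed and merged into one type-enforcement allow rule so the scope of a local module can be reviewed before it is loaded. The function names are hypothetical, and treating a record without a permissive= field as blocked is an assumption of this example.

```python
import re
from collections import defaultdict

# The two raw AVC records quoted in the report (copied from the page).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1413923688.483:574): avc: denied { read } for pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1413923688.508:575): avc: denied { write } for pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec


def selinux_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]


def merge_denials(text):
    """Group denials by (source type, target type, class) and union the perms."""
    merged = defaultdict(lambda: {"perms": set(), "blocked": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        merged[key]["perms"].update(rec["perms"])
        # permissive=1 means the denial was only logged and the access went through.
        # Assumption of this example: a record lacking the field counts as blocked.
        merged[key]["blocked"] |= rec.get("permissive", "0") == "0"
    return dict(merged)


def render_rules(merged):
    """Render each group as a type-enforcement allow rule."""
    rules = []
    for (src, tgt, cls), info in sorted(merged.items()):
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    for rule in render_rules(merge_denials(SAMPLE_AUDIT)):
        print(rule)
```

For these two records the "blocked" flag stays False, which matches the Permissive mode recorded in the alerts: both accesses were logged but not stopped.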