Description of problem:
When running ipa-server-install it hangs when setting up the directory server.

Version-Release number of selected component (if applicable):
freeipa-server-2.0.0-1.fc15.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Minimal install of devel F-15
2. Install freeipa-server
3. Call ipa-server-install

Actual results:
Installation hangs.

Expected results:
Installation succeeds.

Additional info:
Unfortunately I do not have the debug install logs anymore; it hung in setup-dl.pl or similar.
audit2allow -a outputs:
#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;
How long did you wait? There are some very strange delays that we have observed in systemd trying to restart different services. It might be that it looked like it hung but was in the long timeout. Why do you think it is a SELinux problem?
You need a newer SELinux policy. selinux-policy-3.9.16-15.fc15 is the latest.
I ran into the same problem, just the AVC was different. Attaching IPA installation output, IPA server installation logfile and relevant AVCs. I was informed that a fix was checked in to F-16 and will be backported to relevant repos.
Created attachment 493206: IPA server installation output
Created attachment 493207: IPA server installation log
setup-ds.pl complains here that it could not create a directory.
Created attachment 493208: Relevant AVCs from audit.log
Not sure why dirsrv_t would be changing the permissions on a var_lock directory but we are adding this to the next policy.
I can confirm that when I loaded a custom SELinux module allowing the rule mentioned in the reported AVC, the reported hang no longer occurred. My selinux-policy version: selinux-policy-3.9.16-15.fc15.noarch
Tracking upstream ticket: https://fedorahosted.org/freeipa/ticket/1185
selinux-policy-3.9.16-18.fc15 fixes the issue. Closing the upstream ticket.
The SELinux problem was not solved completely; the originally reported AVC reoccurred. ipa-replica-install will fail again.
selinux-policy version: selinux-policy-3.9.16-26.fc15.noarch
audit.log:
type=AVC msg=audit(1307533596.416:1211): avc: denied { read } for pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681
audit2allow:
# cat /var/log/audit/audit.log | audit2allow
#============= dirsrv_t ==============
allow dirsrv_t var_t:lnk_file read;
Opening a new upstream ticket: https://fedorahosted.org/freeipa/ticket/1306
Well, the problem is /var/lock is mislabeled.
# restorecon -R -v /var
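The distinction made in the reply above, that a denial against a generic type such as var_t points to a mislabeled object (fixed by restorecon) rather than a missing policy rule (what audit2allow would generate), as an added example that is not code from this bug report, FreeIPA or selinux-policy. It parses AVC records from audit.log and triages each one; the sample records are constructed to resemble the AVC quoted in the thread, and the GENERIC_TYPES set and helper names are this example's own assumptions.

```python
import re

# Constructed sample audit.log records (not the thread's attachments), modelled on the
# AVC quoted in the thread with the scontext/tcontext/tclass fields a real record carries.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1307533596.416:1211): avc:  denied  { read } for  pid=17544 comm="ns-slapd" name="lock" dev=dm-0 ino=1681 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1307533596.416:1211): arch=c000003e syscall=2 success=no exit=-13 comm="ns-slapd"
type=AVC msg=audit(1307533600.100:1215): avc:  denied  { setattr } for  pid=17544 comm="ns-slapd" name="dirsrv" dev=dm-0 ino=1702 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic fallback types for whole directory trees (assumed set). A denial whose target
# carries one of these usually means the object is mislabelled (here /var/lock as var_t
# instead of var_lock_t), so the fix is restorecon, not an audit2allow module that grants
# dirsrv_t access to var_t and thereby papers over the mislabel.
GENERIC_TYPES = {"var_t", "etc_t", "usr_t", "default_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Turn one AVC record into a dict, or return None for non-AVC records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]   # e.g. dirsrv_t
    rec["ttype"] = rec["tcontext"].split(":")[2]   # e.g. var_t
    return rec

def triage(log_text):
    """Return (record, advice) pairs: 'relabel' when the target type is generic,
    'policy' when the label is right and the policy itself lacks the rule."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            advice = "relabel" if rec["ttype"] in GENERIC_TYPES else "policy"
            out.append((rec, advice))
    return out

def suggestion(rec, advice):
    """Human-readable next step for one denial."""
    if advice == "relabel":
        return f"{rec['ttype']} on '{rec['name']}': check with matchpathcon, fix with restorecon -R -v /var"
    return (f"{rec['stype']} {rec['ttype']}:{rec['tclass']} {' '.join(rec['perms'])}: "
            "label is specific, report against selinux-policy")

if __name__ == "__main__":
    for rec, advice in triage(SAMPLE_AUDIT_LOG):
        print(advice, "->", suggestion(rec, advice))
```

Run it against a real /var/log/audit/audit.log to get the same split before reaching for audit2allow.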
Yes, you are right, I see it now. Thanks for reply.