Description of problem:
# ipa dnszone-show atkac.brq.redhat.com
ipa: ERROR: cannot connect to u'https://ipa.atkac.brq.redhat.com/ipa/xml': Internal Server Error

Version-Release number of selected component (if applicable):
# rpm -q freeipa-server selinux-policy-targeted
freeipa-server-2.1.3-5.fc16.x86_64
selinux-policy-targeted-3.10.0-61.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Install FreeIPA server with DNS support
2. run `ipa dnszone-show <freeipa_zonename>`

Actual results:
ipa utility fails to show the zone

Expected results:
ipa utility shows the zone

Additional info:
With `setenforce 0` everything is OK.

seaudit-report /var/log/audit/audit.log shows:
...
Dec 02 17:18:16 (null) (null): audit(1322842696.534:99): avc: denied { name_connect } for pid=857 comm=httpd dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
...

I'm not sure if we want to allow httpd_t to connect to ldap_port_t by default. Please consider adding this rule to the freeipa-server-selinux pkg or reassigning it to the selinux-policy-targeted pkg.
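As an added example (not part of the bug report or of FreeIPA), the following POSIX shell snippet turns an AVC denial record like the one quoted above into the allow rule it implies, the same source-type/target-type/class/permission mapping that audit2allow performs. It parses the seaudit-report line from the report verbatim and a second, constructed line with two permissions; the function and variable names are the example's own. The field regexes work equally on raw /var/log/audit/audit.log records, since scontext, tcontext and tclass appear there in the same form.

```shell
#!/bin/sh
# Added example: derive the SELinux allow rule implied by an AVC denial.
# Names (avc_field, avc_to_allow_rule, SAMPLE_*) are this example's own.

# The AVC line quoted in the bug report (seaudit-report output).
SAMPLE_AVC='Dec 02 17:18:16 (null) (null): audit(1322842696.534:99): avc: denied { name_connect } for pid=857 comm=httpd dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# Constructed line (not from the report) with two permissions, to show the
# braced form audit2allow emits when more than one permission is denied.
SAMPLE_MULTI='type=AVC msg=audit(1322842696.534:100): avc:  denied  { name_connect write } for  pid=857 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# avc_field LINE NAME: print the value of the NAME=value field in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_to_allow_rule LINE: print "allow SRC TGT:CLASS PERMS;" for an AVC
# denial, where SRC/TGT are the type components (third colon-separated
# field) of scontext/tcontext. Returns 1 if any field is missing.
avc_to_allow_rule() {
    line=$1
    perms=$(printf '%s\n' "$line" \
        | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//;s/ *$//')
    src=$(avc_field "$line" scontext | cut -d: -f3)
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)
    cls=$(avc_field "$line" tclass)
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    # Brace the permission set only when there is more than one permission.
    case $perms in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# Stand-alone use: print the rule for the line quoted in the report.
avc_to_allow_rule "$SAMPLE_AVC"
```

Before compiling such a rule into a custom module, check whether the distribution policy already exposes it as a boolean (`getsebool -a | grep httpd_can_connect`); on policy versions that ship `httpd_can_connect_ldap` (an assumption about the policy in question, not something the report confirms), `setsebool -P httpd_can_connect_ldap on` is the intended switch and keeps the permission off by default for other httpd deployments.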
I'm not entirely sure what is trying to contact ldap, we use ldapi internally. Adam, what is the value of ldap_uri in /etc/ipa/default.conf?
I have been unable to reproduce this.
Adam, can you please provide more details? It seems Rob can't reproduce this issue. Maybe you have a wrong or broken SELinux policy?
Now I tried to reproduce this issue again and it wasn't reproducible, not sure why. Closing as notabug, will reopen when I get more info.