953286 – SELinux causes 'realm join' to fail

Bug 953286 - SELinux causes 'realm join' to fail

Summary: SELinux causes 'realm join' to fail

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	953537 953936 (view as bug list)
Depends On:
Blocks:	918092
TreeView+	depends on / blocked

Reported:	2013-04-17 20:39 UTC by Patrik Kis
Modified:	2013-05-13 15:17 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-05-13 15:17:20 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Patrik Kis 2013-04-17 20:39:25 UTC

Description of problem:
When raalmd is trying to join to IPA server it traceback at the end.
This is not the case when selinux is in permissive mode. There is not AVC logged, btw.

Version-Release number of selected component (if applicable):

$ rpm -qa selinux-policy* realmd
selinux-policy-3.12.1-32.fc19.noarch
selinux-policy-targeted-3.12.1-32.fc19.noarch
realmd-0.13.3-2.fc19.x86_64

How reproducible:
90%

Steps to Reproduce:

# realm join -v --user=admin skynet.com
 * Searching for kerberos SRV records for domain: _kerberos._udp.skynet.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.skynet.com
 * f19.skynet.com:88 
 * Trying to retrieve IPA certificate from f19.skynet.com
 * Retrieved IPA CA certificate verifies the HTTPS connection
 ! Couldn't discover IPA KDC
 * Found kerberos DNS records for: skynet.com
 * Found IPA style certificate for: skynet.com
 * Successfully discovered: skynet.com
Password for admin: 
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain skynet.com --realm SKYNET.COM --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Discovery was successful!
Hostname: fcb.skynet.com
Realm: SKYNET.COM
DNS Domain: skynet.com
IPA Server: f19.skynet.com
BaseDN: dc=skynet,dc=com
Synchronizing time with KDC...
Enrolled in IPA realm SKYNET.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SKYNET.COM
trying https://f19.skynet.com/ipa/xml
Forwarding 'env' to server u'https://f19.skynet.com/ipa/xml'
DNS server record set to: fcb.skynet.com -> 192.168.100.85


certmonger request for host certificate failed
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://f19.skynet.com/ipa/xml'

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2455, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2441, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2321, in install
    auth_config.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/redhat/auth.py", line 49, in execute
    ipautil.run(["/usr/sbin/authconfig"]+args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 300, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied
 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed

Comment 1 Stef Walter 2013-04-17 21:13:49 UTC

Can you reproduce by running the exact ipa-client-install command included in the verbose output:

LANG=C /usr/sbin/ipa-client-install --domain skynet.com --realm SKYNET.COM --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended

Obviously, if not 100% reproducible you would need to try repeatedly to get the failure to happen here.

Comment 2 Stef Walter 2013-04-17 21:15:59 UTC

Could you also try running the following as root in a second terminal:

# killall realmd
# /usr/lib64/realmd/realmd

That will let us know if it really is a SELinux issue or not (or something to do with the context in which dbus normally spawns realmd). Since SELinux hides some of its AVC's

Comment 3 Miroslav Grepl 2013-04-18 06:52:55 UTC

selinux-policy should not be a problem. We have realmd_t as unconfined now. 

You can re-test it in permissive mode to be sur.

Comment 4 Stef Walter 2013-04-18 12:01:38 UTC

*** Bug 953537 has been marked as a duplicate of this bug. ***

Comment 5 Stef Walter 2013-04-18 12:04:01 UTC

Bug 953537 has backtraces and so on.

Comment 6 Stef Walter 2013-04-18 12:11:02 UTC

Miroslav, I can pretty much confirm that this is SELinux related. We've only ever seen this on the i686 platform. 

I tried hard to duplicate this SELinux is permissive, doing the join/leave about 8 or 9 times in a row. Right after a 'setenforce 1' and doing the join again, the failure occurs.

 * There is no other output in /var/log/messages related to the failure.
 * There is no AVC related to the failure.

This is on a system that was F18 updated to F19. Was that also the same for you Patrik?

Comment 7 Stef Walter 2013-04-18 12:15:17 UTC

Output of restore con does not seem related: 

# restorecon -R -v -n / 
restorecon reset /var/gdm context system_u:object_r:auth_cache_t:s0->system_u:object_r:xserver_log_t:s0
restorecon reset /home/stef/.cache/mozilla context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/startupCache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/startupCache/startupCache.4.little context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-malware-simple.cache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-malware-simple.pset context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-phish-shavar.cache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-phish-simple.sbstore context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-malware-shavar.pset context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-malware-shavar.cache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-phish-simple.cache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-phish-shavar.sbstore context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-phish-shavar.pset context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-phish-simple.pset context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/classifier.hashkey context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/test-malware-simple.sbstore context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/safebrowsing/goog-malware-shavar.sbstore context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/_CACHE_CLEAN_ context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/thumbnails context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/thumbnails/522080098835c56e045ab53b0cfc3385.png context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/thumbnails/be454687f7b5cb730bf79cc8dc1db9fe.png context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/_CACHE_002_ context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/B context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/6 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/_CACHE_001_ context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/3 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/7 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/5 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/9 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/_CACHE_MAP_ context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/4 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/1 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/E context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/8 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/8/40 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/8/40/55BCCd01 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/_CACHE_003_ context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/F context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/F/67 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/F/67/8B3FBd01 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/0 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/0/78 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/0/78/07056d01 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/C context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/A context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/A/20 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/A/20/9FC6Fd01 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/D context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/D/78 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/D/78/A016Fd01 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /home/stef/.cache/mozilla/firefox/zahujn0e.default/Cache/2 context unconfined_u:object_r:mozilla_home_t:s0->unconfined_u:object_r:cache_home_t:s0
restorecon reset /etc/udev/hwdb.bin context unconfined_u:object_r:net_conf_t:s0->unconfined_u:object_r:etc_t:s0

Comment 8 Stef Walter 2013-04-18 12:32:03 UTC

David has also seen this issue.

Comment 9 David Spurek 2013-04-18 12:37:50 UTC

realm join pass in permissive mode for me, fails in enforcing, but 'ausearch -m avc -ts recent' shows me nothing

Comment 10 Stef Walter 2013-04-18 12:38:44 UTC

There are lots of Dontaudit hidden AVCs:

[stef@localhost ~]$ sudo yum install setools-console
[sudo] password for stef: 
...
[stef@localhost ~]$ sudo seinfo --stats | grep audit
   Auditallow:        122    Dontaudit:        7191

Comment 11 Stef Walter 2013-04-18 12:42:16 UTC

Saw a similar error with 'realm leave':

[stef@localhost ~]$ realm leave --verbose
 * LANG=C /usr/sbin/ipa-client-install --uninstall --unattended
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.

Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.THEWALTER.LAN' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration: [Errno 13] Permission denied
 ! Running ipa-client-install failed
realm: Couldn't leave realm: Running ipa-client-install failed

Comment 12 David Spurek 2013-04-18 12:46:59 UTC

I tried semodule --disable_dontaudit --build, then run realm join again

enforcing mode, now ausearch shows me this avc messages:

    ----
    time->Thu Apr 18 14:40:49 2013
    type=SYSCALL msg=audit(1366288849.577:875): arch=c000003e syscall=59 success=yes exit=0 a0=115d7e0 a1=115d6e0 a2=115c010 a3=0 items=0 ppid=9615 pid=9616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1366288849.577:875): avc: denied { noatsecure } for pid=9616 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
    type=AVC msg=audit(1366288849.577:875): avc: denied { siginh } for pid=9616 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
    type=AVC msg=audit(1366288849.577:875): avc: denied { rlimitinh } for pid=9616 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
    ----
    time->Thu Apr 18 14:40:49 2013
    type=SYSCALL msg=audit(1366288849.511:874): arch=c000003e syscall=59 success=yes exit=0 a0=18d3630 a1=18d2700 a2=18d2010 a3=0 items=0 ppid=9613 pid=9614 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="realmd" exe="/usr/lib64/realmd/realmd" subj=system_u:system_r:realmd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1366288849.511:874): avc: denied { noatsecure } for pid=9614 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
    type=AVC msg=audit(1366288849.511:874): avc: denied { siginh } for pid=9614 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
    type=AVC msg=audit(1366288849.511:874): avc: denied { rlimitinh } for pid=9614 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
    ----
    time->Thu Apr 18 14:40:54 2013
    type=SYSCALL msg=audit(1366288854.939:876): arch=c000003e syscall=2 success=no exit=-13 a0=3f6c6d0 a1=2 a2=0 a3=1 items=0 ppid=9615 pid=9616 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1366288854.939:876): avc: denied { write } for pid=9616 comm="setroubleshootd" name="__db.001" dev="dm-1" ino=274470 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
    ----
    time->Thu Apr 18 14:41:46 2013
    type=SYSCALL msg=audit(1366288906.166:885): arch=c000003e syscall=2 success=no exit=-13 a0=19e7890 a1=2 a2=0 a3=0 items=0 ppid=9690 pid=9691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="abrt-action-sav" exe="/usr/bin/abrt-action-save-package-data" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1366288906.166:885): avc: denied { write } for pid=9691 comm="abrt-action-sav" name="__db.001" dev="dm-1" ino=274470 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
    ----
    time->Thu Apr 18 14:41:46 2013
    type=SYSCALL msg=audit(1366288906.179:886): arch=c000003e syscall=2 success=no exit=-13 a0=1a32000 a1=2 a2=0 a3=3 items=0 ppid=9690 pid=9691 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="abrt-action-sav" exe="/usr/bin/abrt-action-save-package-data" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1366288906.179:886): avc: denied { write } for pid=9691 comm="abrt-action-sav" name="__db.001" dev="dm-1" ino=274470 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file

Comment 13 Stef Walter 2013-04-18 12:49:36 UTC

Same here, with dontaudit disabled. This is all with selinux-policy-3.12.1-32

time->Thu Apr 18 14:40:18 2013
type=AVC msg=audit(1366288818.174:2481): avc:  denied  { siginh } for  pid=29537 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:40:18 2013
type=AVC msg=audit(1366288818.174:2480): avc:  denied  { rlimitinh } for  pid=29537 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:40:18 2013
type=AVC msg=audit(1366288818.198:2482): avc:  denied  { noatsecure } for  pid=29537 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:41:40 2013
type=AVC msg=audit(1366288900.738:2498): avc:  denied  { siginh } for  pid=29624 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process
----
time->Thu Apr 18 14:41:40 2013
type=AVC msg=audit(1366288900.738:2497): avc:  denied  { rlimitinh } for  pid=29624 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process
----
time->Thu Apr 18 14:41:40 2013
type=AVC msg=audit(1366288900.750:2499): avc:  denied  { noatsecure } for  pid=29624 comm="nm-dispatcher.a" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=process
----
time->Thu Apr 18 14:42:26 2013
type=AVC msg=audit(1366288946.659:2507): avc:  denied  { siginh } for  pid=29650 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:42:26 2013
type=AVC msg=audit(1366288946.659:2506): avc:  denied  { rlimitinh } for  pid=29650 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:42:26 2013
type=AVC msg=audit(1366288946.685:2508): avc:  denied  { noatsecure } for  pid=29650 comm="realmd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:44:52 2013
type=AVC msg=audit(1366289092.738:2592): avc:  denied  { write } for  pid=29800 comm="abrt-action-sav" name="__db.001" dev="sda3" ino=3989 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Thu Apr 18 14:44:52 2013
type=AVC msg=audit(1366289092.795:2593): avc:  denied  { write } for  pid=29800 comm="abrt-action-sav" name="__db.001" dev="sda3" ino=3989 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Thu Apr 18 14:45:24 2013
type=AVC msg=audit(1366289124.246:2602): avc:  denied  { rlimitinh } for  pid=29838 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:45:24 2013
type=AVC msg=audit(1366289124.246:2603): avc:  denied  { siginh } for  pid=29838 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:45:24 2013
type=AVC msg=audit(1366289124.292:2606): avc:  denied  { noatsecure } for  pid=29838 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:45:41 2013
type=AVC msg=audit(1366289141.240:2610): avc:  denied  { rlimitinh } for  pid=29847 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:45:41 2013
type=AVC msg=audit(1366289141.240:2611): avc:  denied  { siginh } for  pid=29847 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Apr 18 14:45:41 2013
type=AVC msg=audit(1366289141.269:2612): avc:  denied  { noatsecure } for  pid=29847 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process

Comment 14 David Spurek 2013-04-18 12:50:15 UTC

(In reply to comment #11)
> Saw a similar error with 'realm leave':
> 
> [stef@localhost ~]$ realm leave --verbose
>  * LANG=C /usr/sbin/ipa-client-install --uninstall --unattended
> Unenrolling client from IPA server
> Unenrolling host failed: Error obtaining initial credentials: Key table
> entry not found.
> 
> Removing Kerberos service principals from /etc/krb5.keytab
> Failed to remove Kerberos service principals: Command
> '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r IPA.THEWALTER.LAN' returned
> non-zero exit status 5
> Disabling client Kerberos and LDAP configurations
> Failed to remove krb5/LDAP configuration: [Errno 13] Permission denied
>  ! Running ipa-client-install failed
> realm: Couldn't leave realm: Running ipa-client-install failed

I see this problem too, leave fails in enforcign again, but in permissive works.

Comment 15 Daniel Walsh 2013-04-18 13:01:21 UTC

Weird non of those seem related.

Any thing in /var/log/messages

Comment 16 Miroslav Grepl 2013-04-18 13:07:39 UTC

Also

# ausearch -m user_avc

Comment 17 Stef Walter 2013-04-18 13:18:36 UTC

(In reply to comment #15)
> Any thing in /var/log/messages

Not that I can tell. Here is an entire block of /var/log/messages surrounding a 'realm join' that fails. The GDM JS ERRORs have been filed elsewhere:

pr 18 14:43:00 localhost dbus-daemon[255]: dbus[255]: avc:  received setenforce notice (enforcing=1)
Apr 18 14:43:00 localhost dbus-daemon[255]: dbus[255]: [system] Reloaded configuration
Apr 18 14:43:52 localhost realmd[29650]:  * Searching for kerberos SRV records for domain: _kerberos._udp.ipa.thewalter.lan
Apr 18 14:43:52 localhost realmd[29650]:  * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ipa.thewalter.lan
Apr 18 14:43:52 localhost realmd[29650]:  * dc.ipa.thewalter.lan:88 
Apr 18 14:43:52 localhost realmd[29650]:  * Trying to retrieve IPA certificate from dc.ipa.thewalter.lan
Apr 18 14:43:52 localhost realmd[29650]:  * Retrieved IPA CA certificate verifies the HTTPS connection
Apr 18 14:43:52 localhost realmd[29650]:  ! Couldn't discover IPA KDC
Apr 18 14:43:52 localhost realmd[29650]:  * Found kerberos DNS records for: ipa.thewalter.lan
Apr 18 14:43:52 localhost realmd[29650]:  * Found IPA style certificate for: ipa.thewalter.lan
Apr 18 14:43:52 localhost realmd[29650]:  * Successfully discovered: ipa.thewalter.lan
Apr 18 14:43:56 localhost dbus-daemon[255]: dbus[255]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Apr 18 14:43:56 localhost dbus[255]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'
Apr 18 14:43:56 localhost systemd[1]: Expecting device dev-disk-by\x2duuid-89146d09\x2d02a4\x2d49b7\x2da7b2\x2dc25527c4a64a.device...
Apr 18 14:43:56 localhost systemd[1]: Starting Fingerprint Authentication Daemon...
Apr 18 14:43:56 localhost dbus-daemon[255]: dbus[255]: [system] Successfully activated service 'net.reactivated.Fprint'
Apr 18 14:43:56 localhost dbus[255]: [system] Successfully activated service 'net.reactivated.Fprint'
Apr 18 14:43:56 localhost systemd[1]: Started Fingerprint Authentication Daemon.
Apr 18 14:43:56 localhost fprintd[29742]: Launching FprintObject
Apr 18 14:43:56 localhost fprintd[29742]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Apr 18 14:43:56 localhost fprintd[29742]: ** Message: entering main loop
Apr 18 14:43:59 localhost /etc/gdm/Xsession[1095]: Window manager warning: Log level 16: GChildWatchSource: Exit status of a child process was requested but ECHILD was received by waitpid(). Most likely the process is ignoring SIGCHLD, or some other thread is invoking waitpid() with a nonpositive first argument; either behavior can break applications that use g_child_watch_add()/g_spawn_sync() either directly or indirectly.
Apr 18 14:43:59 localhost realmd[29650]:  * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
Apr 18 14:44:00 localhost realmd[29650]:  * LANG=C /usr/sbin/ipa-client-install --domain ipa.thewalter.lan --realm IPA.THEWALTER.LAN --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Apr 18 14:44:01 localhost realmd[29650]: Discovery was successful!
Apr 18 14:44:01 localhost realmd[29650]: Hostname: f19.ipa.thewalter.lan
Apr 18 14:44:01 localhost realmd[29650]: Realm: IPA.THEWALTER.LAN
Apr 18 14:44:01 localhost realmd[29650]: DNS Domain: ipa.thewalter.lan
Apr 18 14:44:01 localhost realmd[29650]: IPA Server: dc.ipa.thewalter.lan
Apr 18 14:44:01 localhost realmd[29650]: BaseDN: dc=ipa,dc=thewalter,dc=lan
Apr 18 14:44:01 localhost realmd[29650]: Synchronizing time with KDC...
Apr 18 14:44:01 localhost ntpdate[29750]: ntpdate 4.2.6p5 Tue Apr  2 17:47:12 UTC 2013 (1)
Apr 18 14:44:08 localhost systemd[1]: Time has been changed
Apr 18 14:44:08 localhost ntpdate[29750]: step time server 192.168.12.11 offset 0.365946 sec
Apr 18 14:44:08 localhost realmd[29650]: Successfully retrieved CA cert
Apr 18 14:44:09 localhost realmd[29650]:     Subject:     CN=Certificate Authority,O=IPA.THEWALTER.LAN
Apr 18 14:44:09 localhost realmd[29650]:     Issuer:      CN=Certificate Authority,O=IPA.THEWALTER.LAN
Apr 18 14:44:09 localhost realmd[29650]:     Valid From:  Wed Apr 17 12:45:40 2013 UTC
Apr 18 14:44:09 localhost realmd[29650]:     Valid Until: Sun Apr 17 12:45:40 2033 UTC
Apr 18 14:44:09 localhost realmd[29650]: 
Apr 18 14:44:10 localhost realmd[29650]: Enrolled in IPA realm IPA.THEWALTER.LAN
Apr 18 14:44:10 localhost realmd[29650]: Created /etc/ipa/default.conf
Apr 18 14:44:12 localhost realmd[29650]: New SSSD config will be created
Apr 18 14:44:12 localhost realmd[29650]: Configured /etc/sssd/sssd.conf
Apr 18 14:44:12 localhost realmd[29650]: Configured /etc/krb5.conf for IPA realm IPA.THEWALTER.LAN
Apr 18 14:44:13 localhost realmd[29650]: trying https://dc.ipa.thewalter.lan/ipa/xml
Apr 18 14:44:13 localhost realmd[29650]: Forwarding 'env' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
Apr 18 14:44:13 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:14 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     lineNumber = '88'
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 14:44:15 localhost /etc/gdm/Xsession[1095]: "'
Apr 18 14:44:15 localhost realmd[29650]: DNS server record set to: f19.ipa.thewalter.lan -> 192.168.12.249
Apr 18 14:44:15 localhost systemd[1]: Started D-Bus System Message Bus.
Apr 18 14:44:15 localhost systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 14:44:15 localhost systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 14:44:16 localhost systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Apr 18 14:44:16 localhost systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 14:44:16 localhost systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 14:44:16 localhost systemd[1]: Reloading.
Apr 18 14:44:17 localhost chronyd[324]: Can't synchronise: no majority
Apr 18 14:44:19 localhost chronyd[324]: Selected source 85.25.154.183
Apr 18 14:44:27 localhost fprintd[29742]: ** Message: No devices in use, exit
Apr 18 14:44:47 localhost realmd[29650]: certmonger request for host certificate failed
Apr 18 14:44:47 localhost realmd[29650]: Forwarding 'host_mod' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
Apr 18 14:44:47 localhost realmd[29650]: host_mod: 2.57 client incompatible with 2.47 server at u'https://dc.ipa.thewalter.lan/ipa/xml'
Apr 18 14:44:47 localhost realmd[29650]: Failed to upload host SSH public keys.
Apr 18 14:44:51 localhost abrt: detected unhandled Python exception in '/usr/sbin/ipa-client-install'
Apr 18 14:44:51 localhost abrtd: New client connected
Apr 18 14:44:51 localhost abrtd: Directory 'pyhook-2013-04-18-14:44:51-29747' creation detected
Apr 18 14:44:51 localhost abrt-server[29798]: Saved problem directory of pid 29747 to '/var/tmp/abrt/pyhook-2013-04-18-14:44:51-29747'
Apr 18 14:44:52 localhost realmd[29650]: 
Apr 18 14:44:52 localhost realmd[29650]: Traceback (most recent call last):
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/sbin/ipa-client-install", line 2464, in <module>
Apr 18 14:44:52 localhost realmd[29650]:     sys.exit(main())
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/sbin/ipa-client-install", line 2450, in main
Apr 18 14:44:52 localhost realmd[29650]:     rval = install(options, env, fstore, statestore)
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/sbin/ipa-client-install", line 2330, in install
Apr 18 14:44:52 localhost realmd[29650]:     auth_config.execute()
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/lib/python2.7/site-packages/ipapython/platform/redhat/auth.py", line 49, in execute
Apr 18 14:44:52 localhost realmd[29650]:     ipautil.run(["/usr/sbin/authconfig"]+args)
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 300, in run
Apr 18 14:44:52 localhost realmd[29650]:     close_fds=True, env=env, cwd=cwd)
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
Apr 18 14:44:52 localhost realmd[29650]:     errread, errwrite)
Apr 18 14:44:52 localhost realmd[29650]:   File "/usr/lib/python2.7/subprocess.py", line 1308, in _execute_child
Apr 18 14:44:52 localhost realmd[29650]:     raise child_exception
Apr 18 14:44:52 localhost realmd[29650]: OSError: [Errno 13] Permission denied
Apr 18 14:44:53 localhost realmd[29650]:  ! Running ipa-client-install failed
Apr 18 14:44:53 localhost setroubleshoot: Unable to add audit event: node=localhost.localdomain type=AVC msg=audit(1366289092.738:2592): avc:  denied  { write } for  pid=29800 comm="abrt-action-sav" name="__db.001" dev="sda3" ino=3989 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
Apr 18 14:44:53 localhost abrtd: Core backtrace is generated and saved, 674 bytes
Apr 18 14:44:53 localhost abrtd: Duplicate: core backtrace
Apr 18 14:44:53 localhost abrtd: DUP_OF_DIR: /var/tmp/abrt/pyhook-2013-04-18-13:22:16-3562
Apr 18 14:44:53 localhost abrtd: Deleting problem directory pyhook-2013-04-18-14:44:51-29747 (dup of pyhook-2013-04-18-13:22:16-3562)
Apr 18 14:44:53 localhost /etc/gdm/Xsession[1095]: abrt-applet: repeated problem in freeipa-client-3.2.0-0.2.beta1.fc19, not showing the notification
Apr 18 14:45:00 localhost setroubleshoot: Unable to add audit event: node=localhost.localdomain type=AVC msg=audit(1366289092.795:2593): avc:  denied  { write } for  pid=29800 comm="abrt-action-sav" name="__db.001" dev="sda3" ino=3989 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
Apr 18 14:45:15 localhost chronyd[324]: Selected source 88.198.244.104
Apr 18 14:45:24 localhost dbus-daemon[255]: dbus[255]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Apr 18 14:45:24 localhost dbus[255]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
Apr 18 14:45:24 localhost dbus-daemon[255]: dbus[255]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Apr 18 14:45:24 localhost dbus[255]: [system] Successfully activated service 'org.freedesktop.PackageKit'
Apr 18 14:45:24 localhost setroubleshoot: Unable to add audit event: node=localhost.localdomain type=AVC msg=audit(1366289124.246:2602): avc:  denied  { rlimitinh } for  pid=29838 comm="packagekitd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=process
...

Comment 18 Stef Walter 2013-04-18 13:19:17 UTC

(In reply to comment #16)
> Also
> 
> # ausearch -m user_avc

[root@f19 stef]# ausearch -m user_avc
----
time->Wed Apr 17 20:28:10 2013
type=USER_AVC msg=audit(1366223290.292:362): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Apr 17 21:36:20 2013
type=USER_AVC msg=audit(1366227380.550:615): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 13:21:42 2013
type=USER_AVC msg=audit(1366284102.359:873): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 13:21:43 2013
type=USER_AVC msg=audit(1366284103.371:877): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.148 spid=3590 tpid=3600 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 13:28:59 2013
type=USER_AVC msg=audit(1366284539.664:897): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 13:29:50 2013
type=USER_AVC msg=audit(1366284590.174:966): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.167 spid=3817 tpid=3827 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:05:18 2013
type=USER_AVC msg=audit(1366286718.745:2011): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.244 spid=28565 tpid=28575 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:17:01 2013
type=USER_AVC msg=audit(1366287421.893:2043): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:25:57 2013
type=USER_AVC msg=audit(1366287957.487:2112): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.263 spid=28994 tpid=29004 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:30:20 2013
type=USER_AVC msg=audit(1366288220.805:2454): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:30:22 2013
type=USER_AVC msg=audit(1366288222.540:2458): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.284 spid=29380 tpid=29390 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:40:27 2013
type=USER_AVC msg=audit(1366288827.879:2486): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:42:36 2013
type=USER_AVC msg=audit(1366288956.325:2512): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:44:15 2013
type=USER_AVC msg=audit(1366289055.447:2584): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:44:17 2013
type=USER_AVC msg=audit(1366289057.148:2588): pid=255 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.323 spid=29781 tpid=29791 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe=2F7573722F62696E2F646275732D6461656D6F6E202864656C6574656429 sauid=81 hostname=? addr=? terminal=?'

Comment 19 Miroslav Grepl 2013-04-18 13:29:54 UTC

Ok, try to run

# ausearch -m user_avc |audit2allow -R -M mypol
# semodule -i mypol.pp


and re-test it.

Comment 20 Patrik Kis 2013-04-18 13:38:19 UTC

(In reply to comment #19)
> Ok, try to run
> 
> # ausearch -m user_avc |audit2allow -R -M mypol
> # semodule -i mypol.pp
> 
> 
> and re-test it.

I've tried that and it still failing:

[root@client ~]# ausearch -m user_avc
----
time->Thu Apr 18 10:07:56 2013
type=USER_AVC msg=audit(1366272476.326:500): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 10:21:30 2013
type=USER_AVC msg=audit(1366273290.954:930): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 13:09:31 2013
type=USER_AVC msg=audit(1366283371.498:111): pid=378 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.43 spid=1311 tpid=1321 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:55:57 2013
type=USER_AVC msg=audit(1366289757.492:144): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.42 spid=1430 tpid=1440 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:56:52 2013
type=USER_AVC msg=audit(1366289812.792:147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 14:57:58 2013
type=USER_AVC msg=audit(1366289878.790:204): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.48 spid=1607 tpid=1617 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:15:25 2013
type=USER_AVC msg=audit(1366290925.712:387): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:15:29 2013
type=USER_AVC msg=audit(1366290929.333:388): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.55 spid=1607 tpid=1977 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:17:14 2013
type=USER_AVC msg=audit(1366291034.252:396): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:17:17 2013
type=USER_AVC msg=audit(1366291037.412:398): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.59 spid=2024 tpid=2028 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:26:08 2013
type=USER_AVC msg=audit(1366291568.182:1019): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:26:08 2013
type=USER_AVC msg=audit(1366291568.858:1023): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.79 spid=3002 tpid=3012 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:27:07 2013
type=USER_AVC msg=audit(1366291627.517:1026): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:27:33 2013
type=USER_AVC msg=audit(1366291653.691:1080): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.86 spid=3178 tpid=3188 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:28:00 2013
type=USER_AVC msg=audit(1366291680.599:1245): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Apr 18 15:28:03 2013
type=USER_AVC msg=audit(1366291683.713:1246): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.89 spid=3178 tpid=3391 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[root@client ~]# ausearch -m user_avc |audit2allow -R -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@client ~]# semodule -i mypol.pp
[root@client ~]# 

[root@client ~]# realm join -v --user=admin skynet.com
 * Searching for kerberos SRV records for domain: _kerberos._udp.skynet.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.skynet.com
 * f19.skynet.com:88 
 * Trying to retrieve IPA certificate from f19.skynet.com
 * Retrieved IPA CA certificate verifies the HTTPS connection
 ! Couldn't discover IPA KDC
 * Found kerberos DNS records for: skynet.com
 * Found IPA style certificate for: skynet.com
 * Successfully discovered: skynet.com
Password for admin: 
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain skynet.com --realm SKYNET.COM --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Discovery was successful!
Hostname: client.skynet.com
Realm: SKYNET.COM
DNS Domain: skynet.com
IPA Server: f19.skynet.com
BaseDN: dc=skynet,dc=com
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=SKYNET.COM
    Issuer:      CN=Certificate Authority,O=SKYNET.COM
    Valid From:  Tue Apr 16 15:52:24 2013 UTC
    Valid Until: Sat Apr 16 15:52:24 2033 UTC

Enrolled in IPA realm SKYNET.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm SKYNET.COM
trying https://f19.skynet.com/ipa/xml
Forwarding 'env' to server u'https://f19.skynet.com/ipa/xml'
DNS server record set to: client.skynet.com -> 192.168.100.31
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Forwarding 'host_mod' to server u'https://f19.skynet.com/ipa/xml'

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2464, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2450, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2330, in install
    auth_config.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/redhat/auth.py", line 49, in execute
    ipautil.run(["/usr/sbin/authconfig"]+args)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 300, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied
 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed
[root@client ~]# 


-----
/var/log/audit/audit.log:

type=USER_AVC msg=audit(1366292102.904:1351): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

----

/var/log/messages:

Apr 18 15:34:48 client realmd[3486]:  * Searching for kerberos SRV records for domain: _kerberos._udp.skynet.com
Apr 18 15:34:48 client realmd[3486]:  * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.skynet.com
Apr 18 15:34:48 client realmd[3486]:  * f19.skynet.com:88 
Apr 18 15:34:48 client realmd[3486]:  * Trying to retrieve IPA certificate from f19.skynet.com
Apr 18 15:34:49 client realmd[3486]:  * Retrieved IPA CA certificate verifies the HTTPS connection
Apr 18 15:34:49 client realmd[3486]:  ! Couldn't discover IPA KDC
Apr 18 15:34:49 client realmd[3486]:  * Found kerberos DNS records for: skynet.com
Apr 18 15:34:49 client realmd[3486]:  * Found IPA style certificate for: skynet.com
Apr 18 15:34:49 client realmd[3486]:  * Successfully discovered: skynet.com
Apr 18 15:34:51 client realmd[3486]:  * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
Apr 18 15:34:51 client realmd[3486]:  * LANG=C /usr/sbin/ipa-client-install --domain skynet.com --realm SKYNET.COM --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Apr 18 15:34:52 client realmd[3486]: Discovery was successful!
Apr 18 15:34:52 client realmd[3486]: Hostname: client.skynet.com
Apr 18 15:34:52 client realmd[3486]: Realm: SKYNET.COM
Apr 18 15:34:52 client realmd[3486]: DNS Domain: skynet.com
Apr 18 15:34:52 client realmd[3486]: IPA Server: f19.skynet.com
Apr 18 15:34:52 client realmd[3486]: BaseDN: dc=skynet,dc=com
Apr 18 15:34:52 client realmd[3486]: Synchronizing time with KDC...
Apr 18 15:34:52 client ntpdate[3661]: ntpdate 4.2.6p5 Tue Apr  2 17:47:01 UTC 2013 (1)
Apr 18 15:34:58 client systemd[1]: Time has been changed
Apr 18 15:34:58 client ntpdate[3661]: step time server 192.168.100.83 offset 0.000301 sec
Apr 18 15:34:59 client realmd[3486]: Successfully retrieved CA cert
Apr 18 15:34:59 client realmd[3486]:     Subject:     CN=Certificate Authority,O=SKYNET.COM
Apr 18 15:34:59 client realmd[3486]:     Issuer:      CN=Certificate Authority,O=SKYNET.COM
Apr 18 15:34:59 client realmd[3486]:     Valid From:  Tue Apr 16 15:52:24 2013 UTC
Apr 18 15:34:59 client realmd[3486]:     Valid Until: Sat Apr 16 15:52:24 2033 UTC
Apr 18 15:34:59 client realmd[3486]: 
Apr 18 15:35:00 client realmd[3486]: Enrolled in IPA realm SKYNET.COM
Apr 18 15:35:00 client realmd[3486]: Created /etc/ipa/default.conf
Apr 18 15:35:01 client realmd[3486]: New SSSD config will be created
Apr 18 15:35:01 client realmd[3486]: Configured /etc/sssd/sssd.conf
Apr 18 15:35:01 client systemd[1]: Starting PC/SC Smart Card Daemon...
Apr 18 15:35:01 client systemd[1]: Started PC/SC Smart Card Daemon.
Apr 18 15:35:01 client pcscd[3671]: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Apr 18 15:35:01 client pcscd[3671]: 00008650 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00002277 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00002061 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00001194 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client realmd[3486]: Configured /etc/krb5.conf for IPA realm SKYNET.COM
Apr 18 15:35:01 client realmd[3486]: trying https://f19.skynet.com/ipa/xml
Apr 18 15:35:01 client realmd[3486]: Forwarding 'env' to server u'https://f19.skynet.com/ipa/xml'
Apr 18 15:35:01 client pcscd[3671]: 00198272 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00002448 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00002265 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:01 client pcscd[3671]: 00000230 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:35:02 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:35:02 client realmd[3486]: DNS server record set to: client.skynet.com -> 192.168.100.31
Apr 18 15:35:02 client systemd[1]: Started D-Bus System Message Bus.
Apr 18 15:35:02 client systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 15:35:02 client systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 15:35:03 client systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Apr 18 15:35:03 client systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 15:35:03 client systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 15:35:03 client systemd[1]: Reloading.
Apr 18 15:35:03 client realmd[3486]: Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Apr 18 15:35:03 client realmd[3486]: Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Apr 18 15:35:03 client realmd[3486]: Forwarding 'host_mod' to server u'https://f19.skynet.com/ipa/xml'
Apr 18 15:35:03 client pcscd[3671]: 01726369 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:04 client certmonger: Certificate named "IPA Machine Certificate - client.skynet.com" in token "NSS Certificate DB" in database "/etc/pki/nssdb" issued by CA and saved.
Apr 18 15:35:06 client abrt: detected unhandled Python exception in '/usr/sbin/ipa-client-install'
Apr 18 15:35:08 client pcscd[3671]: 04965243 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:35:08 client abrtd: New client connected
Apr 18 15:35:09 client abrtd: Directory 'pyhook-2013-04-18-15:35:09-3658' creation detected
Apr 18 15:35:09 client abrt-server[3721]: Saved problem directory of pid 3658 to '/var/tmp/abrt/pyhook-2013-04-18-15:35:09-3658'
Apr 18 15:35:09 client realmd[3486]: 
Apr 18 15:35:09 client realmd[3486]: Traceback (most recent call last):
Apr 18 15:35:09 client realmd[3486]:   File "/usr/sbin/ipa-client-install", line 2464, in <module>
Apr 18 15:35:09 client realmd[3486]:     sys.exit(main())
Apr 18 15:35:09 client realmd[3486]:   File "/usr/sbin/ipa-client-install", line 2450, in main
Apr 18 15:35:09 client realmd[3486]:     rval = install(options, env, fstore, statestore)
Apr 18 15:35:09 client realmd[3486]:   File "/usr/sbin/ipa-client-install", line 2330, in install
Apr 18 15:35:09 client realmd[3486]:     auth_config.execute()
Apr 18 15:35:09 client realmd[3486]:   File "/usr/lib/python2.7/site-packages/ipapython/platform/redhat/auth.py", line 49, in execute
Apr 18 15:35:09 client realmd[3486]:     ipautil.run(["/usr/sbin/authconfig"]+args)
Apr 18 15:35:09 client realmd[3486]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 300, in run
Apr 18 15:35:09 client realmd[3486]:     close_fds=True, env=env, cwd=cwd)
Apr 18 15:35:10 client realmd[3486]:   File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
Apr 18 15:35:10 client realmd[3486]:     errread, errwrite)
Apr 18 15:35:10 client realmd[3486]:   File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
Apr 18 15:35:10 client realmd[3486]:     raise child_exception
Apr 18 15:35:10 client realmd[3486]: OSError: [Errno 13] Permission denied
Apr 18 15:35:10 client realmd[3486]:  ! Running ipa-client-install failed
Apr 18 15:35:10 client abrtd: Core backtrace is generated and saved, 678 bytes
Apr 18 15:35:10 client abrtd: Duplicate: core backtrace
Apr 18 15:35:10 client abrtd: DUP_OF_DIR: /var/tmp/abrt/pyhook-2013-04-18-13:10:06-1279
Apr 18 15:35:10 client abrtd: Deleting problem directory pyhook-2013-04-18-15:35:09-3658 (dup of pyhook-2013-04-18-13:10:06-1279)

Comment 21 Patrik Kis 2013-04-18 13:53:30 UTC

with new policy it still fails:

[root@client ~]# rpm -qa selinux-policy*
selinux-policy-targeted-3.12.1-33.fc19.noarch
selinux-policy-doc-3.12.1-33.fc19.noarch
selinux-policy-devel-3.12.1-33.fc19.noarch
selinux-policy-3.12.1-33.fc19.noarch
[root@client ~]# 
[root@client ~]#  semodule -l | grep mypol
[root@client ~]# 

type=USER_AVC msg=audit(1366293068.487:1417): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1366293068.490:1418): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1366293068.491:1419): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1366293071.476:1423): pid=373 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.112 spid=4596 tpid=4606 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:realmd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'



/var/log/messages:

pr 18 15:50:11 client kernel: [ 7224.812379] SELinux:  Context system_u:system_r:authconfig_t:s0-s0:c0.c1023 became invalid (unmapped).
Apr 18 15:50:16 client dbus[664]: avc:  received policyload notice (seqno=4)
Apr 18 15:50:19 client dbus[373]: avc:  received policyload notice (seqno=4)
Apr 18 15:50:21 client dbus[644]: avc:  received policyload notice (seqno=4)
Apr 18 15:50:22 client dbus[373]: [system] Reloaded configuration
Apr 18 15:50:22 client dbus-daemon[373]: dbus[373]: avc:  received policyload notice (seqno=4)
Apr 18 15:50:22 client dbus-daemon[373]: dbus[373]: [system] Reloaded configuration
Apr 18 15:50:43 client dbus-daemon[373]: dbus[373]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Apr 18 15:50:43 client dbus[373]: [system] Activating service name='org.freedesktop.realmd' (using servicehelper)
Apr 18 15:50:45 client realmd[4556]:  * Searching for kerberos SRV records for domain: _kerberos._udp.skynet.com
Apr 18 15:50:45 client realmd[4556]:  * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.skynet.com
Apr 18 15:50:45 client realmd[4556]:  * f19.skynet.com:88 
Apr 18 15:50:45 client realmd[4556]:  * Trying to retrieve IPA certificate from f19.skynet.com
Apr 18 15:50:45 client dbus-daemon[373]: dbus[373]: [system] Successfully activated service 'org.freedesktop.realmd'
Apr 18 15:50:45 client dbus[373]: [system] Successfully activated service 'org.freedesktop.realmd'
Apr 18 15:50:46 client realmd[4556]:  * Retrieved IPA CA certificate verifies the HTTPS connection
Apr 18 15:50:46 client realmd[4556]:  ! Couldn't discover IPA KDC
Apr 18 15:50:46 client realmd[4556]:  * Found kerberos DNS records for: skynet.com
Apr 18 15:50:47 client realmd[4556]:  * Found IPA style certificate for: skynet.com
Apr 18 15:50:47 client realmd[4556]:  * Successfully discovered: skynet.com
Apr 18 15:50:49 client realmd[4556]:  * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
Apr 18 15:50:49 client realmd[4556]:  * LANG=C /usr/sbin/ipa-client-install --domain skynet.com --realm SKYNET.COM --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Apr 18 15:50:54 client realmd[4556]: Discovery was successful!
Apr 18 15:50:54 client realmd[4556]: Hostname: client.skynet.com
Apr 18 15:50:54 client realmd[4556]: Realm: SKYNET.COM
Apr 18 15:50:54 client realmd[4556]: DNS Domain: skynet.com
Apr 18 15:50:54 client realmd[4556]: IPA Server: f19.skynet.com
Apr 18 15:50:54 client realmd[4556]: BaseDN: dc=skynet,dc=com
Apr 18 15:50:54 client realmd[4556]: Synchronizing time with KDC...
Apr 18 15:50:54 client ntpdate[4567]: ntpdate 4.2.6p5 Tue Apr  2 17:47:01 UTC 2013 (1)
Apr 18 15:51:00 client ntpdate[4567]: step time server 192.168.100.83 offset 0.000029 sec
Apr 18 15:51:00 client systemd[1]: Time has been changed
Apr 18 15:51:02 client realmd[4556]: Successfully retrieved CA cert
Apr 18 15:51:02 client realmd[4556]:     Subject:     CN=Certificate Authority,O=SKYNET.COM
Apr 18 15:51:02 client realmd[4556]:     Issuer:      CN=Certificate Authority,O=SKYNET.COM
Apr 18 15:51:02 client realmd[4556]:     Valid From:  Tue Apr 16 15:52:24 2013 UTC
Apr 18 15:51:02 client realmd[4556]:     Valid Until: Sat Apr 16 15:52:24 2033 UTC
Apr 18 15:51:02 client realmd[4556]: 
Apr 18 15:51:04 client realmd[4556]: Enrolled in IPA realm SKYNET.COM
Apr 18 15:51:04 client realmd[4556]: Created /etc/ipa/default.conf
Apr 18 15:51:05 client realmd[4556]: New SSSD config will be created
Apr 18 15:51:05 client realmd[4556]: Configured /etc/sssd/sssd.conf
Apr 18 15:51:06 client systemd[1]: Starting PC/SC Smart Card Daemon...
Apr 18 15:51:06 client systemd[1]: Started PC/SC Smart Card Daemon.
Apr 18 15:51:06 client pcscd[4576]: 00000000 utils.c:53:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Apr 18 15:51:06 client pcscd[4576]: 00123982 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00004403 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00001137 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00001453 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client realmd[4556]: Configured /etc/krb5.conf for IPA realm SKYNET.COM
Apr 18 15:51:06 client realmd[4556]: trying https://f19.skynet.com/ipa/xml
Apr 18 15:51:06 client realmd[4556]: Forwarding 'env' to server u'https://f19.skynet.com/ipa/xml'
Apr 18 15:51:06 client pcscd[4576]: 00208825 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00002515 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00002184 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client pcscd[4576]: 00000217 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:06 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!   Exception was: TypeError: realm is undefined
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     message = '"realm is undefined"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     fileName = '"/usr/share/gnome-shell/js/gdm/realmd.js"'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     lineNumber = '88'
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: JS ERROR: !!!     stack = '"()@/usr/share/gnome-shell/js/gdm/realmd.js:88
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: wrapper()@/usr/share/gjs-1.0/lang.js:213
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: ([object GObject_Object],[object GObject_Boxed],[object Array])@/usr/share/gnome-shell/js/gdm/realmd.js:109
Apr 18 15:51:07 client /usr/bin/dbus-launch[606]: "'
Apr 18 15:51:08 client realmd[4556]: DNS server record set to: client.skynet.com -> 192.168.100.31
Apr 18 15:51:08 client systemd[1]: Started D-Bus System Message Bus.
Apr 18 15:51:08 client systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 15:51:08 client systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 15:51:08 client systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Apr 18 15:51:09 client systemd[1]: Starting Certificate monitoring and PKI enrollment...
Apr 18 15:51:09 client systemd[1]: Started Certificate monitoring and PKI enrollment.
Apr 18 15:51:09 client systemd[1]: Reloading.
Apr 18 15:51:41 client realmd[4556]: certmonger request for host certificate failed
Apr 18 15:51:41 client realmd[4556]: Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Apr 18 15:51:41 client realmd[4556]: Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Apr 18 15:51:41 client realmd[4556]: Forwarding 'host_mod' to server u'https://f19.skynet.com/ipa/xml'
Apr 18 15:51:41 client pcscd[4576]: 34671710 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:45 client abrt: detected unhandled Python exception in '/usr/sbin/ipa-client-install'
Apr 18 15:51:46 client pcscd[4576]: 04766489 winscard.c:240:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 18 15:51:46 client abrtd: New client connected
Apr 18 15:51:46 client abrtd: Directory 'pyhook-2013-04-18-15:51:46-4564' creation detected
Apr 18 15:51:46 client abrt-server[4623]: Saved problem directory of pid 4564 to '/var/tmp/abrt/pyhook-2013-04-18-15:51:46-4564'
Apr 18 15:51:47 client realmd[4556]: 
Apr 18 15:51:47 client realmd[4556]: Traceback (most recent call last):
Apr 18 15:51:47 client realmd[4556]:   File "/usr/sbin/ipa-client-install", line 2464, in <module>
Apr 18 15:51:47 client realmd[4556]:     sys.exit(main())
Apr 18 15:51:47 client realmd[4556]:   File "/usr/sbin/ipa-client-install", line 2450, in main
Apr 18 15:51:47 client realmd[4556]:     rval = install(options, env, fstore, statestore)
Apr 18 15:51:47 client realmd[4556]:   File "/usr/sbin/ipa-client-install", line 2330, in install
Apr 18 15:51:47 client realmd[4556]:     auth_config.execute()
Apr 18 15:51:47 client realmd[4556]:   File "/usr/lib/python2.7/site-packages/ipapython/platform/redhat/auth.py", line 49, in execute
Apr 18 15:51:47 client realmd[4556]:     ipautil.run(["/usr/sbin/authconfig"]+args)
Apr 18 15:51:47 client realmd[4556]:   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 300, in run
Apr 18 15:51:47 client realmd[4556]:     close_fds=True, env=env, cwd=cwd)
Apr 18 15:51:47 client realmd[4556]:   File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
Apr 18 15:51:47 client realmd[4556]:     errread, errwrite)
Apr 18 15:51:47 client realmd[4556]:   File "/usr/lib64/python2.7/subprocess.py", line 1308, in _execute_child
Apr 18 15:51:47 client realmd[4556]:     raise child_exception
Apr 18 15:51:47 client realmd[4556]: OSError: [Errno 13] Permission denied
Apr 18 15:51:47 client realmd[4556]:  ! Running ipa-client-install failed
Apr 18 15:51:47 client abrtd: Core backtrace is generated and saved, 678 bytes
Apr 18 15:51:47 client abrtd: Duplicate: core backtrace
Apr 18 15:51:47 client abrtd: DUP_OF_DIR: /var/tmp/abrt/pyhook-2013-04-18-13:10:06-1279
Apr 18 15:51:47 client abrtd: Deleting problem directory pyhook-2013-04-18-15:51:46-4564 (dup of pyhook-2013-04-18-13:10:06-1279)

Comment 22 Patrik Kis 2013-04-18 15:00:12 UTC

This is a reminder to mgrepl, how this issue was fixed:

[root@client ~]# cat mypol1.te 

module mypol1 1.0;

require {
	type sssd_t;
	type selinux_config_t;
	type realmd_t;
	type rpm_var_lib_t;
	type setroubleshootd_t;
	type system_dbusd_t;
	class process { siginh noatsecure rlimitinh };
	class file { read write getattr open };
	role system_r;
	type authconfig_t;
}

role system_r types authconfig_t;

Comment 23 Miroslav Grepl 2013-04-18 15:02:26 UTC

Building selinux-policy-3.12.1-34.fc19 for f19-candidate

Comment 24 yelley 2013-04-18 20:06:37 UTC

after downloading selinux-policy-3.12.1-34.fc19, "realm join" and "realm leave" are working in enforcing mode without any problems . yay! :)

Comment 25 Stef Walter 2013-04-19 19:50:06 UTC

*** Bug 953936 has been marked as a duplicate of this bug. ***

Comment 26 Fedora Update System 2013-05-03 12:44:52 UTC

selinux-policy-3.12.1-39.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-39.fc19

Comment 27 Fedora Update System 2013-05-03 15:20:10 UTC

Package selinux-policy-3.12.1-39.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-39.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-39.fc19
then log in and leave karma (feedback).

Comment 28 Fedora Update System 2013-05-04 18:54:17 UTC

Package selinux-policy-3.12.1-40.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-40.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-40.fc19
then log in and leave karma (feedback).

Comment 29 Patrik Kis 2013-05-06 10:56:55 UTC

The following commands were verified against an IPA domain in enforcing mode and they work without problems; no AVCs appeared during the test.
realm discover
realm join
realm list
realm leave

Verified components:
realmd-0.13.91-1.fc19
selinux-policy-targeted-3.12.1-40.fc19
selinux-policy-3.12.1-40.fc19

Comment 30 Stef Walter 2013-05-13 15:17:20 UTC

These packages have now made it into Fedora 19.

Note You need to log in before you can comment on or make changes to this bug.