Description of problem:

[stef@f19 ~]$ sudo setenforce permissive
[sudo] password for stef:
[stef@f19 ~]$ realm join --user=admin --verbose ipa.thewalter.lan
 * Searching for kerberos SRV records for domain: _kerberos._udp.ipa.thewalter.lan
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.ipa.thewalter.lan
 * dc.ipa.thewalter.lan:88
 * Trying to retrieve IPA certificate from dc.ipa.thewalter.lan
 * Retrieved IPA CA certificate verifies the HTTPS connection
 ! Couldn't discover IPA KDC
 * Found kerberos DNS records for: ipa.thewalter.lan
 * Found IPA style certificate for: ipa.thewalter.lan
 * Successfully discovered: ipa.thewalter.lan
Password for admin:
 * Required files: /usr/sbin/ipa-client-install, /usr/sbin/sss_cache, /usr/sbin/sssd
 * LANG=C /usr/sbin/ipa-client-install --domain ipa.thewalter.lan --realm IPA.THEWALTER.LAN --principal admin -W --mkhomedir --no-ntp --enable-dns-updates --unattended
Discovery was successful!
Hostname: f19.ipa.thewalter.lan
Realm: IPA.THEWALTER.LAN
DNS Domain: ipa.thewalter.lan
IPA Server: dc.ipa.thewalter.lan
BaseDN: dc=ipa,dc=thewalter,dc=lan
Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.THEWALTER.LAN
    Issuer:      CN=Certificate Authority,O=IPA.THEWALTER.LAN
    Valid From:  Wed Apr 17 12:45:40 2013 UTC
    Valid Until: Sun Apr 17 12:45:40 2033 UTC
Enrolled in IPA realm IPA.THEWALTER.LAN
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.THEWALTER.LAN
trying https://dc.ipa.thewalter.lan/ipa/xml
Forwarding 'env' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
Hostname (f19.ipa.thewalter.lan) not found in DNS
DNS server record set to: f19.ipa.thewalter.lan -> 192.168.12.249
Forwarding 'host_mod' to server u'https://dc.ipa.thewalter.lan/ipa/xml'
host_mod: 2.57 client incompatible with 2.47 server at u'https://dc.ipa.thewalter.lan/ipa/xml'
Failed to upload host SSH public keys.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Installed OpenSSH server does not support dynamically loading authorized user keys.
Public key authentication of IPA users will not be available.
Configured /etc/ssh/sshd_config
Client configuration complete.
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart
 * Successfully enrolled machine in realm

SELinux is preventing ipa-submit from 'read' accesses on the file unix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ipa-submit should be allowed read access on the unix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ipa-submit /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:certmonger_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                unix [ file ]
Source                        ipa-submit
Source Path                   ipa-submit
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-32.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-0.rc6.git2.3.fc19.i686 #1 SMP Mon Apr 15 20:44:46 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-04-18 13:29:53 CEST
Last Seen                     2013-04-18 13:29:53 CEST
Local ID                      5651c6af-6137-4af1-ad84-8aae369deb33

Raw Audit Messages
type=AVC msg=audit(1366284593.671:967): avc:  denied  { read } for  pid=3839 comm="ipa-submit" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Hash: ipa-submit,certmonger_t,proc_net_t,file,read

audit2allow

#============= certmonger_t ==============
allow certmonger_t proc_net_t:file read;

audit2allow -R

require {
	type certmonger_t;
	type proc_net_t;
	class file read;
}

#============= certmonger_t ==============
allow certmonger_t proc_net_t:file read;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc6.git2.3.fc19.i686
type:           libreport
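As an added example (not part of the bug report or of setroubleshoot/audit2allow), the following Python parses the raw AVC message quoted above into its fields, reproduces the setroubleshoot "Hash:" line and derives the allow rule that audit2allow prints; the second denial line is constructed here to show how several denials against the same contexts merge into one rule.

```python
import re

# AVC record copied from the setroubleshoot report above, plus a second
# denial constructed for this example (same contexts, 'open' permission).
AVC_LINE = (
    'type=AVC msg=audit(1366284593.671:967): avc:  denied  { read } for  '
    'pid=3839 comm="ipa-submit" name="unix" dev="proc" ino=4026532002 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file'
)
CONSTRUCTED_LINE = AVC_LINE.replace("{ read }", "{ open }").replace(":967", ":968")

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into result, sorted permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"result": m.group("result"), "perms": sorted(m.group("perms").split()), **fields}

def type_of(context):
    """Type component of a context: system_u:system_r:certmonger_t:s0 -> certmonger_t."""
    return context.split(":")[2]

def alert_hash(avc):
    """The 'Hash:' line setroubleshoot prints: comm,source type,target type,class,perms."""
    return ",".join([avc["comm"], type_of(avc["scontext"]), type_of(avc["tcontext"]),
                     avc["tclass"], " ".join(avc["perms"])])

def merge_rules(lines):
    """Collapse denials into one allow rule per (source, target, class), as audit2allow does.
    Review the scope before 'semodule -i': the rule grants certmonger_t read on every
    file labelled proc_net_t (all of /proc/net), not only the 'unix' entry denied here."""
    grouped = {}
    for line in lines:
        avc = parse_avc(line)
        if avc["result"] != "denied":
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        grouped.setdefault(key, set()).update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return rules

if __name__ == "__main__":
    print(alert_hash(parse_avc(AVC_LINE)))
    print("\n".join(merge_rules([AVC_LINE, CONSTRUCTED_LINE])))
```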
Added.
selinux-policy-3.12.1-39.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-39.fc19
Package selinux-policy-3.12.1-39.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-39.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-39.fc19
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-40.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-40.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7338/selinux-policy-3.12.1-40.fc19
then log in and leave karma (feedback).
The selinux-policy package noted is now part of stable Fedora 19.