[389-devel] SELinux errors with 389-ds-base-1.2.6-0.5.rc1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

In IPA v2 I'm getting the following SELinux AVCs from ns-slapd:

type=AVC msg=audit(1276693069.494:16808): avc:  denied  { getattr } for 
  pid=16334 comm="ns-slapd" path="/var/tmp/ldap_496" dev=sda1 ino=180255 
scontext=unconfined_u:system_r:dirsrv_t:s0 
tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1276693069.494:16809): avc:  denied  { unlink } for 
pid=16334 comm="ns-slapd" name="ldap_496" dev=sda1 ino=180255 
scontext=unconfined_u:system_r:dirsrv_t:s0 
tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

I'm seeing a related error in my Apache logs:

[Wed Jun 16 08:57:49 2010] [error] ACIError: Insufficient access: 
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Cannot create replay cache file 
/var/tmp/ldap_496: File exists) Invalid credentials

The context is we create an ldapi connection during Apache startup. We 
use GSSAPI and a keytab to authenticate.

At this point I'm not sure if this is an issue with 389-ds or IPA.

I've got the latest selinux-polixy installed: selinux-policy-3.6.32-116

rob
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel
[Index of Archives]     [Fedora Directory Announce]     [Fedora Users]     [Older Fedora Users Mail]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Review]     [Fedora Art]     [Fedora Music]     [Fedora Packaging]     [CentOS]     [Fedora SELinux]     [Big List of Linux Books]     [KDE Users]     [Fedora Art]     [Fedora Docs]

  Powered by Linux