Hi guys.
Anybody on CentOS Stream? With updates among which I have
selinux-policy-3.14.3-79.el8.noarch
ipa-selinux-4.9.6-4.module_el8.5.0+921+2b5d5825.noarch
I end up with problems:
Starting The Apache HTTP Server...
ipa: INFO: KDC proxy enabled
ipa-httpd-kdcproxy: INFO KDC proxy enabled
[Mon Sep 27 08:58:25.895507 2021] [auth_gssapi:error] [pid 9238:tid 140576742644032] Failed to open key file /etc/httpd/alias/ipasession.key
[Mon Sep 27 08:58:25.895674 2021] [auth_gssapi:error] [pid 9238:tid 140576742644032] Failed to open key file /etc/httpd/alias/ipasession.key
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does not exist or is empty
httpd.service: Main process exited, code=exited, status=1/FAILURE
httpd.service: Failed with result 'exit-code'.
Failed to start The Apache HTTP Server.
-> $ restorecon -RFv /var/lib/ipa/certs/
restorecon: Could not set context for /var/lib/ipa/certs: Invalid argument
restorecon: Could not set context for /var/lib/ipa/certs/httpd.crt: Invalid argument
I told OS to autorelabel and after reboot I can not get to the system, not via 'ssh' nor with terminal login - that's new :)
regards, L.
Hi,
Any AVC present in /var/log/audit/audit.log?
Thank you, François
On Mon, Sep 27, 2021 at 12:52 PM lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> Hi guys.
> Anybody on CentOS Stream? With updates among which I have
> selinux-policy-3.14.3-79.el8.noarch
> ipa-selinux-4.9.6-4.module_el8.5.0+921+2b5d5825.noarch
> I end up with problems:
> Starting The Apache HTTP Server...
> ipa: INFO: KDC proxy enabled
> ipa-httpd-kdcproxy: INFO KDC proxy enabled
> [Mon Sep 27 08:58:25.895507 2021] [auth_gssapi:error] [pid 9238:tid 140576742644032] Failed to open key file /etc/httpd/alias/ipasession.key
> [Mon Sep 27 08:58:25.895674 2021] [auth_gssapi:error] [pid 9238:tid 140576742644032] Failed to open key file /etc/httpd/alias/ipasession.key
> AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
> SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does not exist or is empty
> httpd.service: Main process exited, code=exited, status=1/FAILURE
> httpd.service: Failed with result 'exit-code'.
> Failed to start The Apache HTTP Server.
> -> $ restorecon -RFv /var/lib/ipa/certs/
> restorecon: Could not set context for /var/lib/ipa/certs: Invalid argument
> restorecon: Could not set context for /var/lib/ipa/certs/httpd.crt: Invalid argument
> I told OS to autorelabel and after reboot I can not get to the system, not via 'ssh' nor with terminal login - that's new :)
> regards, L.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On 27/09/2021 12:23, François Cami wrote:
> Hi,
> Any AVC present in /var/log/audit/audit.log?
> Thank you, François
Ough.. the same one "old" culprit. Whether it's due to courtesy of SELinux - being only a consumer - I cannot tell. If you have a custom paths fcontext labels but no definitions for fcontext because a selinux module is absent, such as 'glusterfs-selinux', then a cascade of problems you shall expect. Why SELinux allows for such a (I'd imagine common) case.. boggles my mind.
regards, L.
On Mon, Sep 27, 2021 at 2:12 PM lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> Ough.. the same one "old" culprit. Whether it's due to courtesy of SELinux - being only a consumer - I cannot tell. If you have a custom paths fcontext labels but no definitions for fcontext because a selinux module is absent, such as 'glusterfs-selinux', then a cascade of problems you shall expect. Why SELinux allows for such a (I'd imagine common) case.. boggles my mind.
> regards, L.
So your problem is solved?
Regards, François
On 27/09/2021 13:30, François Cami wrote:
> So your problem is solved?
> Regards, François
Yes - if anybody hits it - add 'selinux=0' to boot in order to get the OS back, then sort out defs/modules/fcontext if you see this weird SELinux misbehavior.
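The condition the poster describes (local fcontext rules naming a type that no loaded module defines, after which restorecon reports "Invalid argument") can be checked for before an autorelabel is requested. The script below is an added example, not part of the original posts; the sample rules, the file names and the type example_brick_t are constructed, and the list of known types is assumed to have been exported from the loaded policy.

```sh
#!/bin/sh
# Added example (not from the thread): report local fcontext rules whose
# SELinux type is missing from a list of types known to the loaded policy.
#   $1  rules in file_contexts.local format: path-regex [-filetype] context
#   $2  known type names, one per line (assumed exported from the policy)
undefined_fcontext_types() {
    awk '
        # First file: remember every known type name.
        NR == FNR {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") known[$0] = 1
            next
        }
        # Second file: skip comments and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            ctx = $NF
            if (ctx == "<<none>>") next          # rule that assigns no label
            n = split(ctx, part, ":")            # user:role:type:range
            if (n < 3) {
                print FNR ": " $1 " -> malformed context " ctx
            } else if (!(part[3] in known)) {
                print FNR ": " $1 " -> undefined type " part[3]
            }
        }
    ' "$2" "$1"
}

# Constructed sample data; example_brick_t is a hypothetical type standing in
# for one that an absent policy module would have defined.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/file_contexts.local" <<'EOF'
# constructed sample rules
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/bricks(/.*)?    system_u:object_r:example_brick_t:s0
/data/scratch    -d    <<none>>
EOF
    printf '%s\n' httpd_sys_content_t cert_t > "$dir/types.txt"
    echo "$dir"
}

sample=$(make_sample)
undefined_fcontext_types "$sample/file_contexts.local" "$sample/types.txt"
rm -rf "$sample"
```

On a host using the targeted policy, the local rules live in /etc/selinux/targeted/contexts/files/file_contexts.local and can also be listed with semanage fcontext -l -C.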