[389-devel] SELinux errors with 389-ds-base-1.2.6-0.5.rc1

Rob Crittenden rcritten at redhat.com
Wed Jun 16 13:04:25 UTC 2010


In IPA v2 I'm getting the following SELinux AVCs from ns-slapd:

type=AVC msg=audit(1276693069.494:16808): avc:  denied  { getattr } for  pid=16334 comm="ns-slapd" path="/var/tmp/ldap_496" dev=sda1 ino=180255 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1276693069.494:16809): avc:  denied  { unlink } for pid=16334 comm="ns-slapd" name="ldap_496" dev=sda1 ino=180255 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

I'm seeing a related error in my Apache logs:

[Wed Jun 16 08:57:49 2010] [error] ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_496: File exists) Invalid credentials

The context is we create an ldapi connection during Apache startup. We 
use GSSAPI and a keytab to authenticate.

At this point I'm not sure if this is an issue with 389-ds or IPA.

I've got the latest selinux-policy installed: selinux-policy-3.6.32-116

rob
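
Added example, not part of the original message and not 389-ds or IPA code: a small Python triage script that parses the two AVC records above, groups them by source type, target type, class and inode, and checks whether the denied object is the replay cache file named in the Apache error. The function names are this example's own.

```python
import re
from collections import defaultdict

# The two AVC records from the message above, with the mail line wraps joined.
AVC_LOG = """\
type=AVC msg=audit(1276693069.494:16808): avc:  denied  { getattr } for  pid=16334 comm="ns-slapd" path="/var/tmp/ldap_496" dev=sda1 ino=180255 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1276693069.494:16809): avc:  denied  { unlink } for pid=16334 comm="ns-slapd" name="ldap_496" dev=sda1 ino=180255 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
"""
# The GSSAPI minor-code text from the Apache error quoted in the message.
APACHE_ERROR = "(Cannot create replay cache file /var/tmp/ldap_496: File exists)"

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # The getattr record carries path=, the unlink record only name=.
    return {"perms": m.group(1).split(), "object": f.get("path") or f.get("name"),
            "ino": f.get("ino"), "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2], "tclass": f.get("tclass")}

def summarize(log):
    """Group denials by (source type, target type, class, inode)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            g = groups[(d["source_type"], d["target_type"], d["tclass"], d["ino"])]
            g["perms"].update(d["perms"])
            g["objects"].add(d["object"])
    return dict(groups)

def matches_error(groups, error_text):
    """Keys of groups whose object basename appears as a path in error_text."""
    names = {p.rsplit("/", 1)[-1] for p in re.findall(r"/[\w./-]+", error_text)}
    return [k for k, g in groups.items()
            if any(o.rsplit("/", 1)[-1] in names for o in g["objects"])]

if __name__ == "__main__":
    groups = summarize(AVC_LOG)
    for key in matches_error(groups, APACHE_ERROR):
        print(key, sorted(groups[key]["perms"]), sorted(groups[key]["objects"]))
```

Grouping on the inode is what ties the `name=` record to the `path=` record, so both denials resolve to the same file.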

