On Mon, Sep 27, 2021 at 2:12 PM lejeczek via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 27/09/2021 12:23, François Cami wrote:
> Hi,
>
> Any AVC present in /var/log/audit/audit.log?
>
> Thank you,
> François
>
> On Mon, Sep 27, 2021 at 12:52 PM lejeczek via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>> Hi guys.
>>
>> Anybody on CentOS Stream?
>> With updates among which I have
>> selinux-policy-3.14.3-79.el8.noarch
>> ipa-selinux-4.9.6-4.module_el8.5.0+921+2b5d5825.noarch
>> I end up with problems:
>>
>> Starting The Apache HTTP Server...
>> ipa: INFO: KDC proxy enabled
>> ipa-httpd-kdcproxy: INFO KDC proxy enabled
>> [Mon Sep 27 08:58:25.895507 2021] [auth_gssapi:error] [pid
>> 9238:tid 140576742644032] Failed to open key file
>> /etc/httpd/alias/ipasession.key
>> [Mon Sep 27 08:58:25.895674 2021] [auth_gssapi:error] [pid
>> 9238:tid 140576742644032] Failed to open key file
>> /etc/httpd/alias/ipasession.key
>> AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
>> SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does
>> not exist or is empty
>> httpd.service: Main process exited, code=exited,
>> status=1/FAILURE
>> httpd.service: Failed with result 'exit-code'.
>> Failed to start The Apache HTTP Server.
>>
>> -> $ restorecon -RFv /var/lib/ipa/certs/
>> restorecon: Could not set context for /var/lib/ipa/certs:
>> Invalid argument
>> restorecon: Could not set context for
>> /var/lib/ipa/certs/httpd.crt: Invalid argument
>>
>> I told the OS to autorelabel and after reboot I cannot get to
>> the system, neither via 'ssh' nor with terminal login - that's
>> new :)
>>
>> regards, L.
Ough.. the same one "old" culprit. Whether it's due to
courtesy of SELinux - being only a consumer - I cannot tell.
If you have custom path fcontext labels but no
definitions for fcontext because an SELinux module is absent,
such as 'glusterfs-selinux', then a cascade of problems you
shall expect.
Why SELinux allows for such a (I'd imagine common) case..
boggles my mind.
regards, L.

So your problem is solved?
Regards,
François
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
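
The condition described in the reply above (local fcontext rules that name a type whose policy module is not installed) can be checked for before running `restorecon` or scheduling an autorelabel. This is an added example, not part of the original thread or of FreeIPA; the function names, the sample rules and the type `example_brick_t` are constructed, and the inputs are assumed to be rules in `file_contexts.local` format plus a type list such as the output of `seinfo -t`.

```shell
#!/bin/sh
# Added example: list local file-context rules whose SELinux type is not
# defined in the type list taken from the loaded policy.

# undefined_fcontext_types RULES_FILE TYPES_FILE
#   RULES_FILE: lines of "<path regex> [-X] <user:role:type[:level]>"
#   TYPES_FILE: one type per line (leading whitespace is tolerated)
# Prints "<path regex><TAB><type>" for every rule with an unknown type.
undefined_fcontext_types() {
    awk '
        FILENAME == ARGV[1] {               # first file: known types
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if ($0 != "") known[$0] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            ctx = $NF                       # context is the last field
            if (ctx == "<<none>>") next     # rule that assigns no label
            if (split(ctx, f, ":") < 3) next
            if (!(f[3] in known)) print $1 "\t" f[3]
        }
    ' "$2" "$1"
}

# Constructed sample input, so the check can be run offline.
sample_rules() {
cat <<'EOF'
# constructed rules in file_contexts.local format
/srv/web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/bricks(/.*)?     system_u:object_r:example_brick_t:s0
/opt/scratch  -d  <<none>>
EOF
}
sample_types() { printf '%s\n' 'Types: 2' '   httpd_sys_content_t' '   cert_t'; }

demo() {
    tmp=$(mktemp -d) || return 1
    sample_rules > "$tmp/rules"
    sample_types > "$tmp/types"
    undefined_fcontext_types "$tmp/rules" "$tmp/types"
    rm -rf "$tmp"
}

demo
```

On a live host with the targeted policy, the rules file would be `/etc/selinux/targeted/contexts/files/file_contexts.local` and the type list can be produced with `seinfo -t > types.txt` (from setools-console).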