On 06/21/2016 09:40 AM, Jan Cholasta wrote:
> On 21.6.2016 09:35, Petr Vobornik wrote:
>> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>>> On 17.6.2016 16:30, Petr Vobornik wrote:
>>>>
>>>> I'm not sure if following is related to thin client or other work, but
>>>> it should be looked at. Feel free to open different ticket for it.
>>>>
>>>> I was doing some testing yesterday and this was in audit:
>>>>
>>>> time->Thu Jun 16 22:11:32 2016
>>>> type=AVC msg=audit(1466107892.404:662): avc: denied { write } for
>>>> pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs"
>>>> ino=183080 scontext=system_u:system_r:certmonger_t:s0
>>>> tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file
>>>> permissive=0
>>>>
>>>> I did not investigate further, but couldn't it be caused by initializing
>>>> api with api.bootstrap(in_server=True.. which then initializes session
>>>> plugin which then initializes MemcacheSessionManager?
>>>>
>>>> Similar issue could be in other usages.
>>>
>>> AFAIK this is triggered by importing ipalib.session and can happen even
>>> with client API.
>>>
>>
>> True, but it would have to be explicit, which won't probably happen.
>>
>> In ipaserver/plugins/session.py it is done automatically:
>>
>> if api.env.in_server:
>>     from ipalib.session import session_mgr
>
> IMHO that doesn't really matter, it should be fixed not to connect on
> import, because that's just plain wrong.
>
True, new ticket: https://fedorahosted.org/freeipa/ticket/5988
-- 
Petr Vobornik
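
The fix the thread calls for, not connecting at import time, can be sketched as follows. This is an added example, not FreeIPA code or the change made for the ticket; `LazySocketClient`, its `connect` hook and the socket path are hypothetical.

```python
import socket
import threading


class LazySocketClient:
    """Client for a Unix-socket service that connects on first use, not on import."""

    def __init__(self, path, connect=None):
        self._path = path
        # 'connect' is an injectable hook (hypothetical) so callers can test offline.
        self._connect = connect or self._unix_connect
        self._conn = None
        self._lock = threading.Lock()

    @staticmethod
    def _unix_connect(path):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.connect(path)
        except OSError:
            sock.close()  # e.g. EACCES when policy denies write on the sock_file
            raise
        return sock

    @property
    def connected(self):
        return self._conn is not None

    def connection(self):
        """Open the connection on first call; a failed attempt is not cached."""
        with self._lock:
            if self._conn is None:
                self._conn = self._connect(self._path)
            return self._conn


# Module-level instance: importing this module opens no socket, so a process in
# another SELinux domain can import it without touching the sock_file.
# The path is a constructed placeholder, not the real FreeIPA socket path.
session_mgr = LazySocketClient("/run/example/placeholder.sock")
```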