On Mon, Sep 27, 2021 at 2:12 PM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > > > > On 27/09/2021 12:23, François Cami wrote: > > Hi, > > > > Any AVC present in /var/log/audit/audit.log? > > > > Thank you, > > François > > > > On Mon, Sep 27, 2021 at 12:52 PM lejeczek via FreeIPA-users > > <freeipa-users@lists.fedorahosted.org> wrote: > >> Hi guys. > >> > >> Anybody on CentOS Stream? > >> With updates among which I have > >> selinux-policy-3.14.3-79.el8.noarch > >> ipa-selinux-4.9.6-4.module_el8.5.0+921+2b5d5825.noarch > >> I end up with problems: > >> > >> Starting The Apache HTTP Server... > >> ipa: INFO: KDC proxy enabled > >> ipa-httpd-kdcproxy: INFO KDC proxy enabled > >> [Mon Sep 27 08:58:25.895507 2021] [auth_gssapi:error] [pid > >> 9238:tid 140576742644032] Failed to open key file > >> /etc/httpd/alias/ipasession.key > >> [Mon Sep 27 08:58:25.895674 2021] [auth_gssapi:error] [pid > >> 9238:tid 140576742644032] Failed to open key file > >> /etc/httpd/alias/ipasession.key > >> AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf: > >> SSLCertificateFile: file '/var/lib/ipa/certs/httpd.crt' does > >> not exist or is empty > >> httpd.service: Main process exited, code=exited, > >> status=1/FAILURE > >> httpd.service: Failed with result 'exit-code'. > >> Failed to start The Apache HTTP Server. > >> > >> -> $ restorecon -RFv /var/lib/ipa/certs/ > >> restorecon: Could not set context for /var/lib/ipa/certs: > >> Invalid argument > >> restorecon: Could not set context for > >> /var/lib/ipa/certs/httpd.crt: Invalid argument > >> > >> I told OS to autorelabel and after reboot I can not get to > >> the system, not via 'ssh' nor with terminal login - that's > >> new :) > >> > >> regards, L. > Ough.. the same one "old" culprit. Whether it's due to > courtesy of SELinux - being only a consumer - I cannot tell. > If you have a custom paths fcontext labels but no > definitions for fcontext because a selinux module is absent, > such as 'glusterfs-selinux', then a cascade of problems you > shall expect. > Why SELinux allows for such a (I'd imagine common) case.. > boggles my mind. > regards, L.
So your problem is solved? Regards, François > >> _______________________________________________ > >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > >> Do not reply to spam on the list, report it: > >> https://pagure.io/fedora-infrastructure > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
