Re: [Freeipa-users] Configuring httpd error when selinux is permissive
On (08/11/16 16:57), 郑磊 wrote:
>Command returns the result:
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
>Cannot set persistent booleans without managed policy.
>
>root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
>Error getting active value for httpd_run_ipa
>

Then it just means that selinux-policy on Ubuntu does not contain such a boolean.

You have a few options:
* create your own SELinux rules
* backport SELinux rules from upstream/fedora
* Use freeIPA with SELinux on a different distribution.
* use freeIPA without SELinux on ubuntu (IIRC the default is Apparmor)

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
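Added example, not part of the original message and not FreeIPA code: a pre-flight check that tells a boolean the loaded policy does not define (the httpd_run_ipa case above) apart from one that exists but is off. It reads selinuxfs directly; the BOOL_DIR override and the constructed sample directory are assumptions so the check can be run offline.

```shell
#!/bin/sh
# Booleans the installer tried to set (names taken from the thread).
IPA_BOOLEANS="httpd_can_network_connect httpd_run_ipa httpd_manage_ipa"
# selinuxfs exposes one file per boolean defined by the loaded policy.
# BOOL_DIR is overridable only so the check can run against a sample dir.
BOOL_DIR="${BOOL_DIR:-/sys/fs/selinux/booleans}"

# Print "missing", "on" or "off" for one boolean.
# "missing" also covers hosts where selinuxfs is not mounted at all.
sebool_state() {
    file="$BOOL_DIR/$1"
    if [ ! -r "$file" ]; then
        echo missing
        return 0
    fi
    # File content is "<current> <pending>", usually without a newline,
    # so read reports EOF even though it filled the variables.
    read -r current _pending < "$file" || true
    case "$current" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# One "name state" line per boolean.
ipa_boolean_report() {
    for b in $IPA_BOOLEANS; do
        printf '%s %s\n' "$b" "$(sebool_state "$b")"
    done
}

# Names that no setsebool call can fix: the policy itself lacks them.
missing_ipa_booleans() {
    ipa_boolean_report | while read -r name state; do
        if [ "$state" = missing ]; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample mirroring the thread: two booleans present but off,
# httpd_run_ipa not defined by the policy.
make_sample_booldir() {
    dir=$(mktemp -d)
    printf '0 0' > "$dir/httpd_can_network_connect"
    printf '0 0' > "$dir/httpd_manage_ipa"
    printf '%s\n' "$dir"
}

ipa_boolean_report
```

A name listed by missing_ipa_booleans needs one of the policy-level options above; a name reported as off only needs setsebool once the policy is managed.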
Re: [Freeipa-users] Configuring httpd error when selinux is permissive
Command returns the result:
root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
Cannot set persistent booleans without managed policy.

root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa
Error getting active value for httpd_run_ipa
root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_can_network_connect
httpd_can_network_connect --> off
root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_manage_ipa
httpd_manage_ipa --> off

The result I want is for no error to appear in the configuration process information.

--
Wishing you success at work and a happy life!
--
Changsha R&D Center
郑磊
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan

-- Original --
From: "Umarzuki Mochlis";
Date: Tue, Nov 8, 2016 04:42 PM
To: "郑磊";
Cc: "freeipa-users";
Subject: Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 16:33 GMT+08:00 郑磊 :
> Hello everyone,
> I have been setting up freeipa (its version is 4.3.1) on Ubuntu. SELinux is
> enabled, and its mode is permissive. I met a problem when configuring the httpd
> process, but the process won't be interrupted. The configuration information
> is as follows:
> Configuring the web interface (httpd). Estimated time: 1 minute
> [1/20]: setting mod_nss port to 443
> [2/20]: setting mod_nss cipher suite
> [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
> [4/20]: setting mod_nss password file
> [5/20]: enabling mod_nss renegotiate
> [6/20]: adding URL rewriting rules
> [7/20]: configuring httpd
> [8/20]: configure certmonger for renewals
> [9/20]: setting up httpd keytab
> [10/20]: setting up ssl
> [11/20]: importing CA certificates from LDAP
> [12/20]: publish CA cert
> [13/20]: clean up any existing httpd ccache
> [14/20]: configuring SELinux for httpd
> ipa.ipaplatform.redhat.tasks: ERRORCannot get SELinux boolean
> 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned
> non-zero exit status 255
> WARNING: Could not set SELinux booleans: httpd_can_network_connect=on
> httpd_run_ipa=on httpd_manage_ipa=on
>
> The web interface may not function correctly until
> the booleans are successfully changed with the command:
> /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on
> httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
> [15/20]: create KDC proxy user
> [16/20]: create KDC proxy config
> [17/20]: enable KDC proxy
> [18/20]: restarting httpd
> [19/20]: configuring httpd to start on boot
> [20/20]: enabling oddjobd
> Done configuring the web interface (httpd).
> Is there anyone who can help me?
>
> Thanks!

Hi,

Have you tried the suggested setsebool command?
Re: [Freeipa-users] Configuring httpd error when selinux is permissive
2016-11-08 16:33 GMT+08:00 郑磊 :
> Hello everyone,
> I have been setting up freeipa (its version is 4.3.1) on Ubuntu. SELinux is
> enabled, and its mode is permissive. I met a problem when configuring the httpd
> process, but the process won't be interrupted. The configuration information
> is as follows:
> Configuring the web interface (httpd). Estimated time: 1 minute
> [1/20]: setting mod_nss port to 443
> [2/20]: setting mod_nss cipher suite
> [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
> [4/20]: setting mod_nss password file
> [5/20]: enabling mod_nss renegotiate
> [6/20]: adding URL rewriting rules
> [7/20]: configuring httpd
> [8/20]: configure certmonger for renewals
> [9/20]: setting up httpd keytab
> [10/20]: setting up ssl
> [11/20]: importing CA certificates from LDAP
> [12/20]: publish CA cert
> [13/20]: clean up any existing httpd ccache
> [14/20]: configuring SELinux for httpd
> ipa.ipaplatform.redhat.tasks: ERRORCannot get SELinux boolean
> 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned
> non-zero exit status 255
> WARNING: Could not set SELinux booleans: httpd_can_network_connect=on
> httpd_run_ipa=on httpd_manage_ipa=on
>
> The web interface may not function correctly until
> the booleans are successfully changed with the command:
> /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on
> httpd_manage_ipa=on
> Try updating the policycoreutils and selinux-policy packages.
> [15/20]: create KDC proxy user
> [16/20]: create KDC proxy config
> [17/20]: enable KDC proxy
> [18/20]: restarting httpd
> [19/20]: configuring httpd to start on boot
> [20/20]: enabling oddjobd
> Done configuring the web interface (httpd).
> Is there anyone who can help me?
>
> Thanks!

Hi,

Have you tried the suggested setsebool command?
[Freeipa-users] Configuring httpd error when selinux is permissive
Hello everyone,
I have been setting up freeipa (its version is 4.3.1) on Ubuntu. SELinux is enabled, and its mode is permissive. I met a problem when configuring the httpd process, but the process won't be interrupted. The configuration information is as follows:

Configuring the web interface (httpd). Estimated time: 1 minute
[1/20]: setting mod_nss port to 443
[2/20]: setting mod_nss cipher suite
[3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
[4/20]: setting mod_nss password file
[5/20]: enabling mod_nss renegotiate
[6/20]: adding URL rewriting rules
[7/20]: configuring httpd
[8/20]: configure certmonger for renewals
[9/20]: setting up httpd keytab
[10/20]: setting up ssl
[11/20]: importing CA certificates from LDAP
[12/20]: publish CA cert
[13/20]: clean up any existing httpd ccache
[14/20]: configuring SELinux for httpd
ipa.ipaplatform.redhat.tasks: ERRORCannot get SELinux boolean 'httpd_run_ipa': Command '/usr/sbin/getsebool httpd_run_ipa' returned non-zero exit status 255
WARNING: Could not set SELinux booleans: httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on

The web interface may not function correctly until
the booleans are successfully changed with the command:
/usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on
Try updating the policycoreutils and selinux-policy packages.
[15/20]: create KDC proxy user
[16/20]: create KDC proxy config
[17/20]: enable KDC proxy
[18/20]: restarting httpd
[19/20]: configuring httpd to start on boot
[20/20]: enabling oddjobd
Done configuring the web interface (httpd).

Is there anyone who can help me?

Thanks!

--
Wishing you success at work and a happy life!
--
Changsha R&D Center
郑磊
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan