On Mon, 2021-08-02 at 18:05 -0400, Rob Crittenden via FreeIPA-users
wrote:
> We can't anticipate every possible script one may want to run.
>
Yes, that's not lost on me and I completely understand. Still, I wish
there wasn't a denial! lol
> It was suggested you ask the SELinux folks about the AV
Ranbir via FreeIPA-users wrote:
> On Tue, 2021-07-27 at 08:45 +, Sam Morris via FreeIPA-users wrote:
>> If you can reproduce this on Fedora or CentOS Stream then it's worth
>> filing a bug on Red Hat bugzilla (but of course have a search first
>> to see if this particular behaviour has been see
On Tue, 2021-07-27 at 08:45 +, Sam Morris via FreeIPA-users wrote:
> If you can reproduce this on Fedora or CentOS Stream then it's worth
> filing a bug on Red Hat bugzilla (but of course have a search first
> to see if this particular behaviour has been seen before).
I migrated the host to Ce
I've seen similar before.
In this case, your script probably wanted to look up information about a user
by UID. To do so, it called each of the NSS modules listed in the passwd: line
of /etc/nsswitch.conf. One of those modules made a D-Bus call to a process
confined by init_t, which was allowed
On Mon, 2021-07-26 at 22:02 +, Sam Morris via FreeIPA-users wrote:
>
> I'm surprised setting your script to certmonger_unconfined_exec_t
> didn't help - - can you try the ausearch command after doing so &
> confirm that your script is now running in the certmonger_unconfined_t
> domain?
I ran
On Mon, 2021-07-26 at 19:21 -0400, Ranbir via FreeIPA-users wrote:
> I ran your test on my server, but it failed to run the command on my
> end. Also, the steps reported by certmonger are different for me:
>
> New signing request "20210726231003" added.
> State NEWLY_ADDED_READING_CERT, stuck: no.
On Mon, 2021-07-26 at 08:20 -0400, Rob Crittenden via FreeIPA-users
wrote:
> [root@ipa] # cat /usr/local/sbin/testme
> #!/bin/sh
> touch /tmp/hello
> [root@ipa]# ls -l /tmp/hello
> ls: cannot access '/tmp/hello': No such file or directory
> [root@ipa]# ipa-getcert request -f /etc/pki/tls/certs/test
> On Mon, 2021-07-26 at 16:38 +, Sam Morris via FreeIPA-users wrote:
> type=PROCTITLE msg=audit(2021-07-26 00:16:16.758:5255) :
> proctitle=/usr/sbin/certmonger -S -p /run/certmonger.pid -n -d2
> type=SYSCALL msg=audit(2021-07-26 00:16:16.758:5255) : arch=x86_64
> syscall=execve success=no exi
Ranbir via FreeIPA-users wrote:
> On Mon, 2021-07-26 at 16:38 +, Sam Morris via FreeIPA-users wrote:
>> If you are running SELinux in enforcing mode then it's possible that
>> your script is being confined by the certmonger_t domain, which could
>> prevent your file copy from working.
>>
>> You
On Mon, Jul 26, 2021 at 7:25 PM Ranbir via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> On Mon, 2021-07-26 at 16:38 +, Sam Morris via FreeIPA-users wrote:
> > If you are running SELinux in enforcing mode then it's possible that
> > your script is being confined by the certmon
On Mon, 2021-07-26 at 16:38 +, Sam Morris via FreeIPA-users wrote:
> If you are running SELinux in enforcing mode then it's possible that
> your script is being confined by the certmonger_t domain, which could
> prevent your file copy from working.
>
> You can search for AVC denials related to
If you are running SELinux in enforcing mode then it's possible that your
script is being confined by the certmonger_t domain, which could prevent your
file copy from working.
You can search for AVC denials related to certmonger_t with the command:
# ausearch --interpret --context certmonger_t
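An added example, not code from the thread or from certmonger/FreeIPA: a small POSIX sh/awk triage script for the output of that ausearch command. It reads AVC records on stdin, keeps the ones whose source domain is certmonger_t, and tells apart the two cases the thread is circling: certmonger_t being refused execute on the script itself (the script never starts) versus the script starting but running confined as certmonger_t so that its own actions (the file copy, the touch in /tmp) are denied. The sample records, pids, inodes and object types embedded below are constructed for illustration and are not taken from the thread; the script name "testme" is the one Rob used.

```shell
#!/bin/sh
# Added example, not code from the thread or from certmonger/FreeIPA.
# Triage AVC denials for a certmonger post-save script.
#   sh avc_triage.sh -   < <(ausearch --interpret --context certmonger_t)
# With no "-" argument it runs on the constructed sample below.

# Name the post-save script is seen as in comm= (the thread's script is "testme").
SCRIPT_COMM=${SCRIPT_COMM:-testme}

# Constructed sample in the shape `ausearch --interpret` prints. pids, inodes
# and the object types are made up for illustration, not taken from the thread.
SAMPLE_AVC='type=AVC msg=audit(2021-07-26 00:16:16.758:5255) : avc:  denied  { execute } for  pid=4242 comm=certmonger name=testme dev="dm-0" ino=131 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(2021-07-26 00:16:20.101:5260) : avc:  denied  { write } for  pid=4243 comm=testme name=hello dev="dm-0" ino=77 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(2021-07-26 00:17:01.004:5271) : avc:  denied  { name_connect } for  pid=4300 comm=httpd scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0'

# avc_denials DOMAIN: read AVC records on stdin and print one line per denial
# whose source (scontext) type is DOMAIN, as:  comm perms tclass target_type
avc_denials() {
    awk -v dom="$1" '
    /^type=AVC/ {
        perms = ""; s = ""; t = ""; cls = ""; comm = ""
        # the denied permission set is printed between braces: { execute }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ /, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "comm") comm = kv[2]
        }
        split(s, sp, ":"); split(t, tp, ":")   # user:role:type:level
        if (sp[3] == dom) printf "%s %s %s %s\n", comm, perms, cls, tp[3]
    }'
}

# classify_denial "comm perms tclass target_type": say what one denial means
# for the post-save script. certmonger itself being denied execute means the
# script never ran; the script's own comm being denied something means it did
# run, confined by certmonger_t, and that domain lacks the permission.
classify_denial() {
    set -- $1
    case "$1:$2:$3" in
        certmonger:*execute*:file)
            echo "exec-blocked: certmonger_t may not execute a $4 file; the script never starts" ;;
        "$SCRIPT_COMM":*)
            echo "confined-action: script runs as certmonger_t and was denied $2 on $3 ($4)" ;;
        *)
            echo "other: $1 denied $2 on $3 ($4)" ;;
    esac
}

# triage DOMAIN: summarise and classify every denial for DOMAIN read from stdin.
triage() {
    out=$(avc_denials "$1")
    [ -n "$out" ] || { echo "no denials for $1"; return 1; }
    printf '%s\n' "$out" | while read -r line; do classify_denial "$line"; done
}

if [ "$1" = "-" ]; then
    triage certmonger_t
else
    printf '%s\n' "$SAMPLE_AVC" | triage certmonger_t
fi
```

On the sample this reports one "exec-blocked" line (certmonger_t refused execute on the script, the situation behind an execve with success=no in the audit log) and one "confined-action" line (the script itself, as certmonger_t, refused write on a tmp_t file), and drops the unrelated httpd_t record. Run it on real ausearch output before reaching for a custom policy module: the first case is about the label on the script file, the second about what certmonger_t is allowed to do, and the fix differs accordingly.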
On Mon, 2021-07-26 at 08:20 -0400, Rob Crittenden via FreeIPA-users
wrote:
> Perhaps the command isn't executable?
It's definitely executable because I ran the script on its own. The
podman command works if I use it directly instead of from the script.
That's why I'm confused!
> It works fine fo
Ranbir via FreeIPA-users wrote:
> Hello Everyone,
>
> I'm running an updated CentOS 8 KVM on an up to date CentOS 7 host. My
> freeipa servers CentOS 7 hosts and fully updated, too. In the KVM I'm
> requesting a certificate from my freeipa CA, which in and of itself
> works just find. But, when I