We currently have to run in permissive mode with the new session stuff. At a minimum we need to allow memcached to create a UNIX socket file in /var/run/ipa_memcached. We get this AVC otherwise:
type=AVC msg=audit(1327101214.892:696): avc: denied { create } for pid=17659 comm="memcached" name="ipa_memcached" scontext=system_u:system_r:memcached_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
We may have other SELinux denials to address as well; the development work has been done with SELinux in permissive mode.
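Added example, not part of the ticket or of FreeIPA's code: a Python parser that splits the AVC record quoted above into its fields and restates the denied access as a type enforcement rule in the form audit2allow prints. The function names are this example's own; the rule records what was denied, which is the input to the policy decision the ticket tracks.

```python
import re
from datetime import datetime, timezone

# The denial quoted in the ticket, reproduced verbatim.
AVC = ('type=AVC msg=audit(1327101214.892:696): avc: denied { create } for '
       'pid=17659 comm="memcached" name="ipa_memcached" '
       'scontext=system_u:system_r:memcached_t:s0 '
       'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file')

HEADER = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+'
                    r'(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type from user:role:type[:range]; the range may contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'malformed security context: {ctx!r}')
    return parts[2]


def parse_avc(line):
    """Split one AVC audit record into its fields."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    epoch, serial, result, perms, rest = m.groups()
    rec = {k: quoted or bare for k, quoted, bare in PAIR.findall(rest)}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in rec:
            raise ValueError(f'AVC record lacks {key}')
    rec.update(result=result, perms=perms.split(), serial=int(serial),
               time=datetime.fromtimestamp(int(epoch), tz=timezone.utc),
               source_type=context_type(rec['scontext']),
               target_type=context_type(rec['tcontext']))
    return rec


def to_rule(rec):
    """Render the denied access as a type enforcement allow rule."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {p};"


if __name__ == '__main__':
    record = parse_avc(AVC)
    print(record['time'].isoformat(), record['comm'], record['name'])
    print(to_rule(record))
```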
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=783592
Closed 2432 as a duplicate of it.
We need to set the boolean httpd_manage_ipa to True to enable this.
In the closed ticket there is a brief discussion of the best place to do this: either use -P and set it during install, or set it each time in the service file.
Moving to next month's iteration.
This work was done in ticket 2432.
master: 0425d09
ipa-2-2: faa9b47
Metadata Update from @jdennis:
- Issue assigned to jdennis
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03