Re: Saltstack and ipa-install on Centos7 failing

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Andrew Holway <andrew.holway@native-instruments.de>,
	selinux@tycho.nsa.gov
Subject: Re: Saltstack and ipa-install on Centos7 failing
Date: Fri, 13 Mar 2015 13:46:18 -0400	[thread overview]
Message-ID: <5503226A.2060708@tycho.nsa.gov> (raw)
In-Reply-To: <55031D59.2040909@native-instruments.de>

On 03/13/2015 01:24 PM, Andrew Holway wrote:
> Hallo,
> 
> Could someone please lend a hand with this issue?
> 
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00345.html
> 
> When I run ipa-server-install from Saltstack it is breaking. I imagine
> this is because the script is being run in an unexpected domain
> (init_t rather than unconfined_t).

How is it launched?  How much control do you have over how it is
launched?  If you can just modify its init script or unit file or
whatever, you could either have it invoke runcon with an explicit
context to run in the desired context or put the launch command in a
script file and label it with an appropriate _exec_t type to transition
automatically into the desired domain.  That said, neither initrc_t nor
unconfined_t are particularly desirable domains; it should really have
its own domain.

next prev parent reply	other threads:[~2015-03-13 17:46 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-13 17:24 Saltstack and ipa-install on Centos7 failing Andrew Holway
2015-03-13 17:46 ` Stephen Smalley [this message]
2015-03-13 20:49 ` Daniel J Walsh
2015-03-16 13:00   ` Miroslav Grepl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5503226A.2060708@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=andrew.holway@native-instruments.de \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.