389 Directory Server Admin コンソールから「Start Directory Server」または「Stop Directory Server」のボタンをクリックして dirsrv のデーモンをコントロールしようとすると、SELinux Enforcing な環境で以下のエラーが /var/log/dirsrv/admin-serv/error に記録される。
Failed to get load state of dirsrv@xxxxx.service: Access denied
Failed to stop dirsrv@xxxxx.service: Access denied
See system logs and 'systemctl status dirsrv@xxxxx.service' for details.
Failed to get load state of dirsrv@xxxxxx.service: Access denied
以下の URL によれば、どうも既知の問題らしい。SELinux をチョチョイといじれば治るってものでも無いらしい。
The issue is that to do this, we need to give apache (httpd_t, dirsrv_admin_t) control of the initrc_t, which is basically root on the system. We can't do that just to allow communication to systemd, especially when this is an old java based console.
The alternate is to allow dbus_t and policykit access, but this is extremely complex and time consuming to integrate. We feel our energy is better spent elsewhere, as server restarts can be conducted in other ways.
We have previously decided not to fix this issue, advising either the use of specific permissive contexts (semanage permissive -a dirsrvadmin_script_t), or through out-of-band restart.
Red Hat Directory Server 10.1 の Release Note には、known issue として Admin Server の起動だけ失敗するとあるが、上記 URL によれば Directory Server の方もだよと。まぁ複雑だってことで勘弁してもらおう。
0 件のコメント:
コメントを投稿