Installation of the CA Provisioning Server fails on CentOS 5.8 because SELinux runs in enforcing mode by default. SELinux is explained in this link. To end up with a running CA IdentityMinder Provisioning Server, two things need to happen:
- Put SELinux in permissive mode for the CA Provisioning Server install and switch it back to enforcing afterwards
- Provide a permanent way to run the CA slapd executable without disabling SELinux completely
Here are the steps I used:
Step #1 – Get the Provisioning Server installed
Purpose: This prevents the Provisioning Server install from failing with a log message of "Starting im_ps failed..." or "Connection refused".
(as root) Prior to installing the CA Provisioning Server, switch SELinux to permissive mode (the policy stays loaded and denials are still logged, but they are not enforced):
/usr/sbin/setenforce 0
(as root) After installation is complete, return to enforcing mode:
/usr/sbin/setenforce 1
Note that setenforce only changes the running mode; at the next boot the mode reverts to whatever /etc/selinux/config says. getenforce shows the current mode if you want to confirm where you are.
Step #2 – Allow the Provisioning Server to run in SELinux
Purpose: To allow the Provisioning Server to run without disabling SELinux completely, by adding a policy module that covers only the access the CA slapd executable is denied.
In a terminal session as root
su - imps
cd /opt/CA/IdentityManager/ProvisioningServer/bin
/opt/CA/IdentityManager/ProvisioningServer/bin/imps stop im_ps
/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps
You will receive the message: "Starting im_ps failed..." (with SELinux enforcing, the denial that caused it is now recorded in /var/log/audit/audit.log).
Keep this terminal window open and start a new terminal as root.
grep slapd /var/log/audit/audit.log | audit2allow -m postgreylocal > postgreylocal.te
cat postgreylocal.te - you should see something similar to this (the module name is arbitrary; postgreylocal is just the name used here):
module postgreylocal 1.0;
require {
type unconfined_t;
type usr_t;
class file execmod;
}
#============= unconfined_t ==============
allow unconfined_t usr_t:file execmod;
If it does, then execute:
grep slapd /var/log/audit/audit.log | audit2allow -M postgreylocal
semodule -i postgreylocal.pp
The policy module is now loaded, so slapd is granted the execmod access on usr_t files that it was being denied.
Go back to your imps user terminal session and execute
/opt/CA/IdentityManager/ProvisioningServer/bin/imps start im_ps
You will receive an im_ps started successfully message (woot!)
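The two steps above wrapped in a script, added here as an example and not code from the original post or from CA. It keeps the post's imps path, audit log path and the single allow rule the post's .te shows; the module name imps_slapd, the review check that refuses to install anything beyond that one rule, and the sample AVC record are assumptions constructed for this example. The review step is the part worth keeping: a stray denial in audit.log would otherwise end up as an extra allow rule in the module without anyone noticing.

```bash
#!/bin/bash
# Added example, not code from the original post or from CA: the two SELinux
# steps as reviewable shell functions. Paths and the expected rule come from
# the post; the module name, the allow-list check and the sample audit record
# below are assumptions constructed for this example.

IMPS_BIN=/opt/CA/IdentityManager/ProvisioningServer/bin/imps
AUDIT_LOG=/var/log/audit/audit.log
MODULE=imps_slapd                                        # assumed module name
EXPECTED_RULE='allow unconfined_t usr_t:file execmod;'   # the rule the post's .te shows

# Constructed sample AVC record in audit.log format for a slapd execmod denial
# (the library path is hypothetical); used by the checks below, not by the
# real procedure.
SAMPLE_AVC='type=AVC msg=audit(1335000000.123:456): avc:  denied  { execmod } for  pid=1234 comm="slapd" path="/opt/CA/IdentityManager/ProvisioningServer/lib/libexample.so" dev=sda2 ino=12345 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# Step 1: run a command (the CA installer) with SELinux permissive, then put
# the mode back to what it was. Permissive still logs denials, which is what
# audit2allow needs in step 2.
run_permissive() {
    mode=$(getenforce)
    if [ "$mode" = Enforcing ]; then setenforce 0; fi
    rc=0
    "$@" || rc=$?
    if [ "$mode" = Enforcing ]; then setenforce 1; fi
    return $rc
}

# Keep only AVC denial records from the slapd process, so the module is built
# from those denials and not from unrelated noise in the audit log.
slapd_denials() {
    grep 'type=AVC' "$1" | grep 'denied' | grep 'comm="slapd"'
}

# Refuse a generated .te that lacks the expected rule or carries any other
# allow rule; returns 0 only when the module is exactly what we intend.
review_te() {
    te=$1
    grep -q -x "$EXPECTED_RULE" "$te" || { echo "expected rule missing in $te" >&2; return 1; }
    unexpected=$(grep '^allow ' "$te" | grep -v -x "$EXPECTED_RULE" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected rule(s) in %s:\n%s\n' "$te" "$unexpected" >&2
        return 1
    fi
    return 0
}

# Step 2: build the module from slapd's denials, review it, install it, and
# start im_ps as the imps user (as the post does by hand).
build_and_install_module() {
    slapd_denials "$AUDIT_LOG" > "$MODULE.avc"
    audit2allow -m "$MODULE" < "$MODULE.avc" > "$MODULE.te"
    review_te "$MODULE.te" || { echo "refusing to install $MODULE.pp" >&2; return 1; }
    audit2allow -M "$MODULE" < "$MODULE.avc"     # writes $MODULE.pp
    semodule -i "$MODULE.pp"
    su - imps -c "$IMPS_BIN start im_ps"
}

# Usage (as root): ./imps-selinux.sh install /path/to/ca/installer
#                  ./imps-selinux.sh policy
case "${1:-}" in
    install) shift; run_permissive "$@" ;;
    policy)  build_and_install_module ;;
esac
```

Two caveats a practitioner would want here. First, `setenforce 0` is permissive mode, not "SELinux disabled": the policy stays loaded and every denial is still written to audit.log, which is exactly why the install can be done this way and the denials harvested afterwards. Second, the rule the post arrives at, `allow unconfined_t usr_t:file execmod;`, is broad: it lets any unconfined process map any usr_t file writable and executable, not just the CA slapd libraries. The narrower, standard fix for an execmod denial is to relabel the specific shared library that needs text relocations as textrel_shlib_t (semanage fcontext plus restorecon) rather than loosening the rule for the whole type; the module approach works, but review what it grants before `semodule -i`.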