Bug 1221121
| Summary: | Setup of 389ds fails due to selinux denial | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | William Brown <william> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Stanislav Zidek <szidek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, szidek, william |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-36.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1233108 | Environment: | |
| Last Closed: | 2015-11-19 10:33:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1233108 | | |
Are you running it in MLS?

No. Running targeted policy with a user that is in staff_t, with a transition to sysadm_t on sudo.

And what are you trying to do?

Attempting to set up an LDAP server (389ds) with the install script setup-ds.pl. This attempts to bind to port 389 (ldap_port_t) as part of the installer, to determine if the port is in use and the server can use it. However, at this stage, the script is still running under your user's context. Normally this would be unconfined_t, but on my system it is sysadm_t. Thus the denial.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:

```
type=AVC msg=audit(1431513105.519:14797): avc: denied { name_bind } for pid=14364 comm="perl" src=389 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
```

Attempting to run setup-ds.pl as sysadm_t user.
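An added example, not part of the original bug report: a small Python parser for the AVC record quoted in the description. It extracts the source domain, target type, class and permission, and builds the `sesearch` query that checks whether the loaded policy has an allow rule for that access. The function names are hypothetical; `sesearch` is the setools policy query tool and is only named here, not invoked.

```python
import re

# The AVC record quoted in this bug report, embedded so the example runs offline.
AVC = ('type=AVC msg=audit(1431513105.519:14797): avc: denied { name_bind } '
       'for pid=14364 comm="perl" src=389 '
       'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def split_context(ctx):
    """Split user:role:type[:level]; an MLS/MCS level can itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'level': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return the decision, permissions and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    rec = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        rec[key] = split_context(rec[key])
    return rec


def sesearch_args(rec):
    """Build the sesearch query asking whether an allow rule covers this access."""
    return ['sesearch', '-A', '-s', rec['scontext']['type'],
            '-t', rec['tcontext']['type'], '-c', rec['tclass'],
            '-p', ','.join(rec['perms'])]


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(rec['result'], rec['perms'], 'port', rec['src'], 'by', rec['comm'])
    print('source domain:', rec['scontext']['type'], 'target type:', rec['tcontext']['type'])
    print(' '.join(sesearch_args(rec)))
```

Running the generated query on a host before and after installing the policy version listed under "Fixed In Version" shows whether the rule for this access is present.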