Bug 1396448
| Summary: | Add a hard dependency for >=selinux-policy-3.13.1-75 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Viktor Ashirov <vashirov> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | gparente, mreynolds, nkinder, rmeggins |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.6.1-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 21:12:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Upstream ticket: https://fedorahosted.org/389/ticket/49046 Build tested: 389-ds-base-1.3.6.1-6.el7.x86_64 # repoquery --requires 389-ds-base | grep selinux selinux-policy >= 3.13.1-75 selinux-policy >= 3.13.1-75 Marking as VERIFIED. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2086 |
Description of problem: Some customers upgrade only 389-ds-base and it's dependencies during 7.2 -> 7.3 upgrade. 389-ds-base-1.3.5 depends on >=selinux-policy-3.13.1-75 From changelog: Resolves: rhbz#1336722 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te Currently 389-ds-base doesn't have a hard dependency on particular version. So if customer has configured SSL with pin.txt and later decides to delete pin, ns-slapd won't start. Version-Release number of selected component (if applicable): 389-ds-base-1.3.5.10-11.el7 How reproducible: always Steps to Reproduce: 1. On RHEL7.2 configure an instance with SSL and pin.txt 1. yum update 389-ds-base (to 7.3 version) 2. remove pin.txt 3. restart-dirsrv Actual results: Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com systemd[1]: Starting 389 Directory Server qeos-33.... Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: [18/Nov/2016:05:05:04.944897933 -0500] SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: SVRCORE systemd:getPin() -> creating socket FAILED 7 Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: [18/Nov/2016:05:05:04.946416549 -0500] slapd_ssl_init - Unable to authenticate (Netscape Portable Runtime error -8177 - The security password entered is incorrect.)[18/Nov/2016:05:05:04.947076107 -0500] ERROR: SSL Initialization Failed. Disabling SSL. Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: [18/Nov/2016:05:05:04.947821887 -0500] 389-Directory/1.3.5.10 B2016.257.1817 starting up Nov 18 05:05:05 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: [18/Nov/2016:05:05:05.037750034 -0500] slapd started. Listening on All Interfaces port 389 for LDAP requests Nov 18 05:05:05 qeos-33.lab.eng.rdu2.redhat.com systemd[1]: Started 389 Directory Server qeos-33.. ausearch -m AVC: time->Fri Nov 18 05:05:04 2016 type=SYSCALL msg=audit(1479463504.946:488): arch=c000003e syscall=49 success=no exit=-13 a0=a a1=7ffc0659add0 a2=6e a3=7ffc0659ab40 items=0 ppid=1 pid=3240 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null) type=AVC msg=audit(1479463504.946:488): avc: denied { write } for pid=3240 comm="ns-slapd" name="ask-password" dev="tmpfs" ino=6668 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir Expected results: selinux-policy should updated as well Additional info: