Bug 1483170
Summary: | 'map' denial for comm 'ns-slapd' path '/run/dirsrv/slapd-DOMAIN-LOCAL.stats' (breaks FreeIPA deployment) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 27 | CC: | abokovoy, dwalsh, kparal, lslebodn, rcritten, robatino, ssorce, tkrizek |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | AcceptedBlocker | | |
Fixed In Version: | selinux-policy-3.13.1-276.fc27 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-09-12 22:46:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1396702, 1481454 | | |
Description
Adam Williamson
2017-08-18 23:16:46 UTC

cc'ing freeipa folks for reference (just so you know what's busted; I don't think you have anything to fix here).

Discussed during blocker review [1]: AcceptedBlocker (Beta) - breaks deployment of FreeIPA servers, clear violation of Alpha criterion "Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully deployed, started..." for the domain controller role

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-08-21/

3.13.1-273 does seem to fix this exact denial, but 389-ds still fails to start (and FreeIPA deployment fails) due to another, similar denial:

Aug 23 12:42:11 ipa001.domain.local audit[4319]: AVC avc: denied { map } for pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0

Should I file a new bug for that?

No, I'll fix it.

Once again, that denial is fixed in -276 (well, I checked with -280), but there are still some denials that prevent deployment from working in -280:

Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

I have also mentioned this in https://bugzilla.redhat.com/show_bug.cgi?id=1488404 .

(In reply to Adam Williamson from comment #5)
> Once again, that denial is fixed in -276 (well, I checked with -280), but
> there are still some denials that prevent deployment working in -280:
>
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
> Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link }
> for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129
> scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0

Lukas, I hope you didn't try to allow these AVCs, because it is a bug in the ipa-server-install script, BZ1490762. I have fixed it in https://github.com/freeipa/freeipa/pull/1062

So we either use this bug to deliver a freeipa update with it or add bugzilla 1490762 to the blockers list.

We've made 1490762 an AcceptedBlocker, please send out a FreeIPA update marked as fixing it. Thanks!

Since there's only the rolekit_tmp denials and one other denial for systemd during decommissioning left in current F27 composes, I'm going to close this bug now.
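To triage a batch of AVC lines like the ones quoted in this report, here is an added example (not code from the bug, from selinux-policy or from FreeIPA) that parses the denials above, collapses repeats and groups them by source type, target type and object class; the audit2allow-style rule it renders is only a summary of what was denied, since the rolekit_tmp_t group in this thread was fixed in ipa-server-install (the file was created with the wrong label), not by loosening the policy.

```python
import re
from collections import defaultdict

# The four AVC lines quoted in this bug report (the 'write' line really does
# appear three times there), embedded here as sample input.
AVC_LINES = """\
Aug 23 12:42:11 ipa001.domain.local audit[4319]: AVC avc: denied { map } for pid=4319 comm="ns-slapd" path="/dev/shm/QSql25" dev="tmpfs" ino=32992 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { write } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
Sep 11 12:04:07 ipa001.domain.local audit[5710]: AVC avc: denied { link } for pid=5710 comm="ns-slapd" name="dse.ldif" dev="dm-0" ino=9435129 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rolekit_tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = frozenset(m.group('perms').split())
    # A context is user:role:type[:level]; policy rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class), merging perms and counting repeats."""
    out = defaultdict(lambda: {'perms': set(), 'count': 0, 'objects': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        out[key]['perms'] |= rec['perms']
        out[key]['count'] += 1
        out[key]['objects'].add(rec.get('path') or rec.get('name', '?'))
    return dict(out)

def as_rule(key, entry):
    """Render the allow rule that would silence this group; whether that or relabeling is right is a review decision."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(entry['perms']))} }};"

if __name__ == '__main__':
    for key, entry in summarize(AVC_LINES).items():
        print(f"{entry['count']:>2}x  {as_rule(key, entry)}   # {', '.join(sorted(entry['objects']))}")
```

A target type belonging to another domain's private temp files (rolekit_tmp_t here) is the cue to check how the object got its label before touching policy.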