Bug 1514284
| Summary: | Cannot start slapd | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marek Greško <marek.gresko> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-01-10 02:05:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

The bug is not fixed in selinux-policy-targeted-3.13.1-283.16.fc27.noarch.
nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc: denied { getattr } for pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan named[1761]: configuring command channel from '/etc/rndc.key'
nov 20 21:33:54 myhost.mydomain.lan named[1761]: command channel listening on ::1#953
nov 20 21:33:54 myhost.mydomain.lan named[1761]: could not open entropy source /dev/random: permission denied
nov 20 21:33:54 myhost.mydomain.lan named[1761]: using pre-chroot entropy source /dev/random
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc: denied { map } for pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB0126 mmap: Permission denied
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_open: database "dc=mydomain,dc=lan" cannot be opened, err 13. Restore from backup!
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB1566 txn_checkpoint interface requires an environment configured for the transaction subsystem
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": txn_checkpoint failed: Invalid argument (22).
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: backend_startup_one (type=bdb, suffix="dc=mydomain,dc=lan"): bi_db_open failed! (13)
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": alock_close failed
There are also logs for an unrelated bug about named not being able to open /dev/random. Could you fix this also?

Hmm, your system looks mislabeled. Could you run:
# restorecon -Rv /
And then try to reproduce your issue.
Thanks,
Lukas.

I did fixfiles -v -F / before the above report. For me scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 seems correct. Isn't it?

Sorry, I meant fixfiles -v -F relabel

Issue still persists with selinux-policy-targeted-3.13.1-283.17.fc27.noarch.

ping

Marek,
Could you try to reproduce this issue with selinux-policy-targeted-3.13.1-283.19.fc27.noarch? This build is in updates-testing repo. You can install it by:
# dnf update selinux-policy --enablerepo=updates-testing
Lukas.

Hello Lukas,
thanks for the fix. It works.
# dnf update selinux-policy --enablerepo=updates-testing
# fixfiles -v -F relabel
# cd /var/named/chroot
# restorecon -R -v . # see #1525641
# reboot
No complaints about slapd. Reverted to enforcing mode.
Marek

selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
Slapd fails to start because of

AVC avc: denied { map } for pid=1782 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=1

(This log comes from permissive mode).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.14.fc27.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
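
A triage sketch for the denials in this report, added here as an example and not part of the bug thread or of the selinux-policy project: it parses the three AVC records quoted on this page, derives the allow rule an audit2allow-style tool would propose for review, and separates a likely labelling problem (named, /dev/random typed named_zone_t) from a likely policy gap (slapd, map on slapd_db_t). The `check-label` rule is a heuristic assumed for this example, and all function names are hypothetical.

```python
import re
from collections import namedtuple

# AVC records copied from this report (the third is from the description, permissive mode).
SAMPLE = """\
nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc: denied { getattr } for pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc: denied { map } for pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
avc: denied { map } for pid=1782 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=1
"""

Denial = namedtuple("Denial", "perms comm path source target tclass enforced")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a Denial for one AVC line, or None if the line is not a full denial record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    # A context is user:role:type:level; the type is the third field.
    stype, ttype = (kv[k].split(":")[2] for k in ("scontext", "tcontext"))
    # permissive=1: logged but allowed; permissive=0: blocked; field absent: unknown (None).
    enforced = {"0": True, "1": False}.get(kv.get("permissive"))
    return Denial(tuple(m.group(1).split()), kv.get("comm"), kv.get("path"),
                  stype, ttype, kv["tclass"], enforced)

def triage(d):
    # Heuristic (assumption of this example): a device node whose type does not
    # end in device_t suggests a labelling problem rather than a missing rule.
    if d.tclass in ("chr_file", "blk_file") and not d.target.endswith("device_t"):
        return "check-label"
    return "review-policy"

def candidate_rule(d):
    """Allow rule an audit2allow-style tool would propose; for review, not blind loading."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source} {d.target}:{d.tclass} {perms};"

def report(text):
    """One (comm, triage, rule, enforced) tuple per denial found in text."""
    parsed = filter(None, map(parse_avc, text.splitlines()))
    return [(d.comm, triage(d), candidate_rule(d), d.enforced) for d in parsed]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```
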