Bug 1571328

Summary: SELinux is preventing LD_PRELOAD from working
Product: [Fedora] Fedora Reporter: mreynolds
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 28CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, vashirov
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.1-29.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-26 20:44:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
INSTALL_FILE mentioned in comment 1 none

Description mreynolds 2018-04-24 14:21:59 UTC 
Description of problem:

In F28 we need to bundle jemalloc for 389-ds-base, and preload it.  But selinux is preventing libjemalloc from being preloaded:

# semodule -DB
# ausearch -m AVC                                                                                                                      
----                                   
time->Tue Apr 24 04:15:41 2018 
type=AVC msg=audit(1524557741.999:497): avc:  denied  { siginh } for  pid=16828 comm="ds_systemd_ask_" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
----
time->Tue Apr 24 04:15:42 2018
type=AVC msg=audit(1524557742.038:498): avc:  denied  { noatsecure } for  pid=16833 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=0
```

I'm reproducing this on F26 thru rawhide.

How to reproduce:

[1]  # dnf install 389-ds-base jemalloc
[2]  # vi /etc/sysconfig/dirsrv

  add at the bottom:

  LD_PRELOAD=/usr/lib64/libjemalloc.so.2

[3]  Restart the server

    # restart-dirsrv

[4]  Check if libjemalloc was loaded

    # ps -ef | grep slapd
    # lsof -p PID_OF_SLAPD
   
  ---> libjemalloc is not listed

[5]  Disable selinux and restart the server:

    # setenforce 0
    # restart-dirsrv

[5]  Redo "lsof" test and now libjemalloc is listed


In Fedora 28 and RHEL 8 we need LD_PRELOADing working out of the box for 389-ds-base.

Thanks!
Comment 1 mreynolds 2018-04-24 14:26:21 UTC 
Sorry I left out a step between steps [2] and [3]

[2.5]  Create instance of 389-ds-base

    # setup-ds.pl -s -f INSTALL_FILE

I am attaching the install text file next (it assumes localhost.localdonmain for hostname, but very easy to change in file)
Comment 2 mreynolds 2018-04-24 14:27:51 UTC 
Created attachment 1426089 [details]
INSTALL_FILE mentioned in comment 1

Put this file in /tmp and then run the setup as follows:

# setup-ds.pl -s -f /tmp/setup.inf
Comment 3 Fedora Update System 2018-05-24 14:36:55 UTC 
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
Comment 4 Fedora Update System 2018-05-25 18:43:07 UTC 
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
Comment 5 Fedora Update System 2018-05-26 20:44:56 UTC 
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.