Bug 174855

Summary: Need SELinux policy for Admin Server
Product: [Retired] 389
Reporter: Andrey Klochko <aklochko>
Component: Admin
Assignee: Rich Megginson <rmeggins>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 1.0
CC: benl, djk, k.georgiou, mclayton
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-01 13:32:50 UTC
Attachments:
strace -f /opt/fedora-ds/start-admin output
strace -f /opt/fedora-ds/start-admin output with string size set to 128
Output of: grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat'

Description Andrey Klochko 2005-12-02 20:38:38 UTC
Description of problem:

Admin Server doesn't start

Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:
1. rpm -i fedora-ds-1.0-2.FC4.i386.opt.rpm
2. /opt/fedora-ds/setup/setup

Actual results:

...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/filev4ufdJ 2>&1]
(error: No such file or directory)
....  

Expected results:


Additional info:
Output of
strace -f /opt/fedora-ds/start-admin
is attached. It seems there is a problem loading the libnspr4.so library by
/usr/sbin/httpd.worker

Comment 1 Andrey Klochko 2005-12-02 20:38:38 UTC
Created attachment 121782
strace -f /opt/fedora-ds/start-admin output

Comment 2 Rich Megginson 2005-12-02 20:54:31 UTC
Hmm - is this an SELinux thing?  What's the full output?  In the strace log, it
is truncated:
{"cannot enable executable stack a"..., 56}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}],

"cannot enable executable stack" looks like some sort of selinux problem.  Also
check your /var/log/messages and /var/log/secure.

If all else fails, try changing your selinux policy:
edit /etc/selinux/config
change SELINUX=enforcing
to SELINUX=permissive
and reboot.


Comment 3 Andrey Klochko 2005-12-02 21:13:56 UTC
Created attachment 121783
strace -f /opt/fedora-ds/start-admin output with string size set to 128

Comment 4 Andrey Klochko 2005-12-02 21:14:33 UTC
Yes, selinux was the culprit.
Anyway, I've attached the full strace output.

Thanks,

Andrey

Comment 5 Rich Megginson 2005-12-02 21:37:16 UTC
So, did you set the selinux policy to permissive?  And the problem went away?

Comment 6 Andrey Klochko 2005-12-02 21:44:15 UTC
Yes, that is correct.
Now I'm able to run admin server just fine.

Comment 7 Rich Megginson 2005-12-16 16:21:36 UTC
We really need an explicit SELinux policy for Admin Server, so that you can run
the system with SELinux enforcing.

Comment 8 Kevin Unthank 2006-01-30 18:34:04 UTC
*** Bug 175199 has been marked as a duplicate of this bug. ***

Comment 9 David Keegel 2007-07-20 05:56:28 UTC
This problem (FDS admin server won't start on FC4 when selinux is enforcing)
still exists with FDS 1.0.4 on FC4.

Do we have any other options now apart from making SELinux permissive?


Comment 10 Karl MacMillan 2007-07-20 14:13:35 UTC
Can you provide any avc messages in /var/log/messages (perhaps via audit2allow <
/var/log/messages)?

Also - enforcing / permissive can be toggled with /usr/sbin/setenforce (1 for
enforcing 0 for permissive). No reboot is required and the state is reset to the
value in /etc/selinux/config on boot.

Comment 11 Rich Megginson 2007-07-20 14:16:45 UTC
Karl, I think the problem is that the SELinux profiles for directory server and
admin server didn't go into Fedora until FC5.

Comment 12 Karl MacMillan 2007-07-20 14:28:20 UTC
Without a policy it should run unconfined - so it should work fine.

Comment 13 David Keegel 2007-07-20 23:12:00 UTC
There was nothing in /var/log/messages (or even in the syslog file that gets
debug.*), but thanks to the man page for audit2allow, I found the SELinux
messages in /var/log/audit/audit.log.

Here is an example message:
type=AVC msg=audit(1184909713.024:4052): avc:  denied  { execstack } for  pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process

I will attach the output (66 lines) of:
 grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat' 
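
The triage described in comment 13, as an added example that is not part of the original bug report: it parses AVC records in the format quoted above and counts denials per command, permission, class and source type. The function names `parse_avc` and `summarize_denials` are hypothetical, every sample record after the first is constructed, and the noise filter matches the `comm` field rather than any substring as the `grep -v` does.

```python
import re
from collections import Counter

# Sample input: the first record is the one quoted in comment 13; the others
# are constructed for this example (a second denial, noise, junk lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184909713.024:4052): avc:  denied  { execstack } for  pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
type=AVC msg=audit(1184909714.100:4053): avc:  denied  { execstack } for  pid=3106 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
type=AVC msg=audit(1184909720.500:4060): avc:  denied  { read write } for  pid=3200 comm="ping" name="socket" scontext=root:system_r:ping_t tcontext=root:system_r:unconfined_t tclass=tcp_socket
type=SYSCALL msg=audit(1184909720.501:4060): arch=40000003 syscall=11 success=yes exit=0
this line is truncated avc: denied {
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()  # "{ read write }" -> two perms
    rec["serial"] = int(m.group("serial"))
    return rec


def summarize_denials(log_text, ignore_comms=("dmidecode", "ping", "netstat")):
    """Count denials per (comm, permission, tclass, source type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec.get("comm") in ignore_comms:
            continue
        # Context is user:role:type[:level]; tolerate a short or missing one.
        source_type = (rec.get("scontext", "").split(":") + ["?"] * 3)[2]
        for perm in rec["perms"]:
            counts[(rec.get("comm"), perm, rec.get("tclass"), source_type)] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(n, *key)
```
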


Comment 14 David Keegel 2007-07-20 23:13:24 UTC
Created attachment 159712
Output of: grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat'

Comment 15 Karl MacMillan 2007-07-24 13:27:10 UTC
The execstack permission isn't present in the FC4 kernels - are you using a
custom kernel? If so, you need to update the selinux userland tools and policy
as well.

Comment 17 David Keegel 2007-07-26 06:41:46 UTC
That machine is running pretty standard stuff:
kernel-2.6.17-1.2142_FC4 (.i686.rpm)
selinux-policy-targeted-1.27.1-2.28
httpd-2.0.54-10.4
fedora-ds-1.0.4-1.Linux   (fedora-ds-1.0.4-1.FC4.i386.opt.rpm)

One unusual thing is that I had previously installed
fedora-ds-1.0.4-1.FC6.i386.opt.rpm, before I noticed the machine was FC4.
I did rpm -e on the FC6 (wrong) version and rm -r /opt/fedora-ds, before I
installed the FC4 rpm, so I assumed the FC6 version would be gone.

Comment 18 Scott Haines 2008-03-03 22:50:47 UTC
per bug council on 03/03/2008, setting target DS8.2

Comment 19 Scott Haines 2008-03-03 22:53:25 UTC
Unblocking 152373, 249650

Comment 20 Rich Megginson 2008-07-01 13:32:50 UTC

*** This bug has been marked as a duplicate of 442228 ***