Bug 174855
Summary: | Need SELinux policy for Admin Server | | |
---|---|---|---|
Product: | [Retired] 389 | Reporter: | Andrey Klochko <aklochko> |
Component: | Admin | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED DUPLICATE | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | medium | Priority: | medium |
Version: | 1.0 | CC: | benl, djk, k.georgiou, mclayton |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2008-07-01 13:32:50 UTC |
Description
Andrey Klochko
2005-12-02 20:38:38 UTC
Created attachment 121782 [details]
strace -f /opt/fedora-ds/start-admin output
Hmm - is this an SELinux thing? What's the full output? In the strace log, it is truncated:

{"cannot enable executable stack a"..., 56}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}],

"cannot enable executable stack" looks like some sort of selinux problem. Also check your /var/log/messages and /var/log/secure.

If all else fails, try changing your selinux policy: edit /etc/selinux/config, change SELINUX=enforcing to SELINUX=permissive, and reboot.

Created attachment 121783 [details]
strace -f /opt/fedora-ds/start-admin output with string size set to 128
Yes, selinux was the culprit. Anyway, I've attached the full strace output.

Thanks,
Andrey

So, did you set the selinux policy to permissive? And the problem went away?

Yes, that is correct. Now I'm able to run admin server just fine.

We really need an explicit SELinux policy for Admin Server, so that you can run the system with SELinux enforcing.

*** Bug 175199 has been marked as a duplicate of this bug. ***

This problem (FDS admin server won't start on FC4 when selinux is enforcing) still exists with FDS 1.0.4 on FC4. Do we have any other options now apart from making SELinux permissive?

Can you provide the avc messages in /var/log/messages (perhaps via audit2allow < /var/log/messages)? Also - enforcing / permissive can be toggled with /usr/sbin/setenforce (1 for enforcing, 0 for permissive). No reboot is required and the state is reset to the value in /etc/selinux/config on boot.

Karl, I think the problem is that the SELinux profiles for directory server and admin server didn't go into Fedora until FC5.

Without a policy it should run unconfined - so it should work fine.

There was nothing in /var/log/messages (or even in the syslog file that gets debug.*), but thanks to the man page for audit2allow, I found the SELinux messages in /var/log/audit/audit.log. Here is an example message:

type=AVC msg=audit(1184909713.024:4052): avc: denied { execstack } for pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process

I will attach the output (66 lines) of:

grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat'

Created attachment 159712 [details]
Output of: grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat'
The execstack permission isn't present in the FC4 kernels - are you using a custom kernel? If so, you need to update the selinux userland tools and policy as well.

That machine is running pretty standard stuff:

kernel-2.6.17-1.2142_FC4 (.i686.rpm)
selinux-policy-targeted-1.27.1-2.28
httpd-2.0.54-10.4
fedora-ds-1.0.4-1.Linux (fedora-ds-1.0.4-1.FC4.i386.opt.rpm)

One unusual thing is that I had previously installed fedora-ds-1.0.4-1.FC6.i386.opt.rpm, before I noticed the machine was FC4. I did rpm -e on the FC6 (wrong) version and rm -r /opt/fedora-ds, before I installed the FC4 rpm, so I assumed the FC6 version would be gone.

per bug council on 03/03/2008, setting target DS8.2

Unblocking 152373, 249650

*** This bug has been marked as a duplicate of 442228 ***
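
The triage step discussed in the thread (grep avc on /var/log/audit/audit.log, filtering out dmidecode, ping and netstat), as an added example that is not part of the original bug report: it parses AVC denial records and counts them per command, source type, target type, class and permission. The sample log is constructed (its first record follows the execstack denial quoted in the thread), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in audit.log AVC format; the first record mirrors the
# execstack denial quoted in the thread, the rest are made up for the demo.
SAMPLE_LOG = """\
type=AVC msg=audit(1184909713.024:4052): avc:  denied  { execstack } for  pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
type=AVC msg=audit(1184909713.030:4053): avc:  denied  { execstack execmem } for  pid=3106 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
type=AVC msg=audit(1184909720.100:4060): avc:  denied  { read } for  pid=3200 comm="ping" name="resolv.conf" scontext=root:system_r:ping_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1184909713.024:4052): arch=40000003 syscall=125 success=no exit=-13 comm="httpd.worker"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NOISE = {"dmidecode", "ping", "netstat"}  # commands the thread excludes with grep -v

def parse_avc(line):
    """Return the key=value fields of one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()  # one record can deny several permissions
    return rec

def domain(context):
    """Type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text, ignore=NOISE):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("comm") in ignore:
            continue
        for perm in rec["perms"]:
            key = (rec.get("comm"), domain(rec.get("scontext", "")),
                   domain(rec.get("tcontext", "")), rec.get("tclass"), perm)
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A summary grouped this way shows at a glance which confined domain is being denied which permission, which is the information a policy author needs before running audit2allow on the same records.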