Bug 189621
| Summary: | slapd with postgresql backend won't start | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Heiko Jakob <buffalo> | ||||
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5 | CC: | dwalsh, fenlason, nalin, pgraner | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-2.3.6-3.fc5 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-10-20 20:08:46 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Almost forgot:
You have to add -u to slaptestflag in /etc/init.d/ldap to get around the test
which will fail due to almost the same problem.
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.622:49): avc: denied {
unix_read unix_write } for pid=3425 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.650:50): avc: denied { write
} for pid=3425 comm="slaptest" name=".s.PGSQL.5432" dev=dm-0 ino=672233
scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
tclass=sock_file
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.690:51): avc: denied {
unix_read unix_write } for pid=3429 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Dan, maybe the ldap init script run a program that happens to transition to unconfined_t to create a semaphore for ldap's use? But then it would be running in initrc_t not unconfined_t???? Dan Heiko, it there a process running as by a user account that is trying to communicate with ldap? Heiko could you send us your configuration setup. Created attachment 129780 [details]
config files for odbc and slapd
Fixed in selinux-policy-2.3.6-3.fc5 Sorry forgot to mention: Works after upgrading selinux policies |
Description of problem: slapd fails when using openldap-servers-sql with postgresql Version-Release number of selected component (if applicable): openldap-servers-sql-2.3.19-4 openldap-servers-2.3.19-4 postgresql-server-8.1.3-1 postgresql-odbc-08.01.0200-1.2 unixODBC-2.2.11-6.2.1 How reproducible: 100 % Steps to Reproduce: 1. configure FedoraCore using SELINUX=enforcing 2. configure slapd for using postgres 2. start slapd using the init script /etc/init.d/slapd start 3. check for slapd still running using /etc/init.d/slapd status 4. Read /var/log/messages Actual results: slapd crashes directly after startup with the following audit entries in /var/log/messages Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.479:46): avc: denied { unix_read unix_write } for pid=3218 comm="slaptest" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.531:47): avc: denied { unix_read unix_write } for pid=3225 comm="slapd" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.583:48): avc: denied { write } for pid=3226 comm="slapd" name=".s.PGSQL.5432" dev=dm-0 ino=672233 scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file Expected results: it should simply work and not crash :-) Additional info: running slapd as root by starting it directly from the command line using # slapd -d9 works just fine