Bug 570333
| Summary: | selinux: setup-ds-admin.pl cannot start admin server on Fedora 13 | | |
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | Rich Megginson <rmeggins> |
| Component: | Security - General | Assignee: | Nathan Kinder <nkinder> |
| Status: | CLOSED DUPLICATE | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 1.2.6 | CC: | benl, rmeggins |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-03-04 18:02:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 543590 | | |
| Attachments: | | | |
Is the 389-admin-selinux package installed? What is the output of 'semodule -l | grep dirsrv' when run as root?

semodule -l | grep dirsrv shows nothing. 389 - nothing. ldap - shows 1.10.0

```
Name        : 389-admin-selinux            Relocations: (not relocatable)
Version     : 1.1.11                       Vendor: Fedora Project
Release     : 0.2.a2.fc13                  Build Date: Fri 26 Feb 2010 07:25:11 PM MST
Install Date: Wed 03 Mar 2010 02:45:45 PM MST      Build Host: x86-02.phx2.fedoraproject.org
Group       : System Environment/Daemons   Source RPM: 389-admin-1.1.11-0.2.a2.fc13.src.rpm
Size        : 272444                       License: GPLv2 and ASL 2.0
Signature   : RSA/8, Fri 26 Feb 2010 08:03:23 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : SELinux policy for 389 Administration Server
Description :
SELinux policy for the 389 Adminstration Server package.

Name        : selinux-policy               Relocations: (not relocatable)
Version     : 3.7.10                       Vendor: Fedora Project
Release     : 4.fc13                       Build Date: Wed 24 Feb 2010 03:15:00 PM MST
Install Date: Wed 03 Mar 2010 12:16:01 PM MST      Build Host: x86-01.phx2.fedoraproject.org
Group       : System Environment/Base      Source RPM: selinux-policy-3.7.10-4.fc13.src.rpm
Size        : 7050606                      License: GPLv2+
Signature   : RSA/8, Wed 24 Feb 2010 05:05:30 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

Name        : selinux-policy-targeted      Relocations: (not relocatable)
Version     : 3.7.10                       Vendor: Fedora Project
Release     : 4.fc13                       Build Date: Wed 24 Feb 2010 03:15:00 PM MST
Install Date: Wed 03 Mar 2010 12:27:19 PM MST      Build Host: x86-01.phx2.fedoraproject.org
Group       : System Environment/Base      Source RPM: selinux-policy-3.7.10-4.fc13.src.rpm
Size        : 2505008                      License: GPLv2+
Signature   : RSA/8, Wed 24 Feb 2010 04:55:38 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux targeted base policy
Description :
SELinux Reference policy targeted base module.
```

(In reply to comment #2)
> semodule -l | grep dirsrv shows nothing. 389 - nothing. ldap - shows 1.10.0

This is a problem. You should have two lines returned from this command showing that the dirsrv and dirsrv-admin policy modules are loaded:

```
[root@boraras ~]# semodule -l | grep dirsrv
dirsrv-admin 1.0.0
dirsrv 1.0.0
```

The 389-ds-base-selinux and 389-admin-selinux packages should install their respective policy modules on disk in /usr/share/selinux/targeted (dirsrv.pp and dirsrv-admin.pp). The spec files are then responsible for loading these modules in a post scriptlet by running the following commands:

```
semodule -s targeted -i /usr/share/selinux/targeted/dirsrv.pp
semodule -s targeted -i /usr/share/selinux/targeted/dirsrv-admin.pp
```

Something must be failing in the post scriptlet on your system.

https://bugzilla.redhat.com/show_bug.cgi?id=570562

yep - the post scriptlet is failing - the rpm redirects all output to /dev/null, so I ran the commands manually as root:

```
[root@f13x8664 ~]# semodule -v -s mls -i /usr/share/selinux/mls/dirsrv.pp
semodule: SELinux policy is not managed or store cannot be accessed.
[root@f13x8664 ~]# ll /usr/share/selinux/mls/dirsrv.pp
-rw-r--r--. 1 root root 120250 Mar 2 13:25 /usr/share/selinux/mls/dirsrv.pp
[root@f13x8664 ~]# semodule -s mls -i /usr/share/selinux/mls/dirsrv.pp
semodule: SELinux policy is not managed or store cannot be accessed.
[root@f13x8664 ~]# echo $?
1
[root@f13x8664 ~]# ll /usr/share/selinux/targeted/dirsrv.pp
-rw-r--r--. 1 root root 119578 Mar 2 13:25 /usr/share/selinux/targeted/dirsrv.pp
[root@f13x8664 ~]# semodule -v -s targeted -i /usr/share/selinux/targeted/dirsrv.pp
Attempting to install module '/usr/share/selinux/targeted/dirsrv.pp':
Ok: return value of 0.
Committing changes:
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/sbin/ns-slapd (system_u:object_r:slapd_exec_t:s0 and system_u:object_r:dirsrv_exec_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
[root@f13x8664 ~]#
```

*** This bug has been marked as a duplicate of bug 570562 ***
Created attachment 397671
selinux alerts

platform: Fedora 13 x86_64

The attachment shows the 3 selinux messages. admin server starts fine using start-ds-admin, just not when started from setup-ds-admin.pl during initial setup.
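The two failure signals in this report (a policy module absent from the `semodule -l` listing, and one path bound to two contexts in file_contexts) can be checked from captured text, since the rpm scriptlet discards its own errors. This is an added example, not part of the original bug thread: the function names `missing_modules` and `conflicting_specs` and the sample text are constructed for illustration, and the conflict check is a simplification that keys on an identical path spec plus file-type field.

```shell
#!/bin/sh
# Added example: offline checks over captured text; no SELinux tools are invoked.

# Constructed sample of `semodule -l` output ("name version" per line).
SAMPLE_MODULES='ldap 1.10.0
dirsrv-admin 1.0.0'

# Constructed sample of file_contexts entries ("path-spec [file-type] context").
SAMPLE_FC='# constructed entries
/usr/sbin/ns-slapd -- system_u:object_r:slapd_exec_t:s0
/usr/sbin/ns-slapd -- system_u:object_r:dirsrv_exec_t:s0
/usr/sbin/httpd -- system_u:object_r:httpd_exec_t:s0'

# missing_modules LISTING NAME...: print every NAME not present in LISTING.
# The first field is compared exactly, so "dirsrv-admin" does not satisfy a
# check for "dirsrv" the way a plain `grep dirsrv` would.
missing_modules() {
    listing=$1; shift
    for want in "$@"; do
        printf '%s\n' "$listing" |
            awk -v m="$want" '$1 == m { found = 1 } END { exit !found }' ||
            printf '%s\n' "$want"
    done
}

# conflicting_specs: read file_contexts text on stdin and print
# "path first-context other-context" for each path spec (with the same
# file-type field) that is assigned more than one context.
conflicting_specs() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            ctx = $NF
            key = $1 (NF == 3 ? " " $2 : "")
            if (key in seen && seen[key] != ctx) print $1, seen[key], ctx
            else seen[key] = ctx
        }'
}

# Stand-alone run over the constructed samples.
missing_modules "$SAMPLE_MODULES" dirsrv dirsrv-admin
printf '%s\n' "$SAMPLE_FC" | conflicting_specs
```

On a live system the inputs would be the real `semodule -l` output and the policy store's file_contexts file; a non-empty result from either function corresponds to the symptoms shown in the thread.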