Bug 576427
| Summary: | starting dirsrv-admin in current selinux policy fails | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | lejeczek <peljasz> |
| Component: | 389-admin | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | nhosoi, nkinder, rmeggins |
| Target Milestone: | --- | Keywords: | screened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-03-29 20:38:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
There is already a dirsrv-admin selinux module in testing for the 389-admin component. What version of 389-ds-base and 389-admin are you using? What AVCs do you receive when you attempt to start the dirsrv-admin service? 389-admin-selinux-1.1.11-0.2.a2.fc13.x86_64 389-ds-base-1.2.6-0.2.a2.fc13.x86_64 389-admin-1.1.11-0.2.a2.fc13.x86_64 these denials don't seem to be audited What does 'semodule -l | grep dirsrv' show? We do have some known issues we are working on with regards to the policy modules not being properly loaded due to recent changes in the base selinux policy. We plan to resolve these before the next testing release of 389. dirsrv 1.0.0 (In reply to comment #4) > dirsrv 1.0.0 Ok, this shows that the dirsrv-admin module is not loaded, even though 389-admin-selinux is installed. Please run the following as root and put the error(s) in this bug: 'semodule -i /usr/share/selinux/targeted/dirsrv-admin.pp' libsepol.expand_terule_helper: conflicting TE rule for (httpd_t, var_run_t:dir): old was httpd_var_run_t, new is dirsrv_var_run_t libsepol.expand_module: Error during expand libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed! This is a duplicate of bug 570912. *** This bug has been marked as a duplicate of bug 570912 *** |
Description of problem: this standard-way generated module is a quick fix: require { type user_tmp_t; type dirsrv_var_run_t; type dirsrv_var_log_t; type security_t; type user_devpts_t; type httpd_t; type dirsrv_share_t; type dirsrv_lib_t; type dirsrv_config_t; class sock_file { create setattr }; class chr_file { read write append }; class dir { write search getattr remove_name add_name }; class file { execute read lock create write getattr open }; } allow httpd_t dirsrv_config_t:dir getattr; allow httpd_t dirsrv_config_t:dir search; allow httpd_t dirsrv_config_t:file { read lock getattr open }; allow httpd_t dirsrv_lib_t:dir search; allow httpd_t dirsrv_lib_t:file { read getattr open execute }; allow httpd_t dirsrv_share_t:dir search; allow httpd_t dirsrv_var_log_t:dir { write add_name }; allow httpd_t dirsrv_var_log_t:file create; allow httpd_t dirsrv_var_run_t:dir remove_name; allow httpd_t dirsrv_var_run_t:dir { write search add_name }; allow httpd_t dirsrv_var_run_t:file { write create open }; allow httpd_t dirsrv_var_run_t:sock_file { create setattr }; allow httpd_t security_t:file { read open }; allow httpd_t user_devpts_t:chr_file { read write append }; allow httpd_t user_tmp_t:file write; Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: