Bug 622882
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/sbin/ns-slapd "getattr" access to /usr/lib64/dirsrv. |
| Product | [Retired] 389 |
| Component | Security - General |
| Version | 1.2.6 |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | high |
| Hardware | All |
| OS | Linux |
| Reporter | Rich Megginson <rmeggins> |
| Assignee | Nathan Kinder <nkinder> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl |
| Doc Type | Bug Fix |
| Last Closed | 2010-09-29 14:51:49 UTC |
| Bug Blocks | 434915, 543590 |

This has to do with the change made for fixing bug 594745. We removed the dirsrv_lib_t label and labeled our libs as the default of lib_t. When a label is removed (by removing a policy module), any files using that label are changed to use unlabeled_t. For the attached AVC, we can see that /usr/lib64/dirsrv is using the unlabeled_t label, yet the policy default is lib_t. The files owned by the 389-ds-base package are supposed to be relabelled by calling fixfiles from the specfile. Perhaps this scriptlet is not working?

*** Bug 622880 has been marked as a duplicate of this bug. ***

This bug only affects upgrades from 1.2.6.rc5 to 1.2.6.rc6 or later. I've tried:

clean install - no problem
1.2.5 -> 1.2.6 - no problem
1.2.6.a1 -> 1.2.6.rc6 - no problem

I've added a warning about this to the release notes.

Created attachment 437946: avc

This was on F-13 but I suspect it may affect other platforms. This happened after upgrading to the 389-ds-base-1.2.6.rc6.
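
A triage helper for the situation described in this bug, added here as an example (not code from the bug report or the 389 project): it picks out AVC denials whose target context is unlabeled_t, which point to stale file labels that need a relabel rather than a missing policy rule. The audit records are constructed samples, and the function names, the dirsrv_t source domain and the example-plugin.so path are assumptions.

```shell
#!/bin/sh
# Added example: find AVC denials whose target type is unlabeled_t.

# Constructed sample audit records (not the AVC attached to this bug).
# The dirsrv_t source domain and example-plugin.so are assumptions.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1281456000.101:201): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/usr/lib64/dirsrv" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1281456000.102:202): avc:  denied  { read } for  pid=2101 comm="ns-slapd" path="/etc/example.conf" dev=dm-0 ino=1002 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1281456000.103:203): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/usr/lib64/dirsrv/example-plugin.so" dev=dm-0 ino=1003 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1281456000.104:204): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/usr/lib64/dirsrv" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
EOF
}

# Read audit records on stdin; print each distinct path whose tcontext
# type field (user:role:type:level) is unlabeled_t.
unlabeled_targets() {
    awk '
    /avc: +denied/ {
        path = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/)     { path = $i; sub(/^path=/, "", path); gsub(/"/, "", path) }
            if ($i ~ /^tcontext=/) { tctx = $i; sub(/^tcontext=/, "", tctx) }
        }
        split(tctx, ctx, ":")
        if (ctx[3] == "unlabeled_t" && path != "" && !seen[path]++) print path
    }'
}

# Dry run: show what restorecon would change under each path read from stdin.
# -n makes no changes; drop it to actually relabel.
preview_relabel() {
    while IFS= read -r p; do
        if command -v restorecon >/dev/null 2>&1 && [ -e "$p" ]; then
            restorecon -n -v -R "$p"
        else
            echo "skipped (restorecon or path missing): $p"
        fi
    done
}

# Stand-alone run on the constructed sample; on a real host use e.g.
#   ausearch -m avc -ts recent | unlabeled_targets | preview_relabel
sample_avcs | unlabeled_targets
```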