Bug 622882
Summary: | SELinux is preventing /usr/sbin/ns-slapd "getattr" access to /usr/lib64/dirsrv.
---|---
Product: | [Retired] 389
Component: | Security - General
Status: | CLOSED WONTFIX
Severity: | high
Priority: | high
Version: | 1.2.6
Hardware: | All
OS: | Linux
Reporter: | Rich Megginson <rmeggins>
Assignee: | Nathan Kinder <nkinder>
QA Contact: | Chandrasekar Kannan <ckannan>
CC: | benl
Doc Type: | Bug Fix
Last Closed: | 2010-09-29 14:51:49 UTC
Bug Blocks: | 434915, 543590

This has to do with the change made for fixing bug 594745. We removed the dirsrv_lib_t label and labeled our libs as the default of lib_t. When a label is removed (by removing a policy module), any files using that label are changed to use unlabeled_t. For the attached AVC, we can see that /usr/lib64/dirsrv is using the unlabeled_t label, yet the policy default is lib_t. The files owned by the 389-ds-base package are supposed to be relabelled by calling fixfiles from the specfile. Perhaps this scriptlet is not working?

*** Bug 622880 has been marked as a duplicate of this bug. ***

This bug only affects upgrades from 1.2.6.rc5 to 1.2.6.rc6 or later. I've tried:

- clean install - no problem
- 1.2.5 -> 1.2.6 - no problem
- 1.2.6.a1 -> 1.2.6.rc6 - no problem

I've added a warning about this to the release notes.

Created attachment 437946: avc

This was on F-13 but I suspect it may affect other platforms. This happened after upgrading to the 389-ds-base-1.2.6.rc6.
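
The condition discussed in this thread (a target left as unlabeled_t after its policy module was removed) can be picked out of the audit log. The script below is an added example, not part of the bug report or the 389 project: it lists AVC targets typed unlabeled_t and prints dry-run `restorecon` commands for review. The function names and the sample records (including the `dirsrv_t` source context) are constructed for illustration and are not the attachment from this bug.

```shell
# SAMPLE_AVC: constructed audit records, not the AVC attached to this bug.
SAMPLE_AVC='type=AVC msg=audit(1281000000.101:41): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/usr/lib64/dirsrv" dev=dm-0 ino=131 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1281000000.102:42): avc:  denied  { getattr } for  pid=2101 comm="ns-slapd" path="/usr/lib64/dirsrv" dev=dm-0 ino=131 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1281000000.103:43): avc:  denied  { read } for  pid=2101 comm="ns-slapd" path="/etc/shadow" dev=dm-0 ino=77 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1281000000.103:43): arch=c000003e syscall=4 success=no comm="ns-slapd"'

# unlabeled_targets: read audit records on stdin and print one
# "<comm> <tclass> <path>" line per distinct target typed unlabeled_t.
# Denials against correctly labeled targets (shadow_t above) are ignored,
# because relabeling would not resolve them.
unlabeled_targets() {
  awk '
    $1 != "type=AVC" || !/ denied / { next }
    {
      comm = path = type = tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)   { comm = $i;   gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^path=/)   { path = $i;   gsub(/^path=|"/, "", path) }
        if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        if ($i ~ /^tcontext=/) {
          # tcontext is user:role:type:level; the type is field 3
          split(substr($i, 10), ctx, ":"); type = ctx[3]
        }
      }
      if (type == "unlabeled_t" && path != "" && !seen[path]++)
        print comm, tclass, path
    }'
}

# relabel_plan: turn the findings into dry-run relabel commands.
# restorecon -n only reports what it would change; drop -n to apply.
relabel_plan() {
  unlabeled_targets | while read -r _comm _tclass path; do
    printf 'restorecon -n -R -v %s\n' "$path"
  done
}

# Stand-alone run over the constructed sample; on a live system feed
# /var/log/audit/audit.log to relabel_plan instead.
printf '%s\n' "$SAMPLE_AVC" | relabel_plan
```
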