Bug 679051

Summary: selinux detection in /usr/sbin/start-ds-admin
Product: [Fedora] Fedora Reporter: Denis Baklikov <denis.baklikov>
Component: 389-adminAssignee: Rich Megginson <rmeggins>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 14CC: nhosoi, nkinder, rmeggins, shaines
Target Milestone: ---Keywords: screened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-28 17:52:25 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Denis Baklikov 2011-02-21 07:41:28 EST
Description of problem:

If confition for selinux detection never ckecks because of [ -z "yes" ] condition.

/usr/sbin/start-ds-admin

if [ -z "yes" ] ; then # always FALSE
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi
fi

Version-Release number of selected component (if applicable):


How reproducible:
/etc/init.d/dirsrv-admin restart


Actual results:
[FAILED] httpd.worker: Could not open configuration file /etc/dirsrv/admin-serv/httpd.conf: Permission denied

Expected results:
[OK]
Comment 1 Nathan Kinder 2011-02-21 11:03:48 EST
(In reply to comment #0)
> Description of problem:
> 
> If confition for selinux detection never ckecks because of [ -z "yes" ]
> condition.
> 
> /usr/sbin/start-ds-admin
> 
> if [ -z "yes" ] ; then # always FALSE
>     if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>         SELINUX_CMD="runcon -t unconfined_t --"
>     fi
> fi
> 

This is by design.  This code makes the admin server run unconfined, which we only want to happen if the admin server was compiled without SELinux support.  Current versions of 389-admin are confined by SELinux policy and are compiled with SELinux support.

> Actual results:
> [FAILED] httpd.worker: Could not open configuration file
> /etc/dirsrv/admin-serv/httpd.conf: Permission denied
> 

What version of 389-ds-base and 389-admin are you running?  I'd also like to know what version of selinux-policy you have installed.  There is a bug that was recently fixed in selinux-policy that you may be running into.

It would also be useful to see if there are any AVC messages that get output in /var/log/audit/audit when you try to start the dirsrv-admin service.
Comment 2 Rich Megginson 2011-02-28 16:24:15 EST
ping - can you help?
Comment 3 Nathan Kinder 2011-03-28 17:52:25 EDT
Closing this since we have not heard back from the reporter.