Bug 735509

Summary: Need systemd policy for 389-ds-base and 389-admin
Product: Fedora
Component: selinux-policy
Version: 16
Status: CLOSED CURRENTRELEASE
Reporter: Rich Megginson <rmeggins>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl, nhosoi, nkinder, rmeggins
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-29 22:03:53 UTC

Description Rich Megginson 2011-09-02 20:47:35 UTC
Using systemctl to start a 389-ds-base instance on F16 gives this message:

Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400 audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Using systemctl to start 389-admin on F16 gives these messages:

Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400 audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
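
The two AVC records above are the whole substance of the report, so here is how a policy maintainer would triage them before deciding between a local module and a distro policy fix. This is an added example, not code from the bug or from the selinux-policy package: a small Python parser that does what `audit2allow` does by hand (extract source type, target type, object class and permissions from each `avc: denied` line, collapse them into TE allow rules, and wrap them in a loadable `.te` module), and additionally flags denials that stock policy already gates behind a boolean, so they never need a local rule. The sample log lines are constructed copies of the two records in the description; the `KNOWN_BOOLEANS` table (mapping the `httpd_t` to `ldap_port_t` `name_connect` denial to `httpd_can_connect_ldap`) is an assumption about current Fedora policy and should be confirmed with `getsebool -a` on the host.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the bug report above,
# in the kernel-prefixed form they take in /var/log/messages on F16.
SAMPLE_LOG = """\
Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400 audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400 audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

# Denials that a stock policy boolean already covers. Assumption about Fedora
# policy: verify on the target host with `getsebool -a` before relying on it.
KNOWN_BOOLEANS = {
    ("httpd_t", "ldap_port_t", "tcp_socket", "name_connect"): "httpd_can_connect_ldap",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant parts of one AVC line, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # A context is user:role:type[:range]; TE rules key on the type field.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """All AVC records in a log, non-AVC lines skipped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def fmt_perms(perms):
    """TE syntax: a bare permission, or a brace-set when there is more than one."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(records):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    by_key = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            by_key[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(by_key.items())]


def boolean_hints(records):
    """Denials that a boolean would cover, so they need no local module at all."""
    hints = {}
    for r in records:
        for perm in r["perms"]:
            boolean = KNOWN_BOOLEANS.get((r["stype"], r["ttype"], r["tclass"], perm))
            if boolean:
                hints[f"{r['stype']} -> {r['ttype']}:{r['tclass']} {perm}"] = boolean
    return hints


def te_module(name, records):
    """Emit loadable policy module source (.te): require block plus allow rules."""
    types, classes = set(), defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        types.update((r["stype"], r["ttype"]))
        classes[r["tclass"]].update(r["perms"])
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for desc, boolean in boolean_hints(recs).items():
        print(f"# {desc}: try `setsebool -P {boolean} on` instead of a local rule")
    print(te_module("local_dirsrv", recs))
```

Run against the two records this prints the boolean hint for the `httpd_t` denial and a module containing `allow dirsrv_t sysfs_t:file read;`. The sysfs read is the one that is a genuine gap in the shipped policy (the kind of fix Comment 1 promises); as a stopgap it can be built and loaded with `checkmodule -M -m -o local_dirsrv.mod local_dirsrv.te`, `semodule_package -o local_dirsrv.pp -m local_dirsrv.mod` and `semodule -i local_dirsrv.pp`, but a local module should carry only the rules you have reviewed, not everything `audit2allow` would print, and should be removed once the selinux-policy update lands.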

Comment 1 Miroslav Grepl 2011-09-05 05:51:38 UTC
(In reply to comment #0)
> Using systemctl to start a 389-ds-base instance on F16 gives this message:
> 
> Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400
> audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd"
> name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=file
> 
Fixing.

> Using systemctl to start 389-admin on F16 gives these messages:
> 
> Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400
> audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393
> comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

How are the CGI scripts in the /usr/lib(64)?/dirsrv/cgi-bin directory labelled?

# ls -lZ /usr/lib64/dirsrv/cgi-bin

Comment 2 Rich Megginson 2011-09-06 15:55:35 UTC
The directory is labeled
system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0

the files are labeled the same

Comment 3 Rich Megginson 2011-09-08 13:12:32 UTC
Was there more info you needed?

Comment 4 Daniel Walsh 2011-11-23 14:45:08 UTC
Is this issue still open?

Comment 5 Rich Megginson 2011-11-28 15:18:45 UTC
(In reply to comment #4)
> Is this issue still open?

Yes.  Do you need any more info?

Comment 6 Miroslav Grepl 2011-11-29 08:41:01 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Is this issue still open?
> 
> Yes.  Do you need any more info?

So are you still getting both AVC msgs?

Comment 7 Rich Megginson 2011-11-29 22:03:53 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > Is this issue still open?
> > 
> > Yes.  Do you need any more info?
> 
> So are you still getting both AVC msgs?

Nope.  Was this fixed in policy?  If so, what version?