Bug 1230240 - start-ds-admin and dirsrv-admin.service start httpd under different SELinux contexts
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: Admin
Version: 10.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: DS10.1
Assignee: mreynolds
QA Contact: Viktor Ashirov
Duplicates: 1280259
Depends On: 1273451
 
Reported: 2015-06-10 13:25 UTC by Viktor Ashirov
Modified: 2020-09-13 21:48 UTC

Fixed In Version: 389-admin-1.1.44-1.el7dsrv
Doc Type: Bug Fix
Last Closed: 2016-11-07 15:38:48 UTC



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | 389ds 389-ds-base issues 1624 | 0 | None | None | None | 2020-09-13 21:32:53 UTC
Github | 389ds 389-ds-base issues 1990 | 0 | None | None | None | 2020-09-13 21:48:01 UTC
Red Hat Knowledge Base (Solution) | 2048443 | 0 | None | None | None | 2020-02-14 17:36:13 UTC
Red Hat Product Errata | RHBA-2016:2665 | 0 | normal | SHIPPED_LIVE | Red Hat Directory Server bug fix and enhancement update | 2016-11-07 20:38:00 UTC

Description Viktor Ashirov 2015-06-10 13:25:55 UTC
Description of problem:
start-ds-admin and dirsrv-admin.service start httpd under different SELinux contexts. This causes the pidfile and socket to be created with different labels, which causes an inability to restart the Admin server from the GUI Console.

/usr/sbin/start-ds-admin:
if [ -z "yes" ] ; then
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi
fi

$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"


Version-Release number of selected component (if applicable):
389-admin-1.1.42-1.el7dsrv.x86_64

How reproducible:
always

Steps to Reproduce:
1. start Admin server using start-ds-admin
2. stop Admin server
3. start Admin server using systemctl start dirsrv-admin

Actual results:
# start-ds-admin 
# ps -Zaux | grep [h]ttpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0  0.1 165132 3028 ? Ss 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8310 0.0  0.1 165116 2104 ? S 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0  0.3 771604 6144 ? Sl 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid


# systemctl start dirsrv-admin
# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      8226  0.0  0.1 165132  3020 ?        Ss   17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      8227  0.0  0.1 165116  2100 ?        S    17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    nobody    8228  0.0  0.3 771604  6136 ?        Sl   17:13   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid


Expected results:
start-ds-admin should not use unconfined_t for httpd. 

Additional info:

Comment 6 Noriko Hosoi 2016-07-21 17:31:04 UTC
*** Bug 1280259 has been marked as a duplicate of this bug. ***

Comment 8 Viktor Ashirov 2016-09-13 13:41:11 UTC
Builds tested:
389-admin-1.1.44-1.el7dsrv.x86_64
selinux-policy-3.13.1-97.el7.noarch

[0 root@qeos-141 ~]# start-ds-admin 
[0 root@qeos-141 ~]# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      2969  0.3  0.1  39224  2712 ?        S    09:37   0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0    root      2970  0.0  0.4 171004  8880 ?        Ss   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2971  0.0  0.1 166068  2884 ?        S    09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    dirsrv    2972  0.6  0.7 777744 14028 ?        Sl   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
[0 root@qeos-141 ~]# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid



[0 root@qeos-141 ~]# systemctl start dirsrv-admin
[0 root@qeos-141 ~]# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0    root      2969  0.0  0.1  39224  2712 ?        S    09:37   0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0    root      2970  0.0  0.4 171004  8880 ?        Ss   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2971  0.0  0.1 166068  2884 ?        S    09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    dirsrv    2972  0.0  0.7 777744 14028 ?        Sl   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
[0 root@qeos-141 ~]# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid

Marking as VERIFIED.
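
Added example, not part of the bug report or of 389-admin: a shell check that automates the comparison made by hand in the description and in comment 8, flagging Admin Server httpd processes that are not in the httpd_t domain. The function names are hypothetical, and the sample input is copied from the `ps -Zaux` output quoted in the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
ADMIN_CONF="/etc/dirsrv/admin-serv/httpd.conf"  # httpd config path from the report
EXPECTED_TYPE="httpd_t"                         # domain the report shows under systemd

# Read `ps -Zaux` output on stdin. Print "PID TYPE" for each Admin Server
# httpd process that is outside EXPECTED_TYPE.
# Exit status: 0 all in expected domain, 1 mismatch found, 2 no process seen.
check_httpd_domains() {
    awk -v conf="$ADMIN_CONF" -v want="$EXPECTED_TYPE" '
        index($0, "-f " conf) == 0 { next }   # skip unrelated processes
        {
            seen++
            split($1, ctx, ":")               # user:role:type:level[:categories]
            if (ctx[3] != want) { print $3, ctx[3]; bad++ }
        }
        END { if (!seen) exit 2; if (bad) exit 1 }
    '
}

# Print field N (1=user, 2=role, 3=type) of an SELinux context string,
# e.g. the output of: stat -c %C /var/run/dirsrv/admin-serv.pid
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Sample input: lines copied from the report's output (389-admin-1.1.42).
SAMPLE_BEFORE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0  0.1 165132 3028 ? Ss 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0  0.3 771604 6144 ? Sl 17:14   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf'
# Sample input: lines copied from comment 8 (389-admin-1.1.44).
SAMPLE_AFTER='system_u:system_r:httpd_t:s0    root      2969  0.3  0.1  39224  2712 ?        S    09:37   0:00 /usr/libexec/nss_pcache 196609 off /etc/dirsrv/admin-serv
system_u:system_r:httpd_t:s0    dirsrv    2972  0.6  0.7 777744 14028 ?        Sl   09:37   0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf'

# Run the check over both samples and show the exit status for each.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    rc=0
    out=$(printf '%s\n' "$sample" | check_httpd_domains) || rc=$?
    echo "status=$rc ${out:+mismatches: $out}"
done
```

On a live host the same function takes `ps -Zaux | check_httpd_domains`, and `context_field "$(stat -c %C /var/run/dirsrv/admin-serv.pid)" 1` returns the SELinux user of the pidfile label, the field that differs between the two runs in the description.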

Comment 10 errata-xmlrpc 2016-11-07 15:38:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2665.html

