Bug 1507476 - slapd can not map it's database to memeory
Summary: slapd can not map it's database to memeory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-30 10:37 UTC by Patrik Kis
Modified: 2018-01-02 16:49 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-300.fc28 selinux-policy-3.13.1-283.19.fc27
Clone Of:
Environment:
Last Closed: 2018-01-02 16:49:53 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Patrik Kis 2017-10-30 10:37:33 UTC 
Description of problem:
The following AVC denial appeared on Fedora rawhide while starting slpad (openldap-servers).

----
type=AVC msg=audit(10/30/2017 10:14:56.519:957) : avc:  denied  { map } for  pid=31226 comm=slapd path=/var/lib/ldap/__db.001 dev="dm-0" ino=18346072 scontext=system_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:slapd_db_t:s0 tclass=file permissive=1 


Version-Release number of selected component (if applicable):
openldap-servers-2.4.45-3.fc27
selinux-policy-3.13.1-298.fc28

How reproducible:
always

Steps to Reproduce:
1. Configure and start slapd

# ls -lZ /var/lib/ldap/__db.001
-rw-------. 1 ldap ldap unconfined_u:object_r:slapd_db_t:s0 352256 Oct 30 10:36 /var/lib/ldap/__db.001
Comment 1 Jason Tibbitts 2017-12-14 17:48:45 UTC 
I just found that this is also an issue in F27 (selinux-policy-3.13.1-283.17.fc27.noarch):

type=AVC msg=audit(1513218886.813:423): avc:  denied  { map } for  pid=981 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-1" ino=393331 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=0

I assume this was fixed in rawhide's 3.13.1-299 via:

 - Allow slapd_t domain to mmap files labeled as slpad_db_t BZ(1505414)

Can this be pulled back to F27?

(Sorry if it's preferred that I open a new ticket rather than reopening this one.  I know there are so many selinux tickets so I thought it would be better to preserve the context.)
Comment 2 Lukas Vrabec 2017-12-18 23:54:14 UTC 
Done, 

Will be part of next SELinux policy F27 update.
Comment 3 Fedora Update System 2017-12-20 11:21:01 UTC 
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 4 Fedora Update System 2017-12-20 11:27:51 UTC 
selinux-policy-3.13.1-283.19.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 5 Fedora Update System 2017-12-21 20:22:56 UTC 
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8225c4e502
Comment 6 Fedora Update System 2018-01-02 16:49:53 UTC 
selinux-policy-3.13.1-283.19.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.