Description of problem:
Slapd fails to start because of AVC

avc: denied { map } for pid=1782 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=1

(This log comes from permissive mode).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.14.fc27.noarch
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
The bug is not fixed in selinux-policy-targeted-3.13.1-283.16.fc27.noarch.

nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc: denied { getattr } for pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan named[1761]: configuring command channel from '/etc/rndc.key'
nov 20 21:33:54 myhost.mydomain.lan named[1761]: command channel listening on ::1#953
nov 20 21:33:54 myhost.mydomain.lan named[1761]: could not open entropy source /dev/random: permission denied
nov 20 21:33:54 myhost.mydomain.lan named[1761]: using pre-chroot entropy source /dev/random
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc: denied { map } for pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB0126 mmap: Permission denied
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_open: database "dc=mydomain,dc=lan" cannot be opened, err 13. Restore from backup!
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB1566 txn_checkpoint interface requires an environment configured for the transaction subsystem
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": txn_checkpoint failed: Invalid argument (22).
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: backend_startup_one (type=bdb, suffix="dc=mydomain,dc=lan"): bi_db_open failed! (13)
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": alock_close failed

There are also logs for an unrelated bug about named not being able to open /dev/random. Could you fix this also?
Hmm, your system looks mislabeled. Could you run:

# restorecon -Rv /

And then try to reproduce your issue.

Thanks,
Lukas.
I did fixfiles -v -F / before the above report.
To me, scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 seems correct. Isn't it?
Sorry, I meant fixfiles -v -F relabel
Issue still persists with selinux-policy-targeted-3.13.1-283.17.fc27.noarch.
ping
Marek,

Could you try to reproduce this issue with selinux-policy-targeted-3.13.1-283.19.fc27.noarch? This build is in the updates-testing repo. You can install it with:

# dnf update selinux-policy --enablerepo=updates-testing

Lukas.
Hello Lukas,

thanks for the fix. It works.

# dnf update selinux-policy --enablerepo=updates-testing
# fixfiles -v -F relabel
# cd /var/named/chroot
# restorecon -R -v . # see #1525641
# reboot

No complaints about slapd. Reverted to enforcing mode.

Marek
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
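
Added example (not part of the bug report or of selinux-policy): a Python parser for the AVC records quoted in this thread that reduces each denial to source type, target type, class and permission, which is the information the label-versus-policy question above turns on. The function names are hypothetical and the rule-style output is only a compact summary format.

```python
import re
from collections import defaultdict

# AVC records and one non-AVC line, copied from the log excerpts in this report.
SAMPLE = '''\
avc: denied { map } for pid=1782 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=1
nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc: denied { getattr } for pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc: denied { map } for pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB0126 mmap: Permission denied
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record, nothing reliable to report
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is always the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def denial_summary(text):
    """Group denials by (source type, target type, class); one rule-style line each."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == '__main__':
    for rule in denial_summary(SAMPLE):
        print(rule)
```

The two slapd records collapse into a single slapd_t/slapd_db_t entry, separate from the named_t/named_zone_t denial on /dev/random that the thread treats as a different bug.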