Description of problem: In F28 we need to bundle jemalloc for 389-ds-base, and preload it. But selinux is preventing libjemalloc from being preloaded: # semodule -DB # ausearch -m AVC ---- time->Tue Apr 24 04:15:41 2018 type=AVC msg=audit(1524557741.999:497): avc: denied { siginh } for pid=16828 comm="ds_systemd_ask_" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0 ---- time->Tue Apr 24 04:15:42 2018 type=AVC msg=audit(1524557742.038:498): avc: denied { noatsecure } for pid=16833 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process permissive=0 ``` I'm reproducing this on F26 thru rawhide. How to reproduce: [1] # dnf install 389-ds-base jemalloc [2] # vi /etc/sysconfig/dirsrv add at the bottom: LD_PRELOAD=/usr/lib64/libjemalloc.so.2 [3] Restart the server # restart-dirsrv [4] Check if libjemalloc was loaded # ps -ef | grep slapd # lsof -p PID_OF_SLAPD ---> libjemalloc is not listed [5] Disable selinux and restart the server: # setenforce 0 # restart-dirsrv [5] Redo "lsof" test and now libjemalloc is listed In Fedora 28 and RHEL 8 we need LD_PRELOADing working out of the box for 389-ds-base. Thanks!
Sorry I left out a step between steps [2] and [3] [2.5] Create instance of 389-ds-base # setup-ds.pl -s -f INSTALL_FILE I am attaching the install text file next (it assumes localhost.localdonmain for hostname, but very easy to change in file)
Created attachment 1426089 [details] INSTALL_FILE mentioned in comment 1 Put this file in /tmp and then run the setup as follows: # setup-ds.pl -s -f /tmp/setup.inf
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.