Bug 174855 - Need SELinux policy for Admin Server
Status: CLOSED DUPLICATE of bug 442228
Product: 389
Classification: Community
Component: Admin
i386 Linux
medium Severity medium
Assigned To: Rich Megginson
Chandrasekar Kannan
Duplicates: 175199
Reported: 2005-12-02 15:38 EST by Andrey Klochko
Modified: 2015-01-04 18:19 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-07-01 09:32:50 EDT

Attachments
strace -f /opt/fedora-ds/start-admin output (146.17 KB, text/plain)
2005-12-02 15:38 EST, Andrey Klochko
strace -f /opt/fedora-ds/start-admin output with string size set to 128 (179.23 KB, text/plain)
2005-12-02 16:13 EST, Andrey Klochko
Output of: grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat' (12.76 KB, text/plain)
2007-07-20 19:13 EDT, David Keegel

Description Andrey Klochko 2005-12-02 15:38:38 EST
Description of problem:

Admin Server doesn't start

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. rpm -i fedora-ds-1.0-2.FC4.i386.opt.rpm

Actual results:

Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/filev4ufdJ 2>&1]
(error: No such file or directory)

Expected results:

Additional info:
output of 
strace -f /opt/fedora-ds/start-admin
is attached. It seems there is a problem loading libnspr4.so library by
Comment 1 Andrey Klochko 2005-12-02 15:38:38 EST
Created attachment 121782 [details]
strace -f /opt/fedora-ds/start-admin output
Comment 2 Rich Megginson 2005-12-02 15:54:31 EST
Hmm - is this an SELinux thing?  What's the full output?  In the strace log, it
is truncated:
{"cannot enable executable stack a"..., 56}, {": ", 2}, {"Permission denied",
17}, {"\n", 1}],

"cannot enable executable stack" looks like some sort of selinux problem.  Also
check your /var/log/messages and /var/log/secure.

If all else fails, try changing your selinux policy:
edit /etc/selinux/config
change SELINUX=enforcing
to SELINUX=permissive
and reboot.
Comment 3 Andrey Klochko 2005-12-02 16:13:56 EST
Created attachment 121783 [details]
strace -f /opt/fedora-ds/start-admin output with string size set to 128
Comment 4 Andrey Klochko 2005-12-02 16:14:33 EST
Yes, selinux was the culprit.
Anyway, I've attached the full strace output.


Comment 5 Rich Megginson 2005-12-02 16:37:16 EST
So, did you set the selinux policy to permissive?  And the problem went away?
Comment 6 Andrey Klochko 2005-12-02 16:44:15 EST
Yes, that is correct.
Now I'm able to run admin server just fine.
Comment 7 Rich Megginson 2005-12-16 11:21:36 EST
We really need an explicit SELinux policy for Admin Server, so that you can run
the system with SELinux enforcing.
Comment 8 Kevin Unthank 2006-01-30 13:34:04 EST
*** Bug 175199 has been marked as a duplicate of this bug. ***
Comment 9 David Keegel 2007-07-20 01:56:28 EDT
This problem (FDS admin server won't start on FC4 when selinux is enforcing)
still exists with FDS 1.0.4 on FC4.

Do we have any other options now apart from making SELinux permissive?
Comment 10 Karl MacMillan 2007-07-20 10:13:35 EDT
Can you provide any avc messages in /var/log/messages (perhaps via audit2allow <

Also - enforcing / permissive can be toggled with /usr/sbin/setenforce (1 for
enforcing 0 for permissive). No reboot is required and the state is reset to the
value in /etc/selinux/config on boot.
Comment 11 Rich Megginson 2007-07-20 10:16:45 EDT
Karl, I think the problem is that the SELinux profiles for directory server and
admin server didn't go into Fedora until FC5.
Comment 12 Karl MacMillan 2007-07-20 10:28:20 EDT
Without a policy it should run unconfined - so it should work fine.
Comment 13 David Keegel 2007-07-20 19:12:00 EDT
There was nothing in /var/log/messages (or even in the syslog file that gets
debug.*), but thanks to the man page for audit2allow, I found the SELinux
messages in /var/log/audit/audit.log.

Here is an example message:
type=AVC msg=audit(1184909713.024:4052): avc:  denied  { execstack } for  pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process

I will attach the output (66 lines) of:
 grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat' 
Comment 14 David Keegel 2007-07-20 19:13:24 EDT
Created attachment 159712 [details]
Output of: grep avc /var/log/audit/audit.log |grep -v 'dmidecode\|ping\|netstat'
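Added example (not part of the original bug report and not 389 project code): a small Python parser for AVC records like the one quoted in comment 13, grouping denials by command, source context, class and permission so that the executable-memory denials stand out. The ignore list mirrors the grep -v filter above but matches only the comm field; all sample log lines except the first are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the denial quoted in comment 13;
# lines 2 and 3 are made up (a filtered command and a non-AVC record).
SAMPLE_LOG = """\
type=AVC msg=audit(1184909713.024:4052): avc:  denied  { execstack } for  pid=3105 comm="httpd.worker" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=process
type=AVC msg=audit(1184909714.100:4053): avc:  denied  { read write } for  pid=3110 comm="ping" name="tty" scontext=root:system_r:ping_t tcontext=root:object_r:devpts_t tclass=chr_file
type=SYSCALL msg=audit(1184909713.024:4052): arch=40000003 syscall=125 success=no exit=-13 comm="httpd.worker"
"""

# Commands excluded by the grep -v in comment 13 (matched on comm= only here).
IGNORED_COMMS = {"dmidecode", "ping", "netstat"}
# SELinux permissions that gate executable memory rather than file access.
EXEC_MEMORY_PERMS = {"execstack", "execmem", "execheap", "execmod"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\(\d+\.\d+:\d+\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    return rec

def summarize(log_text, ignore_comms=IGNORED_COMMS):
    """Count denials per (comm, scontext, tclass, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("comm") in ignore_comms:
            continue
        for perm in rec["perms"]:
            counts[(rec.get("comm"), rec.get("scontext"), rec.get("tclass"), perm)] += 1
    return counts

def exec_memory_denials(counts):
    """Keys whose permission is an executable-memory check (e.g. execstack)."""
    return sorted(k for k in counts if k[3] in EXEC_MEMORY_PERMS)

if __name__ == "__main__":
    for (comm, scontext, tclass, perm), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {comm}  {scontext}  {tclass}:{perm}")
```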
Comment 15 Karl MacMillan 2007-07-24 09:27:10 EDT
The execstack permission isn't present in the FC4 kernels - are you using a
custom kernel? If so, you need to update the selinux userland tools and policy
as well.
Comment 17 David Keegel 2007-07-26 02:41:46 EDT
That machine is running pretty standard stuff:
kernel-2.6.17-1.2142_FC4 (.i686.rpm)
fedora-ds-1.0.4-1.Linux   (fedora-ds-1.0.4-1.FC4.i386.opt.rpm)

One unusual thing is that I had previously installed
fedora-ds-1.0.4-1.FC6.i386.opt.rpm, before I noticed the machine was FC4.
I did rpm -e on the FC6 (wrong) version and rm -r /opt/fedora-ds, before I
installed the FC4 rpm, so I assumed the FC6 version would be gone.
Comment 18 Scott Haines 2008-03-03 17:50:47 EST
per bug council on 03/03/2008, setting target DS8.2
Comment 19 Scott Haines 2008-03-03 17:53:25 EST
Unblocking 152373, 249650
Comment 20 Rich Megginson 2008-07-01 09:32:50 EDT

*** This bug has been marked as a duplicate of 442228 ***
