Bug 189621 - slapd with postgresql backend won't start
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-04-21 14:23 EDT by Heiko Jakob
Modified: 2007-11-30 17:11 EST
Fixed In Version: selinux-policy-2.3.6-3.fc5
Doc Type: Bug Fix
Last Closed: 2006-10-20 16:08:46 EDT
Attachments:
config files for odbc and slapd (1.70 KB, application/x-gzip), 2006-05-21 09:08 EDT, Heiko Jakob

Description Heiko Jakob 2006-04-21 14:23:01 EDT
Description of problem:

slapd fails when using openldap-servers-sql with postgresql

Version-Release number of selected component (if applicable):
openldap-servers-sql-2.3.19-4
openldap-servers-2.3.19-4
postgresql-server-8.1.3-1
postgresql-odbc-08.01.0200-1.2
unixODBC-2.2.11-6.2.1



How reproducible:

100 %

Steps to Reproduce:
1. configure Fedora Core using SELINUX=enforcing
2. configure slapd for using postgres
3. start slapd using the init script /etc/init.d/slapd start
4. check for slapd still running using /etc/init.d/slapd status
5. Read /var/log/messages

  
Actual results:

slapd crashes directly after startup with the following audit entries in
/var/log/messages

Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.479:46): avc:  denied  {
unix_read unix_write } for  pid=3218 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.531:47): avc:  denied  {
unix_read unix_write } for  pid=3225 comm="slapd" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.583:48): avc:  denied  { write
} for  pid=3226 comm="slapd" name=".s.PGSQL.5432" dev=dm-0 ino=672233
scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
tclass=sock_file


Expected results:

it should simply work and not crash :-)

Additional info:

running slapd as root by starting it directly from the command line using 
# slapd -d9 

works just fine
Comment 1 Heiko Jakob 2006-04-21 14:36:18 EDT
Almost forgot:
You have to add -u to slaptestflag in /etc/init.d/ldap to get around the test
which will fail due to almost the same problem.

Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.622:49): avc:  denied  {
unix_read unix_write } for  pid=3425 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.650:50): avc:  denied  { write
} for  pid=3425 comm="slaptest" name=".s.PGSQL.5432" dev=dm-0 ino=672233
scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
tclass=sock_file
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.690:51): avc:  denied  {
unix_read unix_write } for  pid=3429 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem


Comment 3 Chris PeBenito 2006-05-15 09:33:33 EDT
Dan, maybe the ldap init script runs a program that happens to transition to
unconfined_t to create a semaphore for ldap's use?
Comment 4 Daniel Walsh 2006-05-15 10:52:31 EDT
But then it would be running in initrc_t not unconfined_t????

Dan
Comment 5 Daniel Walsh 2006-05-15 10:53:59 EDT
Heiko, is there a process running as a user account that is trying to
communicate with ldap?
Comment 6 Daniel Walsh 2006-05-15 11:35:11 EDT
Heiko, could you send us your configuration setup?
Comment 7 Heiko Jakob 2006-05-21 09:08:10 EDT
Created attachment 129780
config files for odbc and slapd
Comment 8 Daniel Walsh 2006-08-11 15:25:59 EDT
Fixed in selinux-policy-2.3.6-3.fc5
Comment 9 Heiko Jakob 2006-10-20 16:07:18 EDT
Sorry forgot to mention:
Works after upgrading selinux policies
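
The AVC denials quoted in the description and in Comment 1 are hard-wrapped across several lines, so line-based filtering misses half of each record. The following added example (not part of the original report and not Fedora tooling) rejoins the wrapped records and counts denials per source type, target type, object class and permission set; the function names are hypothetical and the sample input is copied from the description.

```python
import re
from collections import Counter
# Sample input: the three denials from the description, hard-wrapped as quoted.
SAMPLE = """\
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.479:46): avc:  denied  {
unix_read unix_write } for  pid=3218 comm="slaptest" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.531:47): avc:  denied  {
unix_read unix_write } for  pid=3225 comm="slapd" key=2030075928
scontext=root:system_r:slapd_t:s0
tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.583:48): avc:  denied  { write
} for  pid=3226 comm="slapd" name=".s.PGSQL.5432" dev=dm-0 ino=672233
scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0
tclass=sock_file
"""
AVC = re.compile(r"audit\(\d+\.\d+:\d+\):\s+avc:")
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin records split across lines; other syslog lines end a record."""
    records, in_avc = [], False
    for line in map(str.strip, text.splitlines()):
        if AVC.search(line):
            records.append(line)
            in_avc = True
        elif SYSLOG.match(line):
            in_avc = False
        elif in_avc and line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for rec in unwrap(text):
        perms, f = PERMS.search(rec), dict(FIELD.findall(rec))
        if not perms or not {"scontext", "tcontext", "tclass"} <= f.keys():
            continue
        # A context is user:role:type[:level]; the type is the third field.
        src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
        counts[(src, tgt, f["tclass"], tuple(perms.group(1).split()))] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(SAMPLE).most_common():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Grouped this way, the report reduces to two distinct denials: slapd_t on a semaphore labelled unconfined_t, and slapd_t writing to the PostgreSQL socket file labelled postgresql_tmp_t.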

