Description of problem:
slapd fails when using openldap-servers-sql with postgresql

Version-Release number of selected component (if applicable):
openldap-servers-sql-2.3.19-4
openldap-servers-2.3.19-4
postgresql-server-8.1.3-1
postgresql-odbc-08.01.0200-1.2
unixODBC-2.2.11-6.2.1

How reproducible:
100 %

Steps to Reproduce:
1. configure FedoraCore using SELINUX=enforcing
2. configure slapd for using postgres
3. start slapd using the init script /etc/init.d/slapd start
4. check for slapd still running using /etc/init.d/slapd status
5. Read /var/log/messages

Actual results:
slapd crashes directly after startup with the following audit entries in /var/log/messages

Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.479:46): avc: denied { unix_read unix_write } for pid=3218 comm="slaptest" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.531:47): avc: denied { unix_read unix_write } for pid=3225 comm="slapd" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:11:01 rlxrz01 kernel: audit(1145643061.583:48): avc: denied { write } for pid=3226 comm="slapd" name=".s.PGSQL.5432" dev=dm-0 ino=672233 scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file

Expected results:
it should simply work and not crash :-)

Additional info:
running slapd as root by starting it directly from the command line using
# slapd -d9
works just fine
Almost forgot: you have to add -u to slaptestflag in /etc/init.d/ldap to get around the test, which will fail due to almost the same problem.

Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.622:49): avc: denied { unix_read unix_write } for pid=3425 comm="slaptest" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.650:50): avc: denied { write } for pid=3425 comm="slaptest" name=".s.PGSQL.5432" dev=dm-0 ino=672233 scontext=root:system_r:slapd_t:s0 tcontext=root:object_r:postgresql_tmp_t:s0 tclass=sock_file
Apr 21 20:41:37 rlxrz01 kernel: audit(1145644897.690:51): avc: denied { unix_read unix_write } for pid=3429 comm="slaptest" key=2030075928 scontext=root:system_r:slapd_t:s0 tcontext=root:system_r:unconfined_t:s0-s0:c0.c255 tclass=sem
Dan, maybe the ldap init script runs a program that happens to transition to unconfined_t to create a semaphore for ldap's use?
But then it would be running in initrc_t not unconfined_t???? Dan
Heiko, is there a process running under a user account that is trying to communicate with ldap?
Heiko, could you send us your configuration setup?
Created attachment 129780: config files for odbc and slapd
Fixed in selinux-policy-2.3.6-3.fc5
Sorry, forgot to mention: works after upgrading selinux policies.