Description of problem:
# run_init service ldap start
Authenticating root.
Password:
could not open session
/etc/openldap/ldap.keytab is not readable by "ldap"      [WARNING]
could not open session
/etc/openldap/cacerts/cacert.pem is not readable by "ldap"      [WARNING]
could not open session
/etc/openldap/slapd.pem is not readable by "ldap"      [WARNING]
could not open session
/etc/openldap/slapd.key is not readable by "ldap"      [WARNING]
Checking configuration files for slapd:                    [FAILED]
could not open session

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-87.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ldap on f9 mls system
2. configure it
3. run_init service ldap start

Actual results:
see error messages above

Expected results:

Additional info:
type=AVC msg=audit(1221578948.488:498): avc: denied { search } for pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc: denied { create } for pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc: denied { search } for pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc: denied { write } for pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc: denied { nlmsg_relay } for pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc: denied { audit_write } for pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc: denied { read } for pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket

Not sure what the heck the sshd_t is doing in there... removed that from the policy audit2allow generated, and all worked well.

Resulting policy:

module myldap 1.0.4;

require {
	type initrc_t;
	class capability audit_write;
	class key search;
	class netlink_audit_socket { write nlmsg_relay create read };
}

#============= initrc_t ==============
allow initrc_t self:capability audit_write;
allow initrc_t self:key search;
allow initrc_t self:netlink_audit_socket { write nlmsg_relay create read };
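The reporter's step of pruning the audit2allow output (dropping the initrc_t -> sshd_t key rule) is worth automating as a review check. The following is an added example, not code from the report or from the selinux-policy project: it parses the AVC lines above, merges them into allow rules keyed on (source type, target type, class) the way audit2allow does, and flags any rule whose target is a different domain than the source so a human looks at it before the module is loaded. The regex and the `context_type` helper are this example's own assumptions about the audit line layout.

```python
import re

# AVC denials copied from the report above; used as the sample input.
AVC_LOG = """\
type=AVC msg=audit(1221578948.488:498): avc: denied { search } for pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc: denied { create } for pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc: denied { search } for pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc: denied { write } for pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc: denied { nlmsg_relay } for pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc: denied { audit_write } for pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc: denied { read } for pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
"""

# Assumed layout of an AVC denial: "denied { perms }" followed later by scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_denials(log):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield context_type(m.group("scon")), context_type(m.group("tcon")), m.group("tclass"), perm

def build_rules(log):
    """Merge denials into allow rules keyed on (source, target, class), like audit2allow.
    Returns (rules, flagged); flagged rules target a domain other than the source
    and deserve review before loading (here: the initrc_t -> sshd_t key search)."""
    perms = {}
    for src, tgt, cls, perm in parse_denials(log):
        perms.setdefault((src, tgt, cls), []).append(perm)
    rules, flagged = [], []
    for (src, tgt, cls), plist in perms.items():
        uniq = list(dict.fromkeys(plist))  # dedupe, keep first-seen order
        target = "self" if src == tgt else tgt
        pstr = uniq[0] if len(uniq) == 1 else "{ " + " ".join(uniq) + " }"
        rule = f"allow {src} {target}:{cls} {pstr};"
        rules.append(rule)
        if src != tgt:
            flagged.append(rule)
    return rules, flagged
```

Calling `build_rules(AVC_LOG)` yields the three self rules that match the reporter's final module plus the cross-domain sshd_t rule in the flagged list; only the unflagged rules belong in the `.te` file unless the cross-domain access is understood.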
Fixed in selinux-policy-3_3_1-94_fc9
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.