Bug 462514 - MLS: ldap service won't start
Summary: MLS: ldap service won't start
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-09-16 20:03 UTC by Robert Story
Modified: 2008-11-17 22:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:05:48 UTC
Type: ---
Embargoed:



Description Robert Story 2008-09-16 20:03:17 UTC
Description of problem:
# run_init service ldap start
Authenticating root.
Password:
could not open session
/etc/openldap/ldap.keytab is not readable by "ldap"        [WARNING]
could not open session
/etc/openldap/cacerts/cacert.pem is not readable by "ldap" [WARNING]
could not open session
/etc/openldap/slapd.pem is not readable by "ldap"          [WARNING]
could not open session
/etc/openldap/slapd.key is not readable by "ldap"          [WARNING]
Checking configuration files for slapd:                    [FAILED]
could not open session

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-87.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ldap on f9 mls system
2. configure it
3. run_init service ldap start
  
Actual results:
see error messages above

Expected results:


Additional info:
type=AVC msg=audit(1221578948.488:498): avc:  denied  { search } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc:  denied  { create } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc:  denied  { search } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc:  denied  { write } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc:  denied  { nlmsg_relay } for  pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc:  denied  { audit_write } for  pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc:  denied  { read } for  pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket

Not sure what the heck the sshd_t is doing in there. Removed that from the policy audit2allow generated, and all worked well. Resulting policy:


module myldap 1.0.4;

require {
        type initrc_t;
        class capability audit_write;
        class key search;
        class netlink_audit_socket { write nlmsg_relay create read };
}

#============= initrc_t ==============
allow initrc_t self:capability audit_write;
allow initrc_t self:key search;
allow initrc_t self:netlink_audit_socket { write nlmsg_relay create read };

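The denials quoted in this report can be turned into allow rules mechanically, which is what audit2allow did for the reporter; the one judgement call is the denial whose target context is sshd_t rather than initrc_t itself, which the reporter dropped by hand. The following Python script is an added example and is not part of the bug report or of the selinux-policy project: it parses the seven AVC lines above (the input is the report's own log, not constructed), groups them into rules using "self" where source and target type match, and keeps cross-domain denials such as the initrc_t-to-sshd_t key search out of the generated module as commented lines for review. The function names, the regex and the module name are the example's own assumptions; the output mirrors the .te layout shown in the report.

```python
import re
from collections import defaultdict

# The AVC lines from the bug report above, verbatim (not constructed).
AVC_LOG = """\
type=AVC msg=audit(1221578948.488:498): avc:  denied  { search } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc:  denied  { create } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc:  denied  { search } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc:  denied  { write } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc:  denied  { nlmsg_relay } for  pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc:  denied  { audit_write } for  pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc:  denied  { read } for  pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
"""

# Matches the permission set and the three context fields of an AVC denial.
# The lazy ".*?" skips per-class extras such as "capability=29" or "path=...".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(log):
    """Parse AVC denial lines into dicts of source type, target type, class, perms."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a line this regex does not understand)
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def fmt_perms(perms):
    """Render a permission set the way checkpolicy expects: bare or braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_rules(denials):
    """Merge denials per (source, target, class); split self rules from cross-domain ones."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    self_rules, cross_rules = [], []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        rule = f"allow {stype} {target}:{tclass} {fmt_perms(perms)};"
        (self_rules if stype == ttype else cross_rules).append(rule)
    return self_rules, cross_rules


def render_module(name, version, denials):
    """Emit a .te module; cross-domain rules are left commented out for review."""
    self_rules, cross_rules = build_rules(denials)
    # Require every type and class seen, so the module compiles once a reviewer
    # chooses to uncomment a cross-domain rule.
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]].update(d["perms"])
    out = [f"module {name} {version};", "", "require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += self_rules
    if cross_rules:
        out += ["", "# Cross-domain denials: review before allowing"]
        out += ["# " + r for r in cross_rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("myldap", "1.0.4", parse_denials(AVC_LOG)))
```

Run as a script it prints a module whose allow lines are the three self rules from the report, with the sshd_t key rule present only as a commented line. The split is the useful part: a denial whose target type is another domain's (here a key owned by sshd_t, leaked into the run_init session) is exactly the kind of rule that should be questioned rather than pasted into policy, which is what the reporter did by hand.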
Comment 1 Daniel Walsh 2008-09-23 20:10:20 UTC
Fixed in selinux-policy-3_3_1-94_fc9

Comment 2 Daniel Walsh 2008-11-17 22:05:48 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

