Bug 462514 - MLS: ldap service won't start
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-mls
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-09-16 16:03 EDT by Robert Story
Modified: 2008-11-17 17:05 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:05:48 EST
Description Robert Story 2008-09-16 16:03:17 EDT
Description of problem:
# run_init service ldap start
Authenticating root.
Password:
could not open session
/etc/openldap/ldap.keytab is not readable by "ldap"        [WARNING]
could not open session
/etc/openldap/cacerts/cacert.pem is not readable by "ldap" [WARNING]
could not open session
/etc/openldap/slapd.pem is not readable by "ldap"          [WARNING]
could not open session
/etc/openldap/slapd.key is not readable by "ldap"          [WARNING]
Checking configuration files for slapd:                    [FAILED]
could not open session

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-87.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. install ldap on f9 mls system
2. configure it
3. run_init service ldap start
Actual results:
see error messages above

Expected results:


Additional info:
type=AVC msg=audit(1221578948.488:498): avc:  denied  { search } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc:  denied  { create } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc:  denied  { search } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc:  denied  { write } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc:  denied  { nlmsg_relay } for  pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc:  denied  { audit_write } for  pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc:  denied  { read } for  pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket

Not sure what the heck the sshd_t is doing in there... Removed that from the policy audit2allow generated, and all worked well. Resulting policy:

module myldap 1.0.4;

require {
        type initrc_t;
        class capability audit_write;
        class key search;
        class netlink_audit_socket { write nlmsg_relay create read };
}

#============= initrc_t ==============
# runuser (invoked by run_init from initrc_t) needs to write audit records,
# search its own session keyring and talk to the kernel audit subsystem.
allow initrc_t self:capability audit_write;
allow initrc_t self:key search;
allow initrc_t self:netlink_audit_socket { write nlmsg_relay create read };
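As an added example (my own script, not part of the bug report or of audit2allow), the following merges the AVC denials quoted above into allow rules the way audit2allow does, and sets aside any rule whose target type differs from the source type, which is exactly how the stray sshd_t key rule the reporter removed by hand gets flagged for review instead of being loaded unseen. Function and variable names are my own; the input is the report's own audit lines.

```python
import re
from collections import defaultdict

# The seven AVC denials quoted in the bug report, used here as sample input.
AVC_LOG = """\
type=AVC msg=audit(1221578948.488:498): avc:  denied  { search } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221578948.491:499): avc:  denied  { create } for  pid=11726 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579304.220:514): avc:  denied  { search } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=key
type=AVC msg=audit(1221579304.223:515): avc:  denied  { write } for  pid=11779 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579488.254:525): avc:  denied  { nlmsg_relay } for  pid=11838 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1221579583.680:540): avc:  denied  { audit_write } for  pid=11884 comm="runuser" capability=29 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1221579583.681:541): avc:  denied  { read } for  pid=11884 comm="runuser" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_audit_socket
"""

# Pull permissions, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)

def sel_type(context):
    """user:role:type:mls-range -> the type field that allow rules use."""
    return context.split(":")[2]

def collect_denials(log):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (sel_type(m["src"]), sel_type(m["tgt"]), m["cls"])
            rules[key] |= set(m["perms"].split())
    return dict(rules)

def split_rules(rules):
    """Self rules (source type == target type) match what audit2allow emitted
    as 'allow initrc_t self:...'; cross-type rules (here initrc_t searching
    an sshd_t key) are returned separately so a human looks at them first."""
    self_rules, review = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        target = "self" if src == tgt else tgt
        line = f"allow {src} {target}:{cls} {perm_str};"
        (self_rules if src == tgt else review).append(line)
    return self_rules, review
```

Calling `split_rules(collect_denials(AVC_LOG))` returns the three self rules of the reporter's module plus one line, `allow initrc_t sshd_t:key search;`, held back for review.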
Comment 1 Daniel Walsh 2008-09-23 16:10:20 EDT
Fixed in selinux-policy-3_3_1-94_fc9
Comment 2 Daniel Walsh 2008-11-17 17:05:48 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.