Description of problem:
SELinux in enforcing mode prevents normal operation of the OpenLDAP init script.

Version-Release number of selected component (if applicable):
openldap-2.4.18-5

Steps to Reproduce:
1. Install openldap and openldap-servers
2. Turn SELinux on
3. setenforce 1
4. restorecon -v -R /etc/openldap/ /var/run/ /var/lib/
5. service slapd start

Actual results:
SELinux prevents creating the hard link /var/run/slapd.pid to /var/run/openldap/slapd.pid

Expected results:
Hard link is created

Detailed info gathered using sealert -l (partially in Czech):

Summary:
SELinux is preventing /bin/ln "link" access on slapd.pid.

Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by ln. It is not expected that this access is required by ln and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:
Source Context                unconfined_u:system_r:initrc_t:s0
Target Context                unconfined_u:object_r:slapd_var_run_t:s0
Target Objects                slapd.pid [ file ]
Source                        ln
Source Path                   /bin/ln
Port                          <Unknown>
Host                          vbox-f12
Source RPM Packages           coreutils-7.6-5.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-40.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     vbox-f12
Platform                      Linux vbox-f12 2.6.31.5-115.fc12.x86_64 #1 SMP Tue Nov 3 23:56:19 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Thu Nov 5 11:20:43 2009
Last Seen                     Thu Nov 5 11:30:52 2009
Local ID                      5642691b-0414-4bb8-bf5d-7ef62b8ca744
Line Numbers

Raw Audit Messages
node=vbox-f12 type=AVC msg=audit(1257417052.171:81): avc: denied { link } for pid=2221 comm="ln" name="slapd.pid" dev=dm-0 ino=227 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:slapd_var_run_t:s0 tclass=file

node=vbox-f12 type=SYSCALL msg=audit(1257417052.171:81): arch=c000003e syscall=86 success=yes exit=0 a0=7fffb6348f4d a1=7fffb6348f69 a2=0 a3=7fffb6347810 items=0 ppid=2182 pid=2221 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ln" exe="/bin/ln" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Some other information:

ps -eZ | grep initrc:
system_u:system_r:initrc_t:s0 1226 ? 00:00:00 vboxadd-service

rpm -q selinux-policy:
selinux-policy-3.6.32-40.fc12.noarch

When switching to Permissive mode, everything seems to work.
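As an added illustration (not part of the bug report or of the openldap package), the following parser reads the two raw audit records quoted above, pairs the AVC record with its SYSCALL record by audit serial, and reports the source type, target type, object class and denied permission together with whether the syscall was actually blocked (enforcing) or only logged (permissive), plus the minimal TE rule a tool such as audit2allow would derive. The sample input is the report's own records, embedded as a constant.

```python
import re

# Constructed sample: the two audit records from the sealert output in the report above.
RAW_AUDIT = """\
node=vbox-f12 type=AVC msg=audit(1257417052.171:81): avc: denied { link } for pid=2221 comm="ln" name="slapd.pid" dev=dm-0 ino=227 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:slapd_var_run_t:s0 tclass=file
node=vbox-f12 type=SYSCALL msg=audit(1257417052.171:81): arch=c000003e syscall=86 success=yes exit=0 a0=7fffb6348f4d a1=7fffb6348f69 a2=0 a3=7fffb6347810 items=0 ppid=2182 pid=2221 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ln" exe="/bin/ln" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
"""

# key=value tokens: bare words, "quoted strings" or (parenthesised) values such as key=(null)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_fields(text):
    """Turn 'k=v k="quoted v" k=(null)' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def type_of(context):
    """unconfined_u:system_r:initrc_t:s0 -> initrc_t (the type is the third field)."""
    return context.split(':')[2]

def parse_audit(raw):
    """Group AVC and SYSCALL records by audit serial; return one dict per denial."""
    denials = {}
    for line in raw.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        entry = denials.setdefault(m.group(2), {})
        if ' type=AVC ' in line:
            perms, rest = AVC_RE.search(line).groups()
            f = parse_fields(rest)
            entry.update(perms=perms.split(), comm=f['comm'], name=f.get('name'),
                         source=type_of(f['scontext']), target=type_of(f['tcontext']),
                         tclass=f['tclass'])
        elif ' type=SYSCALL ' in line:
            # success=yes means permissive mode merely logged the access; success=no means it was blocked
            entry['enforced'] = parse_fields(line)['success'] == 'no'
    return list(denials.values())

def allow_rule(d):
    """Minimal TE rule covering the denial (the shape audit2allow would emit)."""
    return f"allow {d['source']} {d['target']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"

if __name__ == "__main__":
    for d in parse_audit(RAW_AUDIT):
        mode = "enforcing (blocked)" if d["enforced"] else "permissive (logged only)"
        print(f"{d['comm']} {d['perms']} on {d['name']}: {d['source']} -> {d['target']}, {mode}")
        print("  rule:", allow_rule(d))
```

On the report's records this yields initrc_t -> slapd_var_run_t:file { link } with the syscall marked permissive, which is why the reporter saw the link succeed under setenforce 0 but not under setenforce 1.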
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and the reason for this action are here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Is this issue still present? It should have been fixed by new policy in selinux combined with some modifications to openldap init script. Please let me know if these problems persist.
Works for me now. Thanks!
Perfect. I'm closing this bug then.