Bug 570333 - selinux: setup-ds-admin.pl cannot start admin server on Fedora 13
Keywords:
Status: CLOSED DUPLICATE of bug 570562
Alias: None
Product: 389
Classification: Retired
Component: Security - General
Version: 1.2.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.6
 
Reported: 2010-03-03 22:01 UTC by Rich Megginson
Modified: 2015-01-04 23:41 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-03-04 18:02:25 UTC
Embargoed:


Attachments
selinux alerts (10.58 KB, application/octet-stream)
2010-03-03 22:01 UTC, Rich Megginson

Description Rich Megginson 2010-03-03 22:01:05 UTC
Created attachment 397671
selinux alerts

platform: Fedora 13 x86_64

The attachment shows the 3 selinux messages.

admin server starts fine using start-ds-admin, just not when started from setup-ds-admin.pl during initial setup.

Comment 1 Nathan Kinder 2010-03-03 22:53:03 UTC
Is the 389-admin-selinux package installed?

What is the output of 'semodule -l | grep dirsrv' when run as root?

Comment 2 Rich Megginson 2010-03-04 00:41:31 UTC
semodule -l | grep dirsrv shows nothing.  389 - nothing.  ldap - shows 1.10.0


Name        : 389-admin-selinux            Relocations: (not relocatable)
Version     : 1.1.11                            Vendor: Fedora Project
Release     : 0.2.a2.fc13                   Build Date: Fri 26 Feb 2010 07:25:11 PM MST
Install Date: Wed 03 Mar 2010 02:45:45 PM MST      Build Host: x86-02.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: 389-admin-1.1.11-0.2.a2.fc13.src.rpm
Size        : 272444                           License: GPLv2 and ASL 2.0
Signature   : RSA/8, Fri 26 Feb 2010 08:03:23 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : SELinux policy for 389 Administration Server
Description :
SELinux policy for the 389 Adminstration Server package.

Name        : selinux-policy               Relocations: (not relocatable)
Version     : 3.7.10                            Vendor: Fedora Project
Release     : 4.fc13                        Build Date: Wed 24 Feb 2010 03:15:00 PM MST
Install Date: Wed 03 Mar 2010 12:16:01 PM MST      Build Host: x86-01.phx2.fedoraproject.org
Group       : System Environment/Base       Source RPM: selinux-policy-3.7.10-4.fc13.src.rpm
Size        : 7050606                          License: GPLv2+
Signature   : RSA/8, Wed 24 Feb 2010 05:05:30 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

Name        : selinux-policy-targeted      Relocations: (not relocatable)
Version     : 3.7.10                            Vendor: Fedora Project
Release     : 4.fc13                        Build Date: Wed 24 Feb 2010 03:15:00 PM MST
Install Date: Wed 03 Mar 2010 12:27:19 PM MST      Build Host: x86-01.phx2.fedoraproject.org
Group       : System Environment/Base       Source RPM: selinux-policy-3.7.10-4.fc13.src.rpm
Size        : 2505008                          License: GPLv2+
Signature   : RSA/8, Wed 24 Feb 2010 04:55:38 PM MST, Key ID 7edc6ad6e8e40fde
Packager    : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux targeted base policy
Description :
SELinux Reference policy targeted base module.

Comment 3 Nathan Kinder 2010-03-04 16:16:09 UTC
(In reply to comment #2)
> semodule -l | grep dirsrv shows nothing.  389 - nothing.  ldap - shows 1.10.0

This is a problem.  You should have two lines returned from this command showing that the dirsrv and dirsrv-admin policy modules are loaded:

  [root@boraras ~]# semodule -l | grep dirsrv
  dirsrv-admin	1.0.0
  dirsrv	1.0.0

The 389-ds-base-selinux and 389-admin-selinux packages should install their respective policy modules on disk in /usr/share/selinux/targeted (dirsrv.pp and dirsrv-admin.pp).  The spec files are then responsible for loading these modules in a post scriptlet by running the following commands:

  semodule -s targeted -i /usr/share/selinux/targeted/dirsrv.pp
  semodule -s targeted -i /usr/share/selinux/targeted/dirsrv-admin.pp

Something must be failing in the post scriptlet on your system.

Comment 4 Rich Megginson 2010-03-04 18:02:25 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=570562

yep - the post scriptlet is failing - the rpm redirects all output to /dev/null, so I ran the commands manually as root:

[root@f13x8664 ~]# semodule -v -s mls -i /usr/share/selinux/mls/dirsrv.pp
semodule: SELinux policy is not managed or store cannot be accessed.
[root@f13x8664 ~]# ll /usr/share/selinux/mls/dirsrv.pp 
-rw-r--r--. 1 root root 120250 Mar  2 13:25 /usr/share/selinux/mls/dirsrv.pp
[root@f13x8664 ~]# semodule -s mls -i /usr/share/selinux/mls/dirsrv.pp
semodule: SELinux policy is not managed or store cannot be accessed.
[root@f13x8664 ~]# echo $?
1
[root@f13x8664 ~]# ll /usr/share/selinux/targeted/dirsrv.pp 
-rw-r--r--. 1 root root 119578 Mar  2 13:25 /usr/share/selinux/targeted/dirsrv.pp
[root@f13x8664 ~]# semodule -v -s targeted -i /usr/share/selinux/targeted/dirsrv.pp 
Attempting to install module '/usr/share/selinux/targeted/dirsrv.pp':
Ok: return value of 0.
Committing changes:
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/sbin/ns-slapd  (system_u:object_r:slapd_exec_t:s0 and system_u:object_r:dirsrv_exec_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!
[root@f13x8664 ~]#

*** This bug has been marked as a duplicate of bug 570562 ***
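
Added example, not part of the original report and not code from the 389 project: because the scriptlet's output went to /dev/null, the failure only surfaced when the admin server would not start. The sketch below checks a captured `semodule -l` listing for the two expected modules and extracts file-context conflicts from captured `semodule -v` output. The function names and sample variables are hypothetical; the samples are constructed from the output quoted in the comments above.

```sh
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# missing_modules LISTING MODULE...
# LISTING is captured `semodule -l` text: module name first, optional version after.
# Prints every expected module that is absent; returns 1 if any is missing.
missing_modules() {
    listing=$1; shift
    rc=0
    for want in "$@"; do
        # Exact match on field 1, so "dirsrv-admin" cannot satisfy "dirsrv".
        if ! printf '%s\n' "$listing" |
            awk -v m="$want" '$1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# fcontext_conflicts OUTPUT
# Pulls file-context clashes out of captured semodule output, one per line:
#   <path> <first context> <second context>
fcontext_conflicts() {
    printf '%s\n' "$1" | sed -n \
        's/.*Multiple different specifications for \([^ ]*\) *(\([^ ]*\) and \([^ )]*\)).*/\1 \2 \3/p'
}

# Constructed samples, modelled on the output quoted in comments 2 to 4.
healthy_listing='dirsrv-admin  1.0.0
dirsrv  1.0.0'
broken_listing='ldap  1.10.0'
sample_failure='Committing changes:
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/sbin/ns-slapd  (system_u:object_r:slapd_exec_t:s0 and system_u:object_r:dirsrv_exec_t:s0).
semodule:  Failed!'

# Demo on the samples. On a live system, as root, pass "$(semodule -l)" and
# the captured output of the semodule -i command instead.
missing_modules "$broken_listing" dirsrv dirsrv-admin ||
    echo "the modules listed above are not loaded"
fcontext_conflicts "$sample_failure"
```

Matching on the whole first field matters here: a plain `grep dirsrv` would still print a line if only dirsrv-admin were loaded.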

