Bug 572355 - selinux package does not label files correctly
Summary: selinux package does not label files correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.6
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.6 639035
Reported: 2010-03-10 23:34 UTC by Orion Poplawski
Modified: 2015-12-07 17:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:15:38 UTC
Embargoed:


Attachments (Terms of Use)
0001-Bug-572355-Relabel-instance-files-and-ports-at-upgra.patch (1.98 KB, patch)
2010-03-23 01:25 UTC, Endi Sukma Dewata

Description Orion Poplawski 2010-03-10 23:34:41 UTC
Description of problem:

-selinux package uses "fixfiles -R <package>" to label files, but this does not set the labels of the installed servers in /etc/dirsrv/slapd-<name> and /var/.../dirsrv/slapd-<name>.

I think you want something like:

restorecon -R /etc/dirsrv /var/*/dirsrv

Version-Release number of selected component (if applicable):
389-ds-base-selinux-1.2.6-0.2.a2.el5

Comment 1 Nathan Kinder 2010-03-11 01:13:57 UTC
I think that this is something that needs to be taken care of when running 'setup-ds.pl -u' since some of the instance paths may be customized.  The spec file doesn't have any knowledge of where the instance files live right now, which is probably how it should be kept.

Comment 3 Endi Sukma Dewata 2010-03-23 01:25:39 UTC
Created attachment 401899
0001-Bug-572355-Relabel-instance-files-and-ports-at-upgra.patch

The updateDSInstance() has been modified to invoke updateSelinuxPolicy() to set the SELinux labels on instance files and ports.

Comment 4 Rich Megginson 2010-03-23 16:23:07 UTC
Looks ok to me - Nathan?

Comment 5 Nathan Kinder 2010-03-23 18:10:47 UTC
The patch looks good.  Was it tested in an upgrade scenario to ensure no AVCs are seen in the audit log?

Comment 6 Endi Sukma Dewata 2010-03-29 23:39:40 UTC
There seems to be an existing problem with SELinux policy. This was tested on F12. Install the 1.2.6 rpms from testing repo (which doesn't include this patch):

% yum install --enablerepo=updates-testing 389-ds-base 389-ds-base-selinux

Create a new instance (not an upgrade) with setup-ds.pl. The server will start automatically, but the following messages will appear in the audit log:

type=MAC_POLICY_LOAD msg=audit(1269577256.583:778): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1269577256.583:778): arch=40000003 syscall=4 success=yes exit=4795358 a0=4 a1=b7326000 a2=492bde a3=4 items=0 ppid=4378 pid=4380 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1269577367.896:779): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:779): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7acc a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1269577367.896:780): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:780): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7b0c a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
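
The check asked for in comment 5 ("no AVCs in the audit log" after the upgrade) can be scripted. The following is an added example, not code from the bug or the 389 project: it groups audit records by serial number so each AVC line is joined with its SYSCALL line, then lists the denials whose source domain is `dirsrv_t`. The sample input is constructed from the records quoted in this comment.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in comment 6, not a live audit.log.
SAMPLE_AUDIT_LOG = """\
type=MAC_POLICY_LOAD msg=audit(1269577256.583:778): policy loaded auid=0 ses=1
type=AVC msg=audit(1269577367.896:779): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:779): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7acc a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1269577367.896:780): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:780): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7b0c a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
"""

# "type=AVC msg=audit(<secs>:<serial>): <body>"; the serial ties the records of one event together.
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted


def _fields(text):
    """Turn 'k=v k2="v2"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit_log(text):
    """Group audit records by serial so an AVC record can be joined with the
    SYSCALL record of the same event. Returns {serial: {'timestamp', 'avc', 'syscall'}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record (or a format this parser does not handle)
        rec = events[int(m['serial'])]
        rec['timestamp'] = float(m['ts'])
        if m['type'] == 'AVC':
            a = AVC_RE.search(m['body'])
            if a:
                rec['avc'] = {'result': a['result'], 'perms': a['perms'].split(), **_fields(a['fields'])}
        elif m['type'] == 'SYSCALL':
            rec['syscall'] = _fields(m['body'])
    return dict(events)


def denials_for_domain(events, domain):
    """List AVC denials whose source context type is `domain` (e.g. dirsrv_t),
    each joined with exe/exit from its SYSCALL record when that record exists."""
    out = []
    for serial, rec in sorted(events.items()):
        avc = rec.get('avc')
        if not avc or avc['result'] != 'denied':
            continue
        parts = avc.get('scontext', '').split(':')  # user:role:type:level
        if len(parts) < 3 or parts[2] != domain:
            continue
        sc = rec.get('syscall', {})
        out.append({'serial': serial, 'comm': avc.get('comm'), 'perms': avc['perms'],
                    'tclass': avc.get('tclass'), 'exe': sc.get('exe'), 'exit': sc.get('exit')})
    return out
```

An empty result from `denials_for_domain(parse_audit_log(open('/var/log/audit/audit.log').read()), 'dirsrv_t')` after an upgrade is the condition comment 5 asks about; a non-empty one shows which permission and object class the confined domain was refused.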

Comment 7 Nathan Kinder 2010-04-05 22:43:43 UTC
(In reply to comment #6)
> There seems to be an existing problem with SELinux policy. This was tested on
> F12. Install the 1.2.6 rpms from testing repo (which doesn't include this
> patch):
> 
> % yum install --enablerepo=updates-testing 389-ds-base 389-ds-base-selinux
> 
> Create a new instance (not an upgrade) with setup-ds.pl. The server will start
> automatically, but the following messages will appear in the audit log:
> 

<snip>

> type=AVC msg=audit(1269577367.896:780): avc:  denied  { create } for  pid=4469
> comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
> type=SYSCALL msg=audit(1269577367.896:780): arch=40000003 syscall=102
> success=no exit=-13 a0=1 a1=bffc7b0c a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1
> comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0
> key=(null)    

I have been unable to reproduce this on my F12 VM.  My instance is created and started just fine under the confined dirsrv_t domain with no AVCs.  Were you just using the defaults for the install?

Comment 8 Nathan Kinder 2010-04-06 16:45:11 UTC
I have tested the patch in an upgrade scenario on my F-12 system, and the instance files are labelled properly with the instance running in the confined domain after installing the new RPM.  No AVCs are reported in the audit log.

Pushed patch to master.  Thanks for the patch Endi!

Counting objects: 15, done.
Delta compression using 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 816 bytes, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   1f56658..e72f8af  master -> master

Comment 9 Endi Sukma Dewata 2010-04-06 19:27:10 UTC
Thanks Nathan. I was using the defaults, but probably my machine was not properly configured. Sorry about that, thanks for verifying.

Comment 10 Amita Sharma 2011-05-20 12:45:09 UTC
Hi Nathan,

Request you to please guide how should I verify this with RHDS 8.2.

Thanks and Regards,
Amita
