Bug 576427 - starting dirsrv-admin in current selinux policy fails
Status: CLOSED DUPLICATE of bug 570912
Product: Fedora
Classification: Fedora
Component: 389-admin
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Rich Megginson
QA Contact: Fedora Extras Quality Assurance
Whiteboard: screened
Reported: 2010-03-23 21:19 EDT by lejeczek
Modified: 2011-04-25 19:27 EDT (History)

Doc Type: Bug Fix
Last Closed: 2010-03-29 16:38:07 EDT

Description lejeczek 2010-03-23 21:19:18 EDT
Description of problem:
this standard-way generated module is a quick fix:

module dirsrv_admin_local 1.0;	# module name assumed; the report does not give one

require {
	type user_tmp_t;
	type dirsrv_var_run_t;
	type dirsrv_var_log_t;
	type security_t;
	type user_devpts_t;
	type httpd_t;
	type dirsrv_share_t;
	type dirsrv_lib_t;
	type dirsrv_config_t;
	class sock_file { create setattr };
	class chr_file { read write append };
	class dir { write search getattr remove_name add_name };
	class file { execute read lock create write getattr open };
}

# httpd_t (the admin server runs under Apache) reading the directory
# server's configuration, libraries and shared files
allow httpd_t dirsrv_config_t:dir getattr;
allow httpd_t dirsrv_config_t:dir search;
allow httpd_t dirsrv_config_t:file { read lock getattr open };
allow httpd_t dirsrv_lib_t:dir search;
allow httpd_t dirsrv_lib_t:file { read getattr open execute };
allow httpd_t dirsrv_share_t:dir search;

# creating log files and pid/socket files in the dirsrv log and run directories
allow httpd_t dirsrv_var_log_t:dir { write add_name };
allow httpd_t dirsrv_var_log_t:file create;
allow httpd_t dirsrv_var_run_t:dir remove_name;
allow httpd_t dirsrv_var_run_t:dir { write search add_name };
allow httpd_t dirsrv_var_run_t:file { write create open };
allow httpd_t dirsrv_var_run_t:sock_file { create setattr };

# access outside the dirsrv types that audit2allow also emitted
allow httpd_t security_t:file { read open };
allow httpd_t user_devpts_t:chr_file { read write append };
allow httpd_t user_tmp_t:file write;

Comment 1 Nathan Kinder 2010-03-24 12:42:30 EDT
There is already a dirsrv-admin selinux module in testing for the 389-admin component.

What version of 389-ds-base and 389-admin are you using?  What AVCs do you receive when you attempt to start the dirsrv-admin service?
Comment 2 lejeczek 2010-03-24 13:10:21 EDT
these denials don't seem to be audited
Comment 3 Nathan Kinder 2010-03-24 14:15:56 EDT
What does 'semodule -l | grep dirsrv' show?

We do have some known issues we are working on with regards to the policy modules not being properly loaded due to recent changes in the base selinux policy.  We plan to resolve these before the next testing release of 389.
Comment 4 lejeczek 2010-03-24 15:41:57 EDT
dirsrv	1.0.0
Comment 5 Nathan Kinder 2010-03-24 15:58:05 EDT
(In reply to comment #4)
> dirsrv 1.0.0    

Ok, this shows that the dirsrv-admin module is not loaded, even though 389-admin-selinux is installed.

Please run the following as root and put the error(s) in this bug:

  'semodule -i /usr/share/selinux/targeted/dirsrv-admin.pp'
Comment 6 lejeczek 2010-03-25 06:04:55 EDT
libsepol.expand_terule_helper: conflicting TE rule for (httpd_t, var_run_t:dir):  old was httpd_var_run_t, new is dirsrv_var_run_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
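The two pieces of evidence in this thread, the audit2allow-generated module in the description and the libsepol conflict in comment 6, are both things a maintainer ends up parsing by hand. The following is an added example (not code from the report, the 389 project or audit2allow) that does that parsing: it reads the posted allow rules, merges the access granted per target type, flags the rules that grant write-like access on types outside the `dirsrv_` prefix (the ones a hand-written policy should justify rather than carry over from a generated quick fix), extracts the conflicting default types from the `expand_terule_helper` message, and checks `semodule -l` output for a module name. The rule text and the two quoted output lines are copied from this bug; the `WRITE_LIKE` set and the prefix heuristic are choices made for this example, not SELinux conventions.

```python
"""Review helpers for an audit2allow-style SELinux module and for semodule
output. Added example; not code from the 389 project or this bug report."""
import re
from collections import defaultdict

# The allow rules below are copied from the module posted in the description.
MODULE_TEXT = """
allow httpd_t dirsrv_config_t:dir getattr;
allow httpd_t dirsrv_config_t:dir search;
allow httpd_t dirsrv_config_t:file { read lock getattr open };
allow httpd_t dirsrv_lib_t:dir search;
allow httpd_t dirsrv_lib_t:file { read getattr open execute };
allow httpd_t dirsrv_share_t:dir search;
allow httpd_t dirsrv_var_log_t:dir { write add_name };
allow httpd_t dirsrv_var_log_t:file create;
allow httpd_t dirsrv_var_run_t:dir remove_name;
allow httpd_t dirsrv_var_run_t:dir { write search add_name };
allow httpd_t dirsrv_var_run_t:file { write create open };
allow httpd_t dirsrv_var_run_t:sock_file { create setattr };
allow httpd_t security_t:file { read open };
allow httpd_t user_devpts_t:chr_file { read write append };
allow httpd_t user_tmp_t:file write;
"""

# Stand-ins built from the command output quoted in comments 4 and 6.
SEMODULE_LIST = "dirsrv\t1.0.0\n"
CONFLICT_LINE = ("libsepol.expand_terule_helper: conflicting TE rule for "
                 "(httpd_t, var_run_t:dir):  old was httpd_var_run_t, "
                 "new is dirsrv_var_run_t")

ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def parse_allow_rules(text):
    """Return [(source_type, target_type, object_class, frozenset(perms))]."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def permissions_by_target(rules):
    """Merge every rule into {target_type: {object_class: sorted perms}} so the
    total access granted on each type can be reviewed at a glance."""
    merged = defaultdict(lambda: defaultdict(set))
    for _, tgt, cls, perms in rules:
        merged[tgt][cls] |= perms
    return {t: {c: sorted(p) for c, p in cs.items()} for t, cs in merged.items()}


# Permissions treated as write-like for review purposes (choice made here).
WRITE_LIKE = {"write", "append", "create", "setattr", "add_name", "remove_name", "execute"}


def rules_outside_prefix(rules, prefix="dirsrv_"):
    """Return rules granting write-like access on types outside the
    application's own type prefix. audit2allow emits whatever was denied, so
    these are the rules a reviewer should justify before loading the module."""
    return [r for r in rules if not r[1].startswith(prefix) and r[3] & WRITE_LIKE]


CONFLICT_RE = re.compile(
    r"conflicting TE rule for \((\w+), (\w+):(\w+)\):\s+old was (\w+), new is (\w+)")


def parse_te_conflict(line):
    """Extract (source, target, class, old_default, new_default) from a libsepol
    expand error, or None for any other line. Two modules that name different
    default types for the same (source, target, class) cannot both be loaded,
    which is why semodule -i fails here."""
    m = CONFLICT_RE.search(line)
    return m.groups() if m else None


def module_is_loaded(semodule_list_output, name):
    """True if `semodule -l` output lists a module called `name`."""
    return any(line.split()[:1] == [name] for line in semodule_list_output.splitlines())


if __name__ == "__main__":
    rules = parse_allow_rules(MODULE_TEXT)
    for rule in rules_outside_prefix(rules):
        print("review:", rule)
    print(parse_te_conflict(CONFLICT_LINE))
    print("dirsrv-admin loaded:", module_is_loaded(SEMODULE_LIST, "dirsrv-admin"))
```

Run against the posted module, `rules_outside_prefix` reports the `user_devpts_t` and `user_tmp_t` rules (the `security_t` rule is read-only and is not flagged), and `parse_te_conflict` recovers that the base policy's default of `httpd_var_run_t` for `httpd_t` creating directories under `var_run_t` collides with the `dirsrv_var_run_t` default the dirsrv-admin module asks for.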
Comment 7 Nathan Kinder 2010-03-29 16:38:07 EDT
This is a duplicate of bug 570912.

*** This bug has been marked as a duplicate of bug 570912 ***
