Description of problem: If the nis-server plugin is enabled the 389-ds will fail to start: [12/Jul/2010:18:12:12 -0400] nis-plugin - error connecting rpcbind client socket to the service [12/Jul/2010:18:12:12 -0400] nis-plugin - error creating portmap/rpcbind client socket [12/Jul/2010:18:12:12 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed [12/Jul/2010:18:12:12 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config" Version-Release number of selected component (if applicable): slapi-nis-0.17-4.fc12.x86_64 389-ds-base-1.2.6-0.5.rc3.fc12.x86_64 Additional info: This doesn't appear to be an ABI problem. I rebuilt the plugin against 1.2.6 and it still fails to load.
Is rpcbind running? This is the expected behavior if it isn't running, or there's some error registering with it. Aside: if you're just using this for testing purposes, you can set "nis_plugin_continue_without_portmap_for_testing_only_no_i_really_mean_that=1" in the environment to continue past the error. Clients won't be able to ask rpcbind which port the NIS server will answer, but the in-tree tests already know which port to use, so
Running: # service rpcbind status rpcbind (pid 765) is running... So I poked at it some more: # service dirsrv start Starting dirsrv: GREYOAK-COM...[13/Jul/2010:08:54:03 -0400] nis-plugin - error connecting rpcbind client socket to the service [13/Jul/2010:08:54:04 -0400] nis-plugin - error creating portmap/rpcbind client socket [13/Jul/2010:08:54:04 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed [13/Jul/2010:08:54:04 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config" [FAILED] *** Warning: 1 instance(s) failed to start This is an SELinux issue: type=AVC msg=audit(1279025644.254:1156): avc: denied { name_bind } for pid=2427 comm="ns-slapd" src=890 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket So the question is, do we try to get this into the system policy or add it to the IPA policy?
I guess, as a directory server plugin, it goes wherever the policy for dirsrv_t is defined.
Nathan, can we update the policy to let the server bind to UDP ports in the range named "hi_reserved_port_t"?
Alternatively I have no problem fixing this in the IPA policy, its just that as a standalone package slapi-nis wouldn't work with SELinux. Perhaps a README would address that if I fix it in IPA?
corenet_tcp_bind_all_rpc_ports(dirsrv_t) Should fix the problem.
(In reply to comment #5) > Alternatively I have no problem fixing this in the IPA policy, its just that as > a standalone package slapi-nis wouldn't work with SELinux. Perhaps a README > would address that if I fix it in IPA? That wouldn't really be a suitable fix for the Fedora packages, though. I'd expect 389-ds-base to be usable outside of an IPA context, either with or without this plugin.
(In reply to comment #6) > corenet_tcp_bind_all_rpc_ports(dirsrv_t) > > Should fix the problem. After some out of band conversation, I think we'll need corenet_udp_bind_all_rpc_ports(dirsrv_t), too.
Created attachment 431547 [details] Patch
Pushed to master and 389-ds-base-1.2.6 branches under the trivial fix rule. Counting objects: 7, done. Delta compression using 2 threads. Compressing objects: 100% (4/4), done. Writing objects: 100% (4/4), 484 bytes, done. Total 4 (delta 3), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git f1d509e..b7a93e6 master -> master Counting objects: 7, done. Delta compression using 2 threads. Compressing objects: 100% (4/4), done. Writing objects: 100% (4/4), 486 bytes, done. Total 4 (delta 3), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/ds.git 2570fbb..7b23290 126-local -> 389-ds-base-1.2.6
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
I believe that this has been addressed.
This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide. Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016.
Since the status is MODIFIED, the fix is already included in the current releases. I'm closing this bug with CURRENTRELEASE. Thanks.