Bug 679051 - selinux detection in /usr/sbin/start-ds-admin
selinux detection in /usr/sbin/start-ds-admin
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: 389-admin (Show other bugs)
14
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Rich Megginson
Fedora Extras Quality Assurance
: screened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-21 07:41 EST by Denis Baklikov
Modified: 2011-04-25 19:27 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-03-28 17:52:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Denis Baklikov 2011-02-21 07:41:28 EST
Description of problem:

If confition for selinux detection never ckecks because of [ -z "yes" ] condition.

/usr/sbin/start-ds-admin

if [ -z "yes" ] ; then # always FALSE
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi
fi

Version-Release number of selected component (if applicable):


How reproducible:
/etc/init.d/dirsrv-admin restart


Actual results:
[FAILED] httpd.worker: Could not open configuration file /etc/dirsrv/admin-serv/httpd.conf: Permission denied

Expected results:
[OK]
Comment 1 Nathan Kinder 2011-02-21 11:03:48 EST
(In reply to comment #0)
> Description of problem:
> 
> If confition for selinux detection never ckecks because of [ -z "yes" ]
> condition.
> 
> /usr/sbin/start-ds-admin
> 
> if [ -z "yes" ] ; then # always FALSE
>     if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>         SELINUX_CMD="runcon -t unconfined_t --"
>     fi
> fi
> 

This is by design.  This code makes the admin server run unconfined, which we only want to happen if the admin server was compiled without SELinux support.  Current versions of 389-admin are confined by SELinux policy and are compiled with SELinux support.

> Actual results:
> [FAILED] httpd.worker: Could not open configuration file
> /etc/dirsrv/admin-serv/httpd.conf: Permission denied
> 

What version of 389-ds-base and 389-admin are you running?  I'd also like to know what version of selinux-policy you have installed.  There is a bug that was recently fixed in selinux-policy that you may be running into.

It would also be useful to see if there are any AVC messages that get output in /var/log/audit/audit when you try to start the dirsrv-admin service.
Comment 2 Rich Megginson 2011-02-28 16:24:15 EST
ping - can you help?
Comment 3 Nathan Kinder 2011-03-28 17:52:25 EDT
Closing this since we have not heard back from the reporter.

Note You need to log in before you can comment on or make changes to this bug.