Bug 735509 - Need systemd policy for 389-ds-base and 389-admin
Summary: Need systemd policy for 389-ds-base and 389-admin
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-02 20:47 UTC by Rich Megginson
Modified: 2011-11-29 22:03 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-29 22:03:53 UTC


Attachments (Terms of Use)

Description Rich Megginson 2011-09-02 20:47:35 UTC
Using systemctl to start a 389-ds-base instance on F16 gives this message:

Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400 audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Using systemctl to start 389-admin on F16 gives these messages:

Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400 audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Comment 1 Miroslav Grepl 2011-09-05 05:51:38 UTC
(In reply to comment #0)
> Using systemctl to start a 389-ds-base instance on F16 gives this message:
> 
> Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400
> audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd"
> name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=file
> 
Fixing.

> Using systemctl to start 389-admin on F16 gives these messages:
> 
> Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400
> audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393
> comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

How are labelled CGI scripts in /usr/lib(64)?/dirsrv/cgi-bin directroy?

# ls -lZ /usr/lib64/dirsrv/cgi-bin

Comment 2 Rich Megginson 2011-09-06 15:55:35 UTC
The directory is labeled
system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0

the files are labeled the same

Comment 3 Rich Megginson 2011-09-08 13:12:32 UTC
Was there more info you needed?

Comment 4 Daniel Walsh 2011-11-23 14:45:08 UTC
Is this issue still open?

Comment 5 Rich Megginson 2011-11-28 15:18:45 UTC
(In reply to comment #4)
> Is this issue still open?

Yes.  Do you need any more info?

Comment 6 Miroslav Grepl 2011-11-29 08:41:01 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Is this issue still open?
> 
> Yes.  Do you need any more info?

So are you still getting both AVC msgs?

Comment 7 Rich Megginson 2011-11-29 22:03:53 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > Is this issue still open?
> > 
> > Yes.  Do you need any more info?
> 
> So are you still getting both AVC msgs?

Nope.  Was this fixed in policy?  If so, what version?


Note You need to log in before you can comment on or make changes to this bug.