Bug 767225 - Error with /usr/sbin/setup-ds-admin.pl
Summary: Error with /usr/sbin/setup-ds-admin.pl
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: 389-admin
Version: el5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-12-13 15:08 UTC by David Spurek
Modified: 2020-09-13 20:23 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.25-1.el5
Doc Type: Bug Fix
Last Closed: 2013-12-18 19:47:10 UTC
Type: ---


Attachments
Comment (75.27 KB, text/plain)
2013-02-07 10:55 UTC, David Spurek


Links
System: Github
ID: 389ds 389-ds-base issues 586
Private: 0
Priority: None
Status: closed
Summary: selinux errors with /usr/sbin/setup-ds-admin.pl
Last Updated: 2020-10-20 15:13:22 UTC

Description David Spurek 2011-12-13 15:08:32 UTC
Description of problem:
When I run /usr/sbin/setup-ds-admin.pl, the script fails with
Creating directory server . . .
/usr/bin/pwdhash-bin: error while loading shared libraries: libslapd.so.0: cannot open shared object file: No such file or directory

Version-Release number of selected component (if applicable):
389-admin-1.1.23-1.el5
389-ds-base-1.2.9.9-1.el5

How reproducible:
always

Steps to Reproduce:
1. Run /usr/sbin/setup-ds-admin.pl
2. Set up with:

Would you like to continue with set up? yes
Do you agree to the license terms? yes
Would you like to continue? yes
Choose a setup type 2
Computer name `hostname`
System User nobody
System Group nobody
configuration directory server? no

administrator ID admin
Password: foobartmp

Administration Domain foobar.com
Directory server network port 389
Directory server identifier foobar
Suffix "dc=foo,dc=bar,dc=com"

Directory Manager DN  "cn=Manager"
Password: foobartmp

Administration port 9830

Are you ready to set up your servers? [yes]: yes

  
Actual results:

Creating directory server . . .
/usr/bin/pwdhash-bin: error while loading shared libraries: libslapd.so.0: cannot open shared object file: No such file or directory
Could not import LDIF file '/tmp/ldifYnRYn3.ldif'.  Error: 32512.  Output: importing data ...
./ns-slapd: error while loading shared libraries: libslapd.so.0: cannot open shared object file: No such file or directory


Expected results:
Correctly set up DS

Additional info:

Comment 1 Rich Megginson 2011-12-13 16:22:10 UTC
rpm -qa|grep 389

Comment 2 David Spurek 2011-12-14 07:09:22 UTC
rpm -qa|grep 389

389-admin-1.1.23-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-ds-base-1.2.9.9-1.el5
389-adminutil-1.1.14-1.el5

Comment 3 Rich Megginson 2011-12-14 14:12:32 UTC
rpm -ql 389-ds-base-libs
rpm -V 389-ds-base-libs

Comment 4 David Spurek 2011-12-15 07:15:53 UTC
rpm -ql 389-ds-base-libs

/usr/lib/dirsrv
/usr/lib/dirsrv/libslapd.so.0
/usr/lib/dirsrv/libslapd.so.0.0.0
/usr/share/doc/389-ds-base-libs-1.2.9.9
/usr/share/doc/389-ds-base-libs-1.2.9.9/EXCEPTION
/usr/share/doc/389-ds-base-libs-1.2.9.9/LICENSE
/usr/share/doc/389-ds-base-libs-1.2.9.9/LICENSE.GPLv2
/usr/share/doc/389-ds-base-libs-1.2.9.9/README.devel


rpm -V 389-ds-base-libs (nothing output, should be ok)

Comment 5 Rich Megginson 2011-12-15 14:15:21 UTC
This is a 32-bit system?
ls -al /usr/lib/dirsrv/libslapd*
ldd /usr/sbin/ns-slapd

Comment 6 David Spurek 2011-12-16 09:45:00 UTC
Yes, this is a 32-bit system.

ls -al /usr/lib/dirsrv/libslapd*

lrwxrwxrwx 1 root root     17 Dec 14 02:04 /usr/lib/dirsrv/libslapd.so.0 -> libslapd.so.0.0.0
-rwxr-xr-x 1 root root 929568 Sep  1 16:40 /usr/lib/dirsrv/libslapd.so.0.0.0

ldd /usr/sbin/ns-slapd

	linux-gate.so.1 =>  (0x001b0000)
	libslapd.so.0 => /usr/lib/dirsrv/libslapd.so.0 (0x00c2e000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x003fd000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00153000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0x0010b000)
	libpcre.so.0 => /lib/libpcre.so.0 (0x0083d000)
	libssldap60.so => /usr/lib/libssldap60.so (0x00b58000)
	libprldap60.so => /usr/lib/libprldap60.so (0x00932000)
	libldap60.so => /usr/lib/libldap60.so (0x0093f000)
	libldif60.so => /usr/lib/libldif60.so (0x0093a000)
	libssl3.so => /usr/lib/libssl3.so (0x07154000)
	libnss3.so => /usr/lib/libnss3.so (0x06de1000)
	libplc4.so => /usr/lib/libplc4.so (0x06ddb000)
	libplds4.so => /usr/lib/libplds4.so (0x06dd5000)
	libnspr4.so => /usr/lib/libnspr4.so (0x00683000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x071b5000)
	libsvrcore.so.0 => /usr/lib/libsvrcore.so.0 (0x008a0000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00884000)
	libc.so.6 => /lib/libc.so.6 (0x006e1000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00512000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00110000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00b2d000)
	libsmime3.so => /usr/lib/libsmime3.so (0x0718b000)
	libsoftokn3.so => /usr/lib/libsoftokn3.so (0x00d9d000)
	libdl.so.2 => /lib/libdl.so.2 (0x00868000)
	libnssutil3.so => /usr/lib/libnssutil3.so (0x06f0b000)
	libz.so.1 => /lib/libz.so.1 (0x0086f000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x06da1000)
	/lib/ld-linux.so.2 (0x006c2000)
	libselinux.so.1 => /lib/libselinux.so.1 (0x008f3000)
	libsepol.so.1 => /lib/libsepol.so.1 (0x008ab000)

Comment 7 Rich Megginson 2011-12-16 14:20:06 UTC
Try

/usr/sbin/ns-slapd -v
and
/usr/sbin/ns-slapd -V

readelf -d /usr/lib/dirsrv/libslapd.so.0
ldd /usr/lib/dirsrv/libslapd.so.0

Comment 8 David Spurek 2011-12-19 15:05:05 UTC
/usr/sbin/ns-slapd -v
389 Project
389-Directory/1.2.9.9 B2011.244.2040

/usr/sbin/ns-slapd -V
usage: ns-slapd -D configdir [-d debuglevel] [-i pidlogfile] [-v] [-V]

what is wrong?


readelf -d /usr/lib/dirsrv/libslapd.so.0

Dynamic section at offset 0xdc0d0 contains 37 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libssldap60.so]
 0x00000001 (NEEDED)                     Shared library: [libprldap60.so]
 0x00000001 (NEEDED)                     Shared library: [libldap60.so]
 0x00000001 (NEEDED)                     Shared library: [libldif60.so]
 0x00000001 (NEEDED)                     Shared library: [libsasl2.so.2]
 0x00000001 (NEEDED)                     Shared library: [libsvrcore.so.0]
 0x00000001 (NEEDED)                     Shared library: [libssl3.so]
 0x00000001 (NEEDED)                     Shared library: [libnss3.so]
 0x00000001 (NEEDED)                     Shared library: [libplc4.so]
 0x00000001 (NEEDED)                     Shared library: [libplds4.so]
 0x00000001 (NEEDED)                     Shared library: [libnspr4.so]
 0x00000001 (NEEDED)                     Shared library: [libkrb5.so.3]
 0x00000001 (NEEDED)                     Shared library: [libk5crypto.so.3]
 0x00000001 (NEEDED)                     Shared library: [libcom_err.so.2]
 0x00000001 (NEEDED)                     Shared library: [libpcre.so.0]
 0x00000001 (NEEDED)                     Shared library: [libpthread.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000e (SONAME)                     Library soname: [libslapd.so.0]
 0x0000000c (INIT)                       0x20eec
 0x0000000d (FINI)                       0xac3e4
 0x6ffffef5 (GNU_HASH)                   0xd4
 0x00000005 (STRTAB)                     0xb780
 0x00000006 (SYMTAB)                     0x3470
 0x0000000a (STRSZ)                      43368 (bytes)
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000003 (PLTGOT)                     0xdc32c
 0x00000002 (PLTRELSZ)                   10192 (bytes)
 0x00000014 (PLTREL)                     REL
 0x00000017 (JMPREL)                     0x1e71c
 0x00000011 (REL)                        0x172ac
 0x00000012 (RELSZ)                      29808 (bytes)
 0x00000013 (RELENT)                     8 (bytes)
 0x6ffffffe (VERNEED)                    0x1714c
 0x6fffffff (VERNEEDNUM)                 5
 0x6ffffff0 (VERSYM)                     0x160e8
 0x6ffffffa (RELCOUNT)                   3433
 0x00000000 (NULL)                       0x0



ldd /usr/lib/dirsrv/libslapd.so.0
	linux-gate.so.1 =>  (0x00794000)
	libssldap60.so => /usr/lib/libssldap60.so (0x00c49000)
	libprldap60.so => /usr/lib/libprldap60.so (0x0021a000)
	libldap60.so => /usr/lib/libldap60.so (0x00992000)
	libldif60.so => /usr/lib/libldif60.so (0x00cda000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00873000)
	libsvrcore.so.0 => /usr/lib/libsvrcore.so.0 (0x002d0000)
	libssl3.so => /usr/lib/libssl3.so (0x001a5000)
	libnss3.so => /usr/lib/libnss3.so (0x002d4000)
	libplc4.so => /usr/lib/libplc4.so (0x006ea000)
	libplds4.so => /usr/lib/libplds4.so (0x002c8000)
	libnspr4.so => /usr/lib/libnspr4.so (0x00110000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x004a1000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x007d0000)
	libcom_err.so.2 => /lib/libcom_err.so.2 (0x00b3e000)
	libpcre.so.0 => /lib/libpcre.so.0 (0x0026f000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x007b4000)
	libc.so.6 => /lib/libc.so.6 (0x00d18000)
	libsmime3.so => /usr/lib/libsmime3.so (0x00149000)
	libsoftokn3.so => /usr/lib/libsoftokn3.so (0x003fc000)
	libdl.so.2 => /lib/libdl.so.2 (0x00645000)
	libresolv.so.2 => /lib/libresolv.so.2 (0x00171000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00890000)
	libnssutil3.so => /usr/lib/libnssutil3.so (0x0061e000)
	libz.so.1 => /lib/libz.so.1 (0x00835000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00186000)
	libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x001fa000)
	/lib/ld-linux.so.2 (0x006c2000)
	libselinux.so.1 => /lib/libselinux.so.1 (0x00cab000)
	libsepol.so.1 => /lib/libsepol.so.1 (0x00220000)

Comment 9 Rich Megginson 2011-12-19 17:26:19 UTC
Maybe selinux?  try
setenforce Permissive
also check /var/log/messages, /var/log/audit/audit.log, and dmesg AVC messages related to slapd

Comment 10 David Spurek 2013-02-07 10:48:52 UTC
The problem is with the 389-ds-base-libs package.

When the 389-ds-base-libs package is installed on the system and the 389-ds-base package is installed later, the problem appears.

If the 389-ds-base-libs package is installed together with the 389-ds-base package, the setup script passes correctly.

Comment 11 David Spurek 2013-02-07 10:55:47 UTC
Created attachment 915669
Comment

(This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).

Comment 12 Nathan Kinder 2013-02-07 16:34:46 UTC
What does 'ldd /usr/bin/pwdhash-bin' show?

Comment 13 Rich Megginson 2013-02-07 17:20:04 UTC
I don't see any AVC messages for slapd?  I don't understand what the problem is.  You should always install 389-ds-base, and when you do yum install 389-ds-base, it will automatically install 389-ds-base-libs due to the Requires.

Can we close this as NOTABUG?

Comment 14 David Spurek 2013-02-11 10:55:27 UTC
Yes, I agree that yum install 389-ds-base automatically installs 389-ds-base-libs, but yum remove 389-ds-base removes only 389-ds-base and not 389-ds-base-libs as a dependency. If I try to install 389-ds-base again, 389-ds-base-libs is installed on the system and then the error with /usr/sbin/setup-ds-admin.pl appears.

Comment 15 David Spurek 2013-02-11 11:29:29 UTC
(In reply to comment #11)

I see the AVC messages (in comment #11) after running /usr/sbin/setup-ds-admin.pl (even if the script passes correctly).

Here is an expect script for setup-ds; maybe it will be useful for you:


spawn /usr/sbin/setup-ds-admin.pl
expect "Would you like to continue with set up?" { send "yes\r" }
expect "Do you agree to the license terms?" { send "yes\r" }
expect "Would you like to continue?" { send "yes\r" }
expect "Choose a setup type" { send "2\r" }
# Tcl does not expand shell backticks; use exec to obtain the host name
expect "Computer name" { send "[exec hostname]\r" }
expect "System User" { send "nobody\r" }
expect "System Group" { send "nobody\r" }
expect "configuration directory server?" { send "no\r" }

expect "administrator ID" {
  send "admin\r"
  expect "Password:" {
    send "foobartmp\r"
    expect "Password (confirm):" {
      send "foobartmp\r"
    }
  }
}

expect "Administration Domain" { send "foobar.com\r" }
expect "Directory server network port" { send "389\r" }
expect "Directory server identifier" { send "foobar\r" }
expect "Suffix" { send "dc=foo,dc=bar,dc=com\r" }

expect "Directory Manager DN" { 
  send "cn=Manager\r"
  expect "Password:" {
    send "foobartmp\r"
    expect "Password (confirm):" {
      send "foobartmp\r"
    }
  }
}

expect "Administration port" { send "9830\r" }

set timeout 120
expect "Are you ready to set up your servers?" { send "yes\r" }
expect "Log file is" { exit 0 }

exit 1

Comment 16 Rich Megginson 2013-02-11 15:13:51 UTC
(In reply to comment #14)
> Yes, I agree that yum install 389-ds-base automatically installs
> 389-ds-base-libs, but yum remove 389-ds-base removes only 389-ds-base and
> not 389-ds-base-libs as a dependency. If I try to install 389-ds-base
> again, 389-ds-base-libs is installed on the system and then the error with
> /usr/sbin/setup-ds-admin.pl appears.

If you can figure out a way to make 

yum install 389-ds-base

automatically install the dependency of 389-ds-base-libs

AND

make 

yum erase 389-ds-base

automatically erase 389-ds-base-libs, I can make the changes to the spec files.  But afaik, this is not possible with yum/rpm.

As for the AVC messages - afaict, there are no slapd related AVC messages.

So I would like to close this bug as NOTABUG.  OK?

Comment 17 Milos Malik 2013-02-13 08:35:33 UTC
The AVCs mentioned in comment #11 appear because the following tools are executed:
 * semodule
 * restorecon or fixfiles

These tools are executed, for example, in postinstall scripts. To avoid such AVCs you should use the close-on-exec flag wherever possible.

Here is a nice article written by Dan Walsh about this topic:
Excuse me son, but your code is leaking !!!
http://danwalsh.livejournal.com/53603.html

Comment 18 Rich Megginson 2013-02-13 18:23:06 UTC
(In reply to comment #17)
> The AVCs mentioned in comment #11 appear because the following tools are
> executed:
>  * semodule
>  * restorecon or fixfiles
> 
> These tools are executed, for example, in postinstall scripts. To avoid such
> AVCs you should use the close-on-exec flag wherever possible.
> 
> Here is a nice article written by Dan Walsh about this topic:
> Excuse me son, but your code is leaking !!!
> http://danwalsh.livejournal.com/53603.html

All of our setup code is in perl.  According to all of the perl documentation I have seen, perl automatically sets close-on-exec for all file descriptors except for stdin, stdout, and stderr - and for some of the perl constructs we use e.g.

            # check if the port is already labeled properly
            my $portline = `semanage port -l | grep ldap_port_t | grep tcp`;

we have to have the stdout of the child open to read the result.
For other things we don't need any FDs:
            system("restorecon -R $localstatedir/dirsrv");

So is selinux really complaining about leaked stdin/stdout/stderr?  If so, there are some tricks we can play with the perl $^F variable.
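
The descriptor inheritance discussed in comments 17 and 18, as an added example (not part of the thread and not 389 setup code). It is written in Python rather than the Perl of the setup scripts; Python 3.4+ opens descriptors non-inheritable by default, so the leak is simulated by clearing FD_CLOEXEC explicitly, and the names `inheritable_fds`, `child_sees` and `demo` are made up for the illustration.

```python
import os
import subprocess
import sys
import tempfile

# Probe run in the child: exit 0 only if descriptor argv[1] is open AND refers
# to the same file (device, inode) the parent had open under that number.
PROBE = """
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)          # EBADF: the descriptor was closed at exec time
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def inheritable_fds(limit=1024):
    """List open descriptors above stderr that would survive an exec()."""
    found = []
    for fd in range(3, limit):
        try:
            if os.get_inheritable(fd):   # True when FD_CLOEXEC is not set
                found.append(fd)
        except OSError:
            pass                         # descriptor number not in use
    return found


def child_sees(fd):
    """Spawn a child without the blanket close_fds cleanup and probe `fd`."""
    st = os.fstat(fd)
    argv = [sys.executable, "-c", PROBE, str(fd), str(st.st_dev), str(st.st_ino)]
    return subprocess.run(argv, close_fds=False).returncode == 0


def demo():
    # The temporary file stands in for a file the parent (for instance a
    # package manager) keeps open while it runs helper programs.
    with tempfile.TemporaryFile() as cache:
        fd = cache.fileno()

        os.set_inheritable(fd, True)     # FD_CLOEXEC cleared: the leaky state
        listed_before = fd in inheritable_fds()
        leaked = child_sees(fd)

        os.set_inheritable(fd, False)    # FD_CLOEXEC set: closed on exec
        listed_after = fd in inheritable_fds()
        blocked = not child_sees(fd)

    return {
        "listed_before": listed_before,
        "leaked_without_cloexec": leaked,
        "listed_after": listed_after,
        "blocked_with_cloexec": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Calling `inheritable_fds()` just before spawning a helper shows which descriptors that helper will receive in addition to stdin, stdout and stderr.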

Comment 19 Rich Megginson 2013-02-16 00:22:39 UTC
Upstream ticket:
https://fedorahosted.org/389/ticket/586

Comment 20 mreynolds 2013-04-11 15:42:25 UTC
Update:

I can't reproduce any errors during install on rhel 6.3 running 389-ds-base-1.2.10.2-15.el6.x86_64.

This is what I did:

[root@cisco-c22m3-01 ~]# getenforce
Enforcing

[1] yum install 389-ds-base

    this installs 389-ds-base-libs 

[2] yum erase 389-ds-base

    this leaves 389-ds-base-libs intact. 

[3] yum install 389-ds-base
[4] yum install 389-admin
[5] setup-ds-admin.pl

I also tried without 389-admin (step 4), and just running setup-ds.pl.

They both work, and there are no SELinux errors in the audit.log.


Appears to be platform specific.

Comment 21 mreynolds 2013-04-11 15:45:33 UTC
Milos,

There is a new version that should work at: http://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/389-ds-base.html

Can you test this?

Thanks,
Mark

Comment 22 mreynolds 2013-04-19 14:46:20 UTC
Any update?  I will give this a few more days then I will close this bug/ticket.

Comment 23 Milos Malik 2013-04-19 15:21:27 UTC
# rpm -qa 389\*
389-adminutil-1.1.15-1.el5
389-ds-base-libs-1.2.10.14-2.el5
389-admin-1.1.29-1.el5
389-ds-base-1.2.10.14-2.el5
# rpm -qa selinux-policy\*
selinux-policy-mls-2.4.6-338.el5
selinux-policy-strict-2.4.6-338.el5
selinux-policy-devel-2.4.6-338.el5
selinux-policy-2.4.6-338.el5
selinux-policy-targeted-2.4.6-338.el5
selinux-policy-minimum-2.4.6-338.el5
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
# tail -n 22 /var/log/yum.log 
Apr 10 15:47:33 Installed: perl-Net-DNS-0.59-3.el5.i386
Apr 10 15:47:38 Installed: spamassassin-3.3.1-2.el5.i386
Apr 19 16:55:40 Installed: libicu-3.6-5.16.1.i386
Apr 19 16:55:41 Installed: perl-Mozilla-LDAP-1.5.2-4.el5.i386
Apr 19 16:55:43 Installed: apr-1.2.7-11.el5_6.5.i386
Apr 19 16:55:44 Installed: apr-util-1.2.7-11.el5_5.2.i386
Apr 19 16:55:51 Installed: httpd-2.2.3-74.el5.i386
Apr 19 16:55:55 Installed: mod_nss-1.0.8-7.el5.i386
Apr 19 16:55:57 Installed: 389-adminutil-1.1.15-1.el5.i386
Apr 19 16:55:58 Installed: 389-ds-base-libs-1.2.10.14-2.el5.i386
Apr 19 16:55:59 Installed: mozldap-tools-6.0.5-2.el5.i386
Apr 19 16:56:00 Installed: cyrus-sasl-gssapi-2.1.22-7.el5_8.1.i386
Apr 19 16:56:59 Installed: 389-ds-base-1.2.10.14-2.el5.i386
Apr 19 16:57:52 Installed: 389-admin-1.1.29-1.el5.i386
Apr 19 16:57:52 Installed: httpd-2.2.3-74.el5.i386
Apr 19 16:57:52 Installed: 389-ds-base-1.2.10.14-2.el5.i386
Apr 19 16:57:52 Installed: 389-admin-1.1.29-1.el5.i386
Apr 19 17:09:42 Updated: rhts-python-4.55-1.el5.noarch
Apr 19 17:09:43 Updated: rhts-test-env-4.55-1.el5.noarch
Apr 19 17:09:45 Updated: beaker-0.12.0-2.el5.noarch
Apr 19 17:09:48 Updated: beaker-client-0.12.0-2.el5.noarch
Apr 19 17:09:49 Updated: rhts-devel-4.55-1.el5.noarch
#

The following AVCs appeared today around 16:57, which is the time when the 389-ds-base package was being installed. Because these audit records contain "success=yes" I still believe this is a leaked file descriptor problem.

# ausearch -m avc -ts today -i
----
type=SYSCALL msg=audit(04/19/2013 16:57:04.145:426) : arch=i386 syscall=execve success=yes exit=0 a0=92f9d30 a1=92f9e48 a2=92f8dd8 a3=0 items=0 ppid=17739 pid=17740 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=semodule exe=/usr/sbin/semodule subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/qa-tools/filelists.xml.gz.sqlite dev=vda3 ino=590550 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/epel/d3b68d02bc09cb27762c494cbb06cb40b29f931d-filelists.sqlite dev=vda3 ino=492188 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/beaker-client/49818a7ebdf156482f420c00eac5de4b80bfac4e-filelists.xml.gz.sqlite dev=vda3 ino=65674 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-VT/filelists.xml.gz.sqlite dev=vda3 ino=492186 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-Server/filelists.xml.gz.sqlite dev=vda3 ino=492183 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-ClusterStorage/filelists.xml.gz.sqlite dev=vda3 ino=492171 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-Cluster/filelists.xml.gz.sqlite dev=vda3 ino=492169 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/qa-tools/primary.xml.gz.sqlite dev=vda3 ino=590547 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/epel/a0cf90138986d7899e21a257400ecafb23a6533b-primary.sqlite dev=vda3 ino=492168 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/beaker-client/6b96c3842ff287871926040b34f200858819313e-primary.xml.gz.sqlite dev=vda3 ino=65672 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-VT/primary.xml.gz.sqlite dev=vda3 ino=491955 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-Server/primary.xml.gz.sqlite dev=vda3 ino=491946 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-ClusterStorage/primary.xml.gz.sqlite dev=vda3 ino=491939 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:04.145:426) : avc:  denied  { write } for  pid=17740 comm=semodule path=/var/cache/yum/RHEL-5.9-Cluster/primary.xml.gz.sqlite dev=vda3 ino=491927 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/19/2013 16:57:34.980:427) : arch=i386 syscall=execve success=yes exit=0 a0=9c4a190 a1=f9e97f8 a2=0 a3=0 items=0 ppid=17740 pid=17746 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=setfiles exe=/sbin/setfiles subj=root:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:34.980:427) : avc:  denied  { read } for  pid=17746 comm=setfiles path=/var/cache/yum/epel/packages/389-admin-1.1.29-1.el5.i386.rpm dev=vda3 ino=492201 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/19/2013 16:57:36.006:428) : arch=i386 syscall=execve success=yes exit=0 a0=8fe7d50 a1=8fe7e68 a2=8fe6de0 a3=0 items=0 ppid=17752 pid=17753 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=semodule exe=/usr/sbin/semodule subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/qa-tools/filelists.xml.gz.sqlite dev=vda3 ino=590550 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/epel/d3b68d02bc09cb27762c494cbb06cb40b29f931d-filelists.sqlite dev=vda3 ino=492188 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/beaker-client/49818a7ebdf156482f420c00eac5de4b80bfac4e-filelists.xml.gz.sqlite dev=vda3 ino=65674 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-VT/filelists.xml.gz.sqlite dev=vda3 ino=492186 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-Server/filelists.xml.gz.sqlite dev=vda3 ino=492183 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-ClusterStorage/filelists.xml.gz.sqlite dev=vda3 ino=492171 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-Cluster/filelists.xml.gz.sqlite dev=vda3 ino=492169 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/qa-tools/primary.xml.gz.sqlite dev=vda3 ino=590547 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/epel/a0cf90138986d7899e21a257400ecafb23a6533b-primary.sqlite dev=vda3 ino=492168 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/beaker-client/6b96c3842ff287871926040b34f200858819313e-primary.xml.gz.sqlite dev=vda3 ino=65672 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-VT/primary.xml.gz.sqlite dev=vda3 ino=491955 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-Server/primary.xml.gz.sqlite dev=vda3 ino=491946 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-ClusterStorage/primary.xml.gz.sqlite dev=vda3 ino=491939 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:36.006:428) : avc:  denied  { write } for  pid=17753 comm=semodule path=/var/cache/yum/RHEL-5.9-Cluster/primary.xml.gz.sqlite dev=vda3 ino=491927 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/19/2013 16:57:50.806:432) : arch=i386 syscall=execve success=yes exit=0 a0=8b60190 a1=b245a20 a2=0 a3=0 items=0 ppid=17753 pid=17764 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=setfiles exe=/sbin/setfiles subj=root:system_r:setfiles_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:50.806:432) : avc:  denied  { read } for  pid=17764 comm=setfiles path=/var/cache/yum/epel/packages/389-admin-1.1.29-1.el5.i386.rpm dev=vda3 ino=492201 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/19/2013 16:57:49.834:429) : arch=i386 syscall=execve success=yes exit=0 a0=8b603f0 a1=8bb9c78 a2=0 a3=0 items=0 ppid=17753 pid=17759 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=load_policy exe=/usr/sbin/load_policy subj=root:system_r:load_policy_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:49.834:429) : avc:  denied  { read } for  pid=17759 comm=load_policy path=/var/cache/yum/epel/packages/389-admin-1.1.29-1.el5.i386.rpm dev=vda3 ino=492201 scontext=root:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:49.834:429) : avc:  denied  { append } for  pid=17759 comm=load_policy path=/var/log/yum.log dev=vda3 ino=491922 scontext=root:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:49.834:429) : avc:  denied  { append } for  pid=17759 comm=load_policy path=/var/log/rhsm/rhsm.log dev=vda3 ino=492162 scontext=root:system_r:load_policy_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rhsmcertd_log_t:s0 tclass=file 
----
type=SYSCALL msg=audit(04/19/2013 16:57:51.729:433) : arch=i386 syscall=execve success=yes exit=0 a0=8fbfc98 a1=8fb4cd8 a2=8fb4fc0 a3=40 items=0 ppid=17771 pid=17790 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10 comm=restorecon exe=/sbin/restorecon subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read } for  pid=17790 comm=restorecon path=/var/cache/yum/epel/packages/389-admin-1.1.29-1.el5.i386.rpm dev=vda3 ino=492201 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/qa-tools/filelists.xml.gz.sqlite dev=vda3 ino=590550 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/epel/d3b68d02bc09cb27762c494cbb06cb40b29f931d-filelists.sqlite dev=vda3 ino=492188 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/beaker-client/49818a7ebdf156482f420c00eac5de4b80bfac4e-filelists.xml.gz.sqlite dev=vda3 ino=65674 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-VT/filelists.xml.gz.sqlite dev=vda3 ino=492186 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-Server/filelists.xml.gz.sqlite dev=vda3 ino=492183 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-ClusterStorage/filelists.xml.gz.sqlite dev=vda3 ino=492171 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-Cluster/filelists.xml.gz.sqlite dev=vda3 ino=492169 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/qa-tools/primary.xml.gz.sqlite dev=vda3 ino=590547 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/epel/a0cf90138986d7899e21a257400ecafb23a6533b-primary.sqlite dev=vda3 ino=492168 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/beaker-client/6b96c3842ff287871926040b34f200858819313e-primary.xml.gz.sqlite dev=vda3 ino=65672 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-VT/primary.xml.gz.sqlite dev=vda3 ino=491955 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-Server/primary.xml.gz.sqlite dev=vda3 ino=491946 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-ClusterStorage/primary.xml.gz.sqlite dev=vda3 ino=491939 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
type=AVC msg=audit(04/19/2013 16:57:51.729:433) : avc:  denied  { read write } for  pid=17790 comm=restorecon path=/var/cache/yum/RHEL-5.9-Cluster/primary.xml.gz.sqlite dev=vda3 ino=491927 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file 
----
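
The reasoning in comment 23 (an execve that succeeded yet carries AVC denials in the same audit event points at inherited descriptors) as a triage script; this is an added example, not part of the thread. The log lines in `SAMPLE` are constructed in the same `ausearch -m avc -i` layout, and the function names are hypothetical.

```python
import re

# Constructed sample: event numbers, PIDs, paths and the "exampled" daemon
# are made up; only the record layout follows the output quoted above.
SAMPLE = """\
----
type=SYSCALL msg=audit(04/19/2013 16:57:04.145:901) : arch=i386 syscall=execve success=yes exit=0 ppid=2000 pid=2001 comm=semodule exe=/usr/sbin/semodule subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/19/2013 16:57:04.145:901) : avc:  denied  { write } for  pid=2001 comm=semodule path=/var/cache/yum/example-repo/primary.sqlite dev=vda3 ino=1001 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
type=AVC msg=audit(04/19/2013 16:57:04.145:901) : avc:  denied  { write } for  pid=2001 comm=semodule path=/var/cache/yum/example-repo/filelists.sqlite dev=vda3 ino=1002 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
----
type=SYSCALL msg=audit(04/19/2013 16:58:10.000:902) : arch=i386 syscall=open success=no exit=-13(Permission denied) ppid=1 pid=2010 comm=exampled exe=/usr/sbin/exampled subj=system_u:system_r:exampled_t:s0 key=(null)
type=AVC msg=audit(04/19/2013 16:58:10.000:902) : avc:  denied  { read } for  pid=2010 comm=exampled name=secret.conf dev=vda3 ino=1003 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
type=SYSCALL msg=audit(04/19/2013 16:58:51.729:903) : arch=i386 syscall=execve success=yes exit=0 ppid=2020 pid=2021 comm=restorecon exe=/sbin/restorecon subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/19/2013 16:58:51.729:903) : avc:  denied  { read write } for  pid=2021 comm=restorecon path=/var/cache/yum/example-repo/filelists.sqlite dev=vda3 ino=1002 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file
----
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\) : (.*)$")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \} for\s+(.*)$")


def kv(text):
    """Split 'a=1 b=2' into a dict (values containing spaces are not handled)."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_events(text):
    """Group SYSCALL and AVC records by the audit event serial number."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                      # separators and other noise
        rtype, _stamp, serial, body = m.groups()
        ev = events.setdefault(serial, {"syscall": None, "avcs": []})
        if rtype == "SYSCALL":
            ev["syscall"] = kv(body)
        elif rtype == "AVC":
            d = DENIED_RE.search(body)
            if d:
                info = kv(d.group(2))
                info["perms"] = d.group(1).split()
                ev["avcs"].append(info)
    return events


def leaked_fd_candidates(text):
    """Events where execve succeeded but denials were logged in the same event."""
    findings = []
    for serial, ev in parse_events(text).items():
        sc = ev["syscall"]
        if not sc or sc.get("syscall") != "execve" or sc.get("success") != "yes":
            continue                      # a failed syscall is an ordinary denial
        if not ev["avcs"]:
            continue
        findings.append({
            "event": serial,
            "comm": sc.get("comm"),
            "domain": selinux_type(sc.get("subj", "")),
            "denials": [
                {"perms": a["perms"],
                 "path": a.get("path") or a.get("name"),
                 "target_type": selinux_type(a.get("tcontext", "")),
                 "tclass": a.get("tclass")}
                for a in ev["avcs"]
            ],
        })
    return findings


if __name__ == "__main__":
    for f in leaked_fd_candidates(SAMPLE):
        print(f"event {f['event']}: {f['comm']} ({f['domain']}) "
              f"inherited {len(f['denials'])} denied descriptor(s)")
        for d in f["denials"]:
            print(f"    {'/'.join(d['perms'])} on {d['path']} [{d['target_type']}]")
```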

Comment 24 mreynolds 2013-08-12 19:39:27 UTC
So 1.2.10 is not being maintained anymore, only the current release 1.2.11.

In my testing I do not see these errors with these current versions:

 Tested 1.2.11.15-20 on RHEL 6.2:

   389-ds-base-1.2.11.15-20.el6_4.x86_64
   389-ds-base-libs-1.2.11.15-20.el6_4.x86_64
   389-admin-1.1.34-1.el6.x86_64
   selinux-policy-3.7.19-195.el6_4.12.noarch

 Tested 1.3.0.6-1 on Fedora 18 with:

   389-ds-base-1.3.0.6-1.fc18.x86_64
   389-ds-base-libs-1.3.0.6-1.fc18.x86_64
   389-admin-1.1.31-1.fc18.1.x86_64
   selinux-policy-3.11.1-97.fc18.noarch


I've retested yum installing/erasing/reinstalling the packages as described in this bug, and then rerunning setup-ds-admin.pl, etc.  I cannot generate any selinux error messages (or anything else besides a load policy msg) installing admin server/DS.  So this appears to only happen running el5 and 1.2.10.x and earlier.

Unfortunately since 1.2.11 works, there is not too much we can do for this issue on 1.2.10 (and earlier).

Comment 25 Nathan Kinder 2013-12-18 19:47:10 UTC
This was fixed for EPEL5 in 389-ds-base-1.2.11.25-1.el5.

