Description of problem:
Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs. The label should be slapd_cert_t, but now is:

matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:etc_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-154.el6

How reproducible:
always

Actual results:
matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:etc_t:s0

Expected results:
matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:slapd_cert_t:s0

Additional info:
# sesearch -s slapd_t -t slapd_cert_t --allow -C
Found 7 semantic av rules:
   allow slapd_t cert_type : file { ioctl read getattr lock open } ;
   allow slapd_t cert_type : dir { ioctl read getattr lock search open } ;
   allow slapd_t cert_type : lnk_file { read getattr } ;
   allow slapd_t file_type : filesystem getattr ;
   allow slapd_t slapd_cert_t : file { ioctl read getattr lock open } ;
   allow slapd_t slapd_cert_t : dir { ioctl read getattr lock search open } ;
   allow slapd_t slapd_cert_t : lnk_file { read getattr } ;
#
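As an added example (not from this report or the selinux-policy package), the following POSIX shell script checks the context the loaded policy assigns to both OpenLDAP certificate directories and, until the fixed policy is installed, stages the usual local fcontext override; the function names are the example's own and it assumes the standard matchpathcon, semanage and restorecon tools.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package.
# Checks the file context the loaded policy assigns to the OpenLDAP
# certificate directories and, until the fixed policy is installed, stages
# the local fcontext workaround. Function names are this example's own.

EXPECTED_TYPE=slapd_cert_t
CERT_DIRS="/etc/openldap/certs /etc/openldap/cacerts"

# Type field of a context such as system_u:object_r:etc_t:s0 -> etc_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fcontext regex covering a directory and everything below it
fcontext_spec() {
    printf '%s(/.*)?\n' "$1"
}

# Takes one line of `matchpathcon PATH` output ("PATH<tab>CONTEXT");
# succeeds only when the type is EXPECTED_TYPE.
label_ok() {
    ctx=$(printf '%s\n' "$1" | awk '{print $NF}')
    [ "$(context_type "$ctx")" = "$EXPECTED_TYPE" ]
}

# Query the live policy for each directory; non-zero if any is mislabeled.
check_openldap_certs() {
    rc=0
    for p in $CERT_DIRS; do
        line=$(matchpathcon "$p") || { echo "matchpathcon failed: $p" >&2; rc=1; continue; }
        if label_ok "$line"; then echo "OK  $line"; else echo "BAD $line (want $EXPECTED_TYPE)"; rc=1; fi
    done
    return $rc
}

# Local override: add the rules to the local fcontext store, then relabel.
apply_workaround() {
    for p in $CERT_DIRS; do
        semanage fcontext -a -t "$EXPECTED_TYPE" "$(fcontext_spec "$p")" || return 1
    done
    restorecon -Rv $CERT_DIRS
}

case "${1:-}" in
    --check) check_openldap_certs ;;
    --fix)   apply_workaround ;;
esac
```

Run with `--check` to report mismatches, `--fix` (as root) to add the local rules and relabel; the local rules can be removed with `semanage fcontext -d` once the errata policy ships the correct default.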
What does
# rpm -qf /etc/openldap
# rpm -qf /etc/openldap/certs
# rpm -qf /etc/openldap
openldap-2.4.23-26.el6.i686
# rpm -qf /etc/openldap/certs
openldap-2.4.23-26.el6.i686
#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html