Bug 1514284 - Cannot start slapd
Summary: Cannot start slapd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-17 00:23 UTC by Marek Greško
Modified: 2018-01-10 02:05 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-10 02:05:34 UTC



Description Marek Greško 2017-11-17 00:23:24 UTC
Description of problem:
Slapd fails to start because of AVC:
avc:  denied  { map } for  pid=1782 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file permissive=1

(This log comes from permissive mode).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.14.fc27.noarch


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Fedora Update System 2017-11-20 13:12:37 UTC
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 2 Fedora Update System 2017-11-20 16:57:37 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Marek Greško 2017-11-20 20:47:13 UTC
The bug is not fixed in selinux-policy-targeted-3.13.1-283.16.fc27.noarch.

nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc:  denied  { getattr } for  pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan named[1761]: configuring command channel from '/etc/rndc.key'
nov 20 21:33:54 myhost.mydomain.lan named[1761]: command channel listening on ::1#953
nov 20 21:33:54 myhost.mydomain.lan named[1761]: could not open entropy source /dev/random: permission denied
nov 20 21:33:54 myhost.mydomain.lan named[1761]: using pre-chroot entropy source /dev/random
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc:  denied  { map } for  pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB0126 mmap: Permission denied
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_open: database "dc=mydomain,dc=lan" cannot be opened, err 13. Restore from backup!
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb(dc=mydomain,dc=lan): BDB1566 txn_checkpoint interface requires an environment configured for the transaction subsystem
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": txn_checkpoint failed: Invalid argument (22).
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: backend_startup_one (type=bdb, suffix="dc=mydomain,dc=lan"): bi_db_open failed! (13)
nov 20 21:33:54 myhost.mydomain.lan slapd[1787]: bdb_db_close: database "dc=mydomain,dc=lan": alock_close failed


There are also logs for an unrelated bug about named not being able to open /dev/random. Could you fix this also?

Comment 4 Lukas Vrabec 2017-11-21 13:49:32 UTC
Hmm, your system looks mislabeled.

Could you run: 

# restorecon -Rv / 

And then try to reproduce your issue. 

Thanks,
Lukas.

Comment 5 Marek Greško 2017-11-23 10:42:49 UTC
I did fixfiles -v -F / before the above report.

Comment 6 Marek Greško 2017-11-23 10:44:52 UTC
For me, scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 seems correct. Isn't it?
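
Added example, not part of the original thread or of the selinux-policy project: a small parser that splits the AVC records from the Comment 3 journal excerpt into their fields and separates a denial whose target label differs from the expected one (a relabel case) from one where the labels are as expected and the policy lacks the permission. The `EXPECTED_TYPE` table is an assumption standing in for what `matchpathcon` would report on the host.

```python
import re

# Journal lines copied from the excerpt in Comment 3 (two AVC records, one plain line).
SAMPLE_LOG = """\
nov 20 21:33:54 myhost.mydomain.lan audit[1761]: AVC avc:  denied  { getattr } for  pid=1761 comm="named" path="/dev/random" dev="dm-2" ino=262172 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=chr_file
nov 20 21:33:54 myhost.mydomain.lan named[1761]: could not open entropy source /dev/random: permission denied
nov 20 21:33:54 myhost.mydomain.lan audit[1787]: AVC avc:  denied  { map } for  pid=1787 comm="slapd" path="/var/lib/ldap/__db.001" dev="dm-2" ino=524309 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file
"""

# Assumption: expected target types, standing in for `matchpathcon` output.
EXPECTED_TYPE = {"/dev/random": "random_device_t", "/var/lib/ldap/": "slapd_db_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; type enforcement keys on the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """Type-enforcement rule that names the denied access."""
    return "allow %s %s:%s { %s };" % (
        rec["source_type"], rec["target_type"], rec["tclass"], " ".join(rec["perms"]))

def triage(rec):
    """'relabel' if the target type is not the expected one, else 'policy'."""
    for prefix, expected in EXPECTED_TYPE.items():
        if rec.get("path", "").startswith(prefix):
            return "policy" if rec["target_type"] == expected else "relabel"
    return "unknown"

def analyse(log):
    recs = [r for r in map(parse_avc, log.splitlines()) if r]
    return [(r["comm"], triage(r), allow_rule(r)) for r in recs]

if __name__ == "__main__":
    for comm, verdict, rule in analyse(SAMPLE_LOG):
        print(comm, verdict, rule)
```

For a `relabel` verdict the printed rule only identifies the access that was denied; the remedy there is restoring the file context, not adding the rule.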

Comment 7 Marek Greško 2017-11-23 11:56:31 UTC
Sorry, I meant
fixfiles -v -F relabel

Comment 8 Marek Greško 2017-12-01 17:42:34 UTC
Issue still persists with selinux-policy-targeted-3.13.1-283.17.fc27.noarch.

Comment 9 Marek Greško 2017-12-13 19:03:44 UTC
ping

Comment 10 Lukas Vrabec 2018-01-02 14:41:11 UTC
Marek, 

Could you try to reproduce this issue with selinux-policy-targeted-3.13.1-283.19.fc27.noarch? 

This build is in updates-testing repo. You can install it by:
# dnf update selinux-policy --enablerepo=updates-testing 

Lukas.

Comment 11 Marek Greško 2018-01-02 19:03:14 UTC
Hello Lukas,

thanks for the fix. It works.

# dnf update selinux-policy --enablerepo=updates-testing
# fixfiles -v -F relabel
# cd /var/named/chroot
# restorecon -R -v .     # see #1525641
# reboot

No complaints about slapd. Reverted to enforcing mode.

Marek

Comment 12 Fedora Update System 2018-01-04 12:08:49 UTC
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 13 Fedora Update System 2018-01-05 11:57:45 UTC
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 14 Fedora Update System 2018-01-05 14:47:37 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 15 Fedora Update System 2018-01-06 21:07:46 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 16 Fedora Update System 2018-01-10 02:05:34 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

