OK, this time I think I have hit a legit issue with SELinux and 1.2.6 RC3. On my workstation, to sync up my LDAP server with production, I take an LDIF dump from production and load it into my system with the ldif2db.pl script. For versions 1.2.5 and previous, that LDIF file could be located anywhere that was readable to the "nobody" user. Since upgrading, I try to use the same command and get denied because of SELinux. <div>
<br></div><div>My real question here is what is an acceptable directory? I thought for sure the /var/lib/dirsrv/slapd-&lt;instance&gt;/ldif/ directory would be acceptable but I get a "SELinux is preventing /usr/sbin/ns-slapd "read" access on ..." message no matter where I place the LDIF file.<div>
<br></div><div>Attached is the full SELinux error.</div><div><br></div><div>Thanks,</div><div><br>Aaron</div><div><br></div><br><div class="gmail_quote">On Fri, Jul 16, 2010 at 8:49 AM, Aaron Hagopian <span dir="ltr"><<a href="mailto:airhead1@gmail.com">airhead1@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">As I was looking up the version number of admin, I noticed that I had only updated 389-ds* and not 389*, so the 389-admin* packages were mismatched. Once I upgraded everything to what was in updates-testing, there were no more SELinux messages. Sorry about the confusion.<div>
<br></div><div>Aaron<br><br><div class="gmail_quote">2010/7/15 Nathan Kinder <span dir="ltr"><<a href="mailto:nkinder@redhat.com" target="_blank">nkinder@redhat.com</a>></span><div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div>
On 07/15/2010 09:12 AM, Aaron Hagopian wrote:
<blockquote type="cite">I upgraded my Fedora 13 x86_64 machine to the RC3 using
the RPMs in updates-testing and now I cannot start the admin server
with SELinux enabled. I am attaching the SELinux message. It does
start when I disable SELinux.</blockquote></div>
What version of 389-admin are you running?<br>
<br>
I'd also like to see the output of 'semodule -l | grep 389' from your
system.<br>
<br>
-NGK<div><div></div><div><br>
<blockquote type="cite">
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Tue, Jul 6, 2010 at 2:38 PM, Rich
Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">The
389 team is pleased to announce the availability of Release<br>
Candidate 3 of version 1.2.6. This release has a few bug fixes.<br>
<br>
***We need your help! Please help us test this software.*** It is a<br>
release candidate, so it may have a few glitches, but it has been tested<br>
for regressions and for new feature bugs. The Fedora system<br>
strongly encourages packages to be in Testing until verified and pushed<br>
to Stable. If we don't get any feedback while the packages are in<br>
Testing, the packages will remain in limbo, or get pushed to Stable.<br>
<br>
The more testing we get, the faster we can release these packages to<br>
Stable. See the Release Notes for information about how to provide<br>
testing feedback (or just send an email to<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>).<br>
<br>
The packages that need testing are:<br>
* 389-ds-base-1.2.6.rc3 - 389-ds-base<br>
<br>
More information<br>
* Release Notes - <a href="http://port389.org/wiki/Release_Notes" target="_blank">http://port389.org/wiki/Release_Notes</a><br>
* Install_Guide - <a href="http://port389.org/wiki/Install_Guide" target="_blank">http://port389.org/wiki/Install_Guide</a><br>
* Download - <a href="http://port389.org/wiki/Download" target="_blank">http://port389.org/wiki/Download</a><br>
<br>
=== Bugs Fixed ===<br>
This release contains a couple of bug fixes. The complete list of bugs<br>
fixed is found at the link below. Note that bugs marked as MODIFIED<br>
have been fixed but are still in testing.<br>
* Tracking bug for 1.2.6 release -<br>
<a href="https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0" target="_blank">https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0</a><br>
** Bug 606920 - anonymous resource limit - nstimelimit - also applied<br>
to "cn=directory manager"<br>
** Bug 604453 - SASL Stress and Server crash: Program quits with the<br>
assertion failure in PR_Poll<br>
** Bug 605827 - In-place upgrade: upgrade dn format should not run in<br>
setup-ds-admin.pl<br>
** Bug 578296 - Attribute type entrydn needs to be added when subtree<br>
rename switch is on<br>
** Bug 609256 - Selinux: pwdhash fails if called via Admin Server CGI<br>
** Bug 603942 - null deref in _ger_parse_control() for subjectdn<br>
<font color="#888888"><br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div></div></div><br></div>
</blockquote></div><br></div>