<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/19/2010 08:47 AM, Aaron Hagopian wrote:
<blockquote
cite="mid:AANLkTikQPd0w0d94m8dq7TAO0U8KPJtxU5DSkiUxmbx_@mail.gmail.com"
type="cite">Ok this time I think I have hit a legit issue with SELinux
and 1.2.6 RC3. On my workstation to sync up my ldap server with
production I take a ldif dump from production and load it into my
system with the <a moz-do-not-send="true" href="http://ldif2db.pl">ldif2db.pl</a>
script. For versions 1.2.5 and previous that ldif file could be
located anywhere that was readable to the "nobody" user. Since
upgrading, I try to use the same command and get denied because of
SELinux.
<div><br>
</div>
<div>My real question here is what is an acceptable directory? I
thought for sure the /var/lib/dirsrv/slapd-&lt;instance&gt;/ldif/
directory would be acceptable but I get a "SELinux is preventing
/usr/sbin/ns-slapd "read" access on ..." message no matter where I
place the LDIF file.</div>
</blockquote>
How did you create the ldif file in
"/var/lib/dirsrv/slapd-&lt;instance&gt;/ldif/"? Did you move the ldif
file there from elsewhere on your system? That could explain why your
ldif file has an incorrect context of "var_t".<br>
<br>
Try creating a new file in
"/var/lib/dirsrv/slapd-&lt;instance&gt;/ldif/" using 'touch', then run
'ls -lZ' to see what the SELinux context is on that new file. It
should be "dirsrv_var_lib_t".<br>
<br>
-NGK<br>
<blockquote
cite="mid:AANLkTikQPd0w0d94m8dq7TAO0U8KPJtxU5DSkiUxmbx_@mail.gmail.com"
type="cite">
<div>
<div><br>
</div>
<div>Attached is the full SELinux error.</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
Aaron</div>
<div><br>
</div>
<br>
<div class="gmail_quote">On Fri, Jul 16, 2010 at 8:49 AM, Aaron
Hagopian <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:airhead1@gmail.com">airhead1@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">As
I was looking up the version number of admin I noticed that I had only
updated 389-ds* and not 389* so the 389-admin* packages were
mismatched. Once I upgraded everything to what was in updates-testing
no more selinux messages, sorry about the confusion.
<div><br>
</div>
<div>Aaron<br>
<br>
<div class="gmail_quote">2010/7/15 Nathan Kinder <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:nkinder@redhat.com" target="_blank">nkinder@redhat.com</a>></span>
<div>
<div class="h5"><br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>On 07/15/2010 09:12 AM, Aaron Hagopian wrote:
<blockquote type="cite">I upgraded my fedora 13 x86_64 machine to
the RC3 using
the rpms in updates-testing and now I cannot start the admin server
with selinux enabled. I am attaching the selinux message. It does
start when I disable selinux.</blockquote>
</div>
What version of 389-admin are you running?<br>
<br>
I'd also like to see the output of 'semodule -l | grep 389' from your
system.<br>
<br>
-NGK
<div>
<div><br>
<blockquote type="cite">
<div><br>
</div>
<div><br>
<div class="gmail_quote">On Tue, Jul 6, 2010 at 2:38 PM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">The
389
team is pleased to announce the availability of Release<br>
Candidate 3 of version 1.2.6. This release has a few bug fixes.<br>
<br>
***We need your help! Please help us test this software.*** It is a<br>
release candidate, so it may have a few glitches, but it has been tested<br>
for regressions and for new feature bugs. The Fedora system<br>
strongly encourages packages to be in Testing until verified and pushed<br>
to Stable. If we don't get any feedback while the packages are in<br>
Testing, the packages will remain in limbo, or get pushed to Stable.<br>
<br>
The more testing we get, the faster we can release these packages to<br>
Stable. See the Release Notes for information about how to provide<br>
testing feedback (or just send an email to<br>
<a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>).<br>
<br>
The packages that need testing are:<br>
* 389-ds-base-1.2.6.rc3 - 389-ds-base<br>
<br>
More information<br>
* Release Notes - <a moz-do-not-send="true"
href="http://port389.org/wiki/Release_Notes" target="_blank">http://port389.org/wiki/Release_Notes</a><br>
* Install_Guide - <a moz-do-not-send="true"
href="http://port389.org/wiki/Install_Guide" target="_blank">http://port389.org/wiki/Install_Guide</a><br>
* Download - <a moz-do-not-send="true"
href="http://port389.org/wiki/Download" target="_blank">http://port389.org/wiki/Download</a><br>
<br>
=== Bugs Fixed ===<br>
This release contains a couple of bug fixes. The complete list of bugs<br>
fixed is found at the link below. Note that bugs marked as MODIFIED<br>
have been fixed but are still in testing.<br>
* Tracking bug for 1.2.6 release -<br>
<a moz-do-not-send="true"
href="https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0"
target="_blank">https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0</a><br>
** Bug 606920 - anonymous resource limit - nstimelimit - also applied<br>
to "cn=directory manager"<br>
** Bug 604453 - SASL Stress and Server crash: Program quits with the<br>
assertion failure in PR_Poll<br>
** Bug 605827 - In-place upgrade: upgrade dn format should not run in<br>
<a moz-do-not-send="true" href="http://setup-ds-admin.pl"
target="_blank">setup-ds-admin.pl</a><br>
** Bug 578296 - Attribute type entrydn needs to be added when subtree<br>
rename switch is on<br>
** Bug 609256 - Selinux: pwdhash fails if called via Admin Server CGI<br>
** Bug 603942 - null deref in _ger_parse_control() for subjectdn<br>
<font color="#888888"><br>
--<br>
389 users mailing list<br>
<a moz-do-not-send="true"
href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
<a moz-do-not-send="true"
href="https://admin.fedoraproject.org/mailman/listinfo/389-users"
target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</font></blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
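Added example, not part of the original thread or of the 389 project's code: a shell filter over 'ls -lZ' output that lists every file whose SELinux type is not the "dirsrv_var_lib_t" the reply above expects, which is what an LDIF file moved in from elsewhere looks like. The sample listing, the file names and the INSTANCE placeholder are constructed for illustration.<br>
<pre>
```shell
#!/bin/sh
# Type the reply says a file created in the instance ldif directory gets.
EXPECTED_TYPE="dirsrv_var_lib_t"

# Print the type (third field) of a user:role:type[:level] context string.
selinux_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Live check on an SELinux-enabled host: type of one file via GNU stat.
file_type() {
    selinux_type "$(stat -c %C -- "$1")"
}

# Read `ls -lZ` lines on stdin and print "name type" for each entry whose
# type differs from $1. The context is found as the field holding at least
# two colons, scanning right to left and skipping the file name, so both
# the old (mode user group context name) and the newer long layout work.
mislabeled() {
    awk -v want="$1" '
        {
            type = ""
            for (i = NF - 1; i >= 1; i--)
                if (split($i, p, ":") >= 3) { type = p[3]; break }
            if (type == "") next          # "total N" line or unlabeled entry
            if (type != want) print $NF, type
        }'
}

# Constructed sample: prod.ldif was moved in and kept var_t; touched.ldif
# was created in place and inherited the directory type.
sample_listing() {
    printf '%s\n' \
      'total 8' \
      '-rw-r--r--. 1 nobody nobody unconfined_u:object_r:var_t:s0 5120 Jul 19 08:40 prod.ldif' \
      '-rw-r--r--. 1 nobody nobody unconfined_u:object_r:dirsrv_var_lib_t:s0 0 Jul 19 08:52 touched.ldif'
}

# On a real host (INSTANCE is a placeholder for the instance name):
#   ls -lZ /var/lib/dirsrv/slapd-INSTANCE/ldif | mislabeled "$EXPECTED_TYPE"
#   restorecon -v /var/lib/dirsrv/slapd-INSTANCE/ldif/prod.ldif
# restorecon resets the label to the policy default for that path.
sample_listing | mislabeled "$EXPECTED_TYPE"
```
</pre>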
</body>
</html>