William,

~]# ls -alZ  /usr/sbin/ns-slapd
-rwxr-xr-x. 1 root root system_u:object_r:dirsrv_exec_t:s0 2182000 Jan  9 13:05 /usr/sbin/ns-slapd

Autorelabel worked for me.

About docker/podman, it's the next step for me.

Thanks.

On Wed, Jan 8, 2020 at 9:50 PM William Brown <wbrown@suse.de> wrote:


> On 9 Jan 2020, at 10:13, Alberto Viana <albertocrj@gmail.com> wrote:
>
> William,
>
> Built 389 by myself. Also created and loaded an SELinux module allowing the needed permissions. I just wonder if it is the right/best way to do that and if it is expected behavior.

CentOS should have an SELinux policy for ns-slapd out of the box, though. Can you do ls -alZ on /usr/sbin/ns-slapd for me?

You may find it could be as simple as "sudo touch /.autorelabel && sudo reboot" to fix the ns-slapd type to dirsrv, then ensure you use systemd to launch it.

If that doesn't work we can dig further.

Another piece of advice: if you want to run this "yourself", you could consider running it in docker/podman, as this will containerise SELinux for you and you will have a lot less work to make it work.

Hope that helps,


>
> Thanks
>
> Alberto Viana
>
> On Wed, Jan 8, 2020, 20:58 William Brown <wbrown@suse.de> wrote:
>
>
> > On 9 Jan 2020, at 01:20, Alberto Viana <albertocrj@gmail.com> wrote:
> >
> > Hi Guys,
> > 389-Directory/1.4.2.5.20200106gitd52700340 B2020.06.1337
> > CentOS8
> >
> > I'm getting these alarms due to SELinux:
> >
> > SELinux is preventing ns-slapd from getattr access on the directory /sys/fs/pstore.
> > SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/fs/bpf.
> > SELinux is preventing /usr/sbin/ns-slapd from getattr access on the directory /sys/kernel/config.
> > SELinux is preventing /usr/sbin/ns-slapd from read access on the lnk_file lock.
> > SELinux is preventing /usr/sbin/ns-slapd from using the ptrace access on a process.
> >
>
> To confirm, did you install this from the system RPMs or did you build it yourself?
>
> Thanks! 
>
> > What is the best approach to deal with this?
> >
> > Thanks
> >
> > Alberto Viana
> > _______________________________________________
> > 389-users mailing list -- 389-users@lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs


Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
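A small script that turns the checks William suggests into something repeatable, added here as an example and not part of the thread: it confirms that /usr/sbin/ns-slapd carries the dirsrv_exec_t type shown in the ls -alZ output and that a running ns-slapd sits in the matching process domain (dirsrv_t is an assumption, as is the restorecon-first suggestion), so a mislabel is spotted before anyone writes a custom module or does a full relabel.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies the labels the stock policy
# expects for 389-ds and suggests restorecon before a full /.autorelabel.
# Assumption: the process domain is dirsrv_t; the entrypoint type
# dirsrv_exec_t is the one shown in the ls -alZ output in the thread.

# Third colon-separated field of a context, e.g.
# system_u:object_r:dirsrv_exec_t:s0 -> dirsrv_exec_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 when the context carries the expected type, 1 otherwise.
context_has_type() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Check a file's on-disk label. Returns 0 (ok), 1 (mislabelled), 2 (unreadable).
check_file_label() {
    ctx=$(stat -c '%C' "$1" 2>/dev/null) || return 2
    if context_has_type "$ctx" "$2"; then
        echo "OK   $1 is $ctx"
        return 0
    fi
    echo "BAD  $1 is $ctx, expected type $2"
    echo "     fix: restorecon -v $1  (full relabel: touch /.autorelabel && reboot)"
    return 1
}

# Check the domain of the running daemon. A correctly labelled binary that was
# started by hand instead of via systemd can still end up in the wrong domain.
# Returns 0 (ok), 1 (wrong domain), 2 (not running).
check_process_domain() {
    ctx=$(ps -o label= -C "$1" 2>/dev/null | head -n 1)
    [ -n "$ctx" ] || { echo "INFO $1 is not running"; return 2; }
    if context_has_type "$ctx" "$2"; then
        echo "OK   $1 runs as $ctx"
        return 0
    fi
    echo "BAD  $1 runs as $ctx, expected domain $2; start it via systemctl"
    return 1
}

# Usage: sh check_ns_slapd_label.sh /usr/sbin/ns-slapd
if [ $# -gt 0 ]; then
    check_file_label "$1" dirsrv_exec_t
    check_process_domain "$(basename "$1")" dirsrv_t
fi
```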