[389-users] Announcing 389 Directory Server 1.2.6 Release Candidate 3
Nathan Kinder
nkinder at redhat.com
Mon Jul 19 21:03:26 UTC 2010
On 07/19/2010 01:30 PM, Aaron Hagopian wrote:
> I filed a bug per Rich: https://bugzilla.redhat.com/show_bug.cgi?id=616206
>
> How did you create the ldif file in
> "/var/lib/dirsrv/slapd-<instance>/ldif/"? Did you move the ldif
> file there from elsewhere on your system? That could explain why
> your ldif file has an incorrect context of "var_t".
>
>
> Yes I moved the file there from another location. I was just trying
> to see if there is some acceptable directory.
This explains it. When you move a file, its SELinux context is
preserved (as opposed to copying, which creates a new file with the
correct context for the target directory).
>
>
> Try creating a new file in
> "/var/lib/dirsrv/slapd-<instance>/ldif/" using 'touch', then run
> 'ls -lZ' to see what the SELinux context is on that new file. It
> should be "dirsrv_var_lib_t".
>
>
> Yes creating a new file in that directory gets dirsrv_var_lib_t. I
> did get it in once I was able to get my file to have that SELinux
> attribute. The ldif file was created on my production server which is
> running 1.2.5.
>
> I can't say I know that much about SELinux but I imagine this may
> become a problem for people upgrading to 1.2.6 who want to start
> fresh? Maybe can the db2ldif.pl utility add that
> SELinux attribute? Although that seems like it would go against the
> point of SELinux if things can just add attributes as needed. Does
> the file not have the attribute because it was created in 1.2.5 or was
> it because on my production machine, when I created the file (using
> db2ldif.pl), I saved it to a directory other than
> the SELinux one? It looks like when I run the db2ldif.pl
> command on my 1.2.6 machine it does add some
> SELinux attributes.
This is a general problem for those new to SELinux. A directory on the
file-system has a default SELinux context that will be used when a file
is created in it. When you move a file from one location to another,
its previous SELinux context is preserved. This can cause issues like
what you've run into. If you copy a file instead of moving it, the new
file will have the appropriate context as defined by the policy for the
target directory.
>
> I think the main reason I don't use the
> /var/lib/dirsrv/slapd-<instance>/ldif/ file for my backups in the
> first place is because by default the "nobody" user cannot write to
> that directory.
The dirsrv SELinux is going to make things like this more restrictive.
It's one of those tradeoffs for being able to confine ns-slapd.
-NGK
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
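An added check (not from the thread or the 389 project) that scans `ls -lZ` output for LDIF files whose SELinux type is not the `dirsrv_var_lib_t` type named above, which is how a file moved in with `mv` would show up; the sample listing and the file names in it are constructed, and `restorecon` is the standard relabelling command, shown here as the fix rather than moving files around by hand.

```shell
#!/bin/sh
# SELinux type the policy assigns to files created in the instance ldif
# directory (the type named in the thread above).
EXPECTED_TYPE="dirsrv_var_lib_t"

# Read `ls -lZ` style lines on stdin and print "<name> <type>" for each
# file whose type field is not $EXPECTED_TYPE. The context field is found
# by its ":object_r:" marker (layout of ls -lZ differs between releases);
# the file name is taken as the last field, so names with spaces are not
# handled by this check.
find_mislabelled() {
    awk -v want="$EXPECTED_TYPE" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:object_r:[^:]+:/) ctx = $i
            if (ctx == "") next
            split(ctx, parts, ":")
            if (parts[3] != want) print $NF " " parts[3]
        }'
}

# Live check of one instance directory (assumed path; not run here).
check_ldif_dir() {
    ls -lZ "$1" | find_mislabelled
}

# Constructed sample listing, not real output: the first file was moved in
# with mv and kept its old var_t label; the second was created in place.
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:var_t:s0 moved-backup.ldif
-rw-r--r--. root root system_u:object_r:dirsrv_var_lib_t:s0 fresh-export.ldif'

# Remediation for a flagged file: relabel it to the directory default
# (the same result cp would have produced instead of mv), e.g.
#   restorecon -v /var/lib/dirsrv/slapd-<instance>/ldif/moved-backup.ldif
```

Run `printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled` to see the moved file reported with its stale `var_t` type; `check_ldif_dir /var/lib/dirsrv/slapd-<instance>/ldif` does the same against a real directory.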