[389-users] is anybody having problems with latest selinux policy update in F12?

Nathan Kinder nkinder at redhat.com
Wed Mar 3 16:51:00 UTC 2010


On 03/03/2010 07:44 AM, me wrote:
> hi Rich
> do you know why it all broke so suddenly with latest update for base policy?
>    
As Rich said, it was a miscommunication between the 389 and SELinux dev 
teams.  We have a 389-specific SELinux policy module that was recently 
developed but is not released yet.  It will be in 389 1.2.6.  This 
policy will confine the ns-slapd daemon to the dirsrv_t domain.

A change was made to the base selinux policy to confine 389 to the 
slapd_t domain, which is the policy used for OpenLDAP.  This does not 
just work with 389 since different paths are used (among other things).  
This change was backed out of the selinux-policy package at my request.  
This should be fixed in selinux-policy-3.6.32-92, which is currently in 
the testing repo.  Please see this comment in the bug where this change 
was made:

     https://bugzilla.redhat.com/show_bug.cgi?id=559298#c28

I would encourage you to test the fixed selinux-policy package and 
provide feedback as requested in the bug.

Thanks,
-NGK
> for some users it could be kind of a disaster, if now base policy is
> lacking rules for 389
> then some other dependencies, like ones you said of, should be pulled in
> automatically
> for me it looked like that, everything just crashed, like if there was
> no major part
> of 389's things in base selinux policy.
> I've just yumed 389-ds and no extra deps were looked for with regards to
> selinux
> tracking selinux events and rendering custom module for inevitable
> I guess lots of people on F12 were having lots of problems today
> cheers
>
> On 03/03/2010 03:07 PM, Rich Megginson wrote:
>    
>> me wrote:
>>
>>      
>>> regards
>>>
>>>
>>>        
>> 389-ds-base 1.2.6.a2 has a selinux sub-package - 389-ds-base-selinux -
>> and 389-admin-1.1.11.a2 also - 389-admin-selinux - these are currently
>> in the testing repos - yum install/upgrade --enablerepo=updates-testing
>> 389-ds-base-selinux 389-admin-selinux
>> Not sure if these packages have hit all of the mirrors yet, but if they
>> have, try them out (and give us some feedback!)
>>
>>      
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>>        
>>      
>    
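
Added example (not part of the original post, and not 389 or Fedora project code): a shell check for the situation described in the message above, reporting which SELinux domain ns-slapd runs in and whether the installed selinux-policy is at or after 3.6.32-92. The function names and the `ps -eZ` sample are constructed for illustration, and the version comparison is a simplified numeric one, not rpm's own ordering.

```shell
#!/bin/sh
# Added example: report the SELinux domain of ns-slapd and whether the
# installed selinux-policy is at or after the build named in the post.
FIXED_POLICY="3.6.32-92"   # version-release taken from the post

# stdin: `ps -eZ` output. Prints the SELinux type (3rd context field) of ns-slapd.
slapd_domain() {
    awk '$NF == "ns-slapd" { split($1, ctx, ":"); print ctx[3]; exit }'
}

# $1: version-release, e.g. from: rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy
# Numeric field-by-field compare (assumption: a simplification of rpm's ordering).
policy_has_fix() {
    printf '%s %s\n' "$1" "$FIXED_POLICY" | awk '{
        split($1, a, /[.-]/); m = split($2, b, /[.-]/)
        for (i = 1; i <= m; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0
    }'
}

# $1: domain from slapd_domain, $2: installed policy version-release
assess() {
    if policy_has_fix "$2"; then pol="policy $2 is at or after $FIXED_POLICY"
    else pol="policy $2 predates $FIXED_POLICY"; fi
    case "$1" in
        dirsrv_t) echo "dirsrv_t: 389 policy module in effect; $pol" ;;
        slapd_t)  echo "slapd_t: OpenLDAP domain applied to 389; $pol" ;;
        "")       echo "ns-slapd not running; $pol" ;;
        *)        echo "$1: neither the 389 nor the OpenLDAP domain; $pol" ;;
    esac
}

# Constructed sample input (not taken from the thread).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:slapd_t:s0     1432 ?        00:00:02 ns-slapd
system_u:system_r:sshd_t:s0      1101 ?        00:00:00 sshd'

# On a live host, feed `ps -eZ` and the rpm query above instead of the sample.
assess "$(printf '%s\n' "$SAMPLE_PS" | slapd_domain)" "3.6.32-89.fc12"
```
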



