When you start Admin Server from the command line on a non-systemd system (like el6), our init script (/etc/init.d/dirsrv-admin) creates the lock file by doing this:
touch /var/lock/subsys/dirsrv-admin
This file is created with a label of var_lock_t, which causes AVCs when you issue a restart from Console. This happens because the label is incorrect. If I make our init script do a restorecon immediately after creating the lockfile, it gets relabeled properly as dirsrv_var_lock_t. I am then able to restart Admin Server from Console sucessfully.
This is the change that is needed to the 389-admin code:
diff --git a/wrappers/initscript.in b/wrappers/initscript.in index 82dd20e..51419f5 100644 --- a/wrappers/initscript.in +++ b/wrappers/initscript.in @@ -164,6 +164,9 @@ start() { fi fi [ $RETVAL -eq 0 -a -d /var/lock/subsys ] && touch $lockfile + if [ -f $lockfile ]; then + restorecon $lockfile + fi }
attachment 0001-Ticket-47333-Relabel-lockfile-when-starting-Admin-Se.patch
Pushed to master (7e277bf2171fb05722742abc867361e2be5b8776):
Counting objects: 7, done. Delta compression using up to 4 threads. Compressing objects: 100% (4/4), done. Writing objects: 100% (4/4), 744 bytes, done. Total 4 (delta 2), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/389/admin.git 78e36de..7e277bf master -> master
Metadata Update from @nkinder: - Issue assigned to nkinder - Issue set to the milestone: 389-admin,console 1.1.35
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/670
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
Login to comment on this ticket.