Description of problem: start-ds-admin and dirsrv-admin.service start httpd under different SELinux contexts. This causes the pidfile and socket to be created with different labels, which makes it impossible to restart the Admin server from the GUI Console.
/usr/sbin/start-ds-admin:

```
if [ -z "yes" ] ; then
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
    fi
fi

$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"
```
Version-Release number of selected component (if applicable): 389-admin-1.1.42-1.el7dsrv.x86_64
How reproducible: always
Steps to Reproduce:
1. start Admin server using start-ds-admin
2. stop Admin server
3. start Admin server using systemctl start dirsrv-admin
Actual results:
```
# start-ds-admin
# ps -Zaux | grep [h]ttpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0 0.1 165132 3028 ? Ss 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8310 0.0 0.1 165116 2104 ? S 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0 0.3 771604 6144 ? Sl 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root unconfined_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid

# systemctl start dirsrv-admin
# ps -Zaux | grep [h]ttpd
system_u:system_r:httpd_t:s0 root 8226 0.0 0.1 165132 3020 ? Ss 17:13 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0 root 8227 0.0 0.1 165116 2100 ? S 17:13 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0 nobody 8228 0.0 0.3 771604 6136 ? Sl 17:13 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
# ls /var/run/dirsrv/admin-serv.pid -laZ
-rw-r--r--. root root system_u:object_r:dirsrv_var_run_t:s0 /var/run/dirsrv/admin-serv.pid
```
Expected results: start-ds-admin should not use unconfined_t for httpd.
Note: Milestone is up to the SELinux policy fix.
The selinux policy will be fixed in RHEL 7.3 (aka 1.3.5), closing ticket...
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.5.0
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1624
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)
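A check for the mismatch reported in this ticket, as an added example (not code from the ticket or from the 389 project): it reads `ps -Zaux` output and lists Admin Server httpd processes whose SELinux type is not `httpd_t`. The function names are hypothetical, and the sample input is assembled from lines in the report so that both domains appear in one listing.

```shell
#!/bin/sh
# Added example: flag Admin Server httpd processes running outside the
# expected SELinux domain. Input is `ps -Zaux` style text on stdin.

EXPECTED_TYPE="httpd_t"                    # domain seen when started via systemctl
CONF="/etc/dirsrv/admin-serv/httpd.conf"   # Admin Server config path from the report

# Prints "PID TYPE" for every mismatching process.
# Returns 0 if all match, 1 on any mismatch, 2 if no Admin Server httpd was found.
check_admin_httpd_domain() {
    awk -v want="$EXPECTED_TYPE" -v conf="$CONF" '
        # ps -Zaux columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
        # Match on the executable name in column 12 so that grep/awk helper
        # processes mentioning the same path are not counted.
        $12 ~ /(^|\/)httpd$/ && index($0, "-f " conf) {
            seen++
            split($1, ctx, ":")            # user:role:type:level[:categories]
            if (ctx[3] != want) { print $3, ctx[3]; bad++ }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Sample input: lines copied from the report, combined into one listing.
sample_ps_output() {
    cat <<'EOF'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 8308 0.0 0.1 165132 3028 ? Ss 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nobody 8311 0.0 0.3 771604 6144 ? Sl 17:14 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0 root 8226 0.0 0.1 165132 3020 ? Ss 17:13 0:00 /usr/sbin/httpd -k start -f /etc/dirsrv/admin-serv/httpd.conf
EOF
}

# Demo on the sample; on a live host use: ps -Zaux | check_admin_httpd_domain
sample_ps_output | check_admin_httpd_domain || true
```

The return code separates "no Admin Server httpd running" (2) from "running in the wrong domain" (1), so the function can be used as a monitoring probe after either start method.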