#49046 Add a hard dependency for >=selinux-policy-3.13.1-75
Closed: wontfix 6 years ago Opened 7 years ago by nhosoi.

Description of problem:
Some customers upgrade only 389-ds-base and its dependencies during the 7.2 -> 7.3
upgrade. 389-ds-base-1.3.5 depends on >=selinux-policy-3.13.1-75
From changelog:
Resolves: rhbz#1336722
- Directory Server (389-ds-base) has been updated to use systemd-ask-password.
In order to function correctly we need the following added to dirsrv.te

Currently 389-ds-base doesn't have a hard dependency on a particular version. So
if a customer has configured SSL with pin.txt and later decides to delete the pin,
ns-slapd won't start.

Version-Release number of selected component (if applicable):
389-ds-base-1.3.5.10-11.el7

How reproducible:
always

Steps to Reproduce:
1. On RHEL7.2 configure an instance with SSL and pin.txt
2. yum update 389-ds-base (to 7.3 version)
3. remove pin.txt
4. restart-dirsrv

Actual results:
Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com systemd[1]: Starting 389
Directory Server qeos-33....
Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]:
[18/Nov/2016:05:05:04.944897933 -0500] SSL alert: Sending pin request to
SVRCore. You may need to run systemd-tty-ask-password-agent to provide the
password.
Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]: SVRCORE
systemd:getPin() -> creating socket FAILED 7
Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]:
[18/Nov/2016:05:05:04.946416549 -0500] slapd_ssl_init - Unable to authenticate
(Netscape Portable Runtime error -8177 - The security password entered is
incorrect.)[18/Nov/2016:05:05:04.947076107 -0500] ERROR: SSL Initialization
Failed.  Disabling SSL.
Nov 18 05:05:04 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]:
[18/Nov/2016:05:05:04.947821887 -0500] 389-Directory/1.3.5.10 B2016.257.1817
starting up
Nov 18 05:05:05 qeos-33.lab.eng.rdu2.redhat.com ns-slapd[3240]:
[18/Nov/2016:05:05:05.037750034 -0500] slapd started.  Listening on All
Interfaces port 389 for LDAP requests
Nov 18 05:05:05 qeos-33.lab.eng.rdu2.redhat.com systemd[1]: Started 389
Directory Server qeos-33..

ausearch -m AVC:
time->Fri Nov 18 05:05:04 2016
type=SYSCALL msg=audit(1479463504.946:488): arch=c000003e syscall=49 success=no
exit=-13 a0=a a1=7ffc0659add0 a2=6e a3=7ffc0659ab40 items=0 ppid=1 pid=3240
auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389
fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1479463504.946:488): avc:  denied  { write } for  pid=3240
comm="ns-slapd" name="ask-password" dev="tmpfs" ino=6668
scontext=system_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir


Expected results:
selinux-policy should be updated as well

Additional info:

Metadata Update from @nhosoi:
- Issue set to the milestone: 1.3.6.0

7 years ago
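
The AVC denial quoted in the report above can be picked out of `ausearch -m AVC` output mechanically. The following is an added example, not part of the original ticket or the 389-ds-base project: it re-joins hard-wrapped audit records, parses each denial, and flags the `dirsrv_t` to `systemd_passwd_var_run_t` case that the report ties to a selinux-policy older than 3.13.1-75. The function names are hypothetical and the sample is the report's own event, abridged.

```python
import re

# The audit event from the report above (SYSCALL record abridged),
# hard-wrapped the way it was pasted into the ticket.
SAMPLE = """\
time->Fri Nov 18 05:05:04 2016
type=SYSCALL msg=audit(1479463504.946:488): arch=c000003e syscall=49 success=no
exit=-13 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1479463504.946:488): avc:  denied  { write } for  pid=3240
comm="ns-slapd" name="ask-password" dev="tmpfs" ino=6668
scontext=system_u:system_r:dirsrv_t:s0
tcontext=system_u:object_r:systemd_passwd_var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC denial found in ausearch text output."""
    records, current = [], ""
    for line in text.splitlines():
        line = line.strip()
        # A record starts at 'type=' (or the 'time->' event header);
        # any other non-empty line is a wrapped continuation.
        if line.startswith(("type=", "time->")):
            records.append(current)
            current = line
        elif line:
            current += " " + line
    records.append(current)
    denials = []
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:
            continue
        d = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        if "scontext" not in d or "tcontext" not in d:
            continue
        d["perms"] = m.group(1).split()
        # Context is user:role:type:level; policy rules match on the type.
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials

def ask_password_denials(text):
    """Denials of dirsrv_t on systemd's ask-password objects."""
    return [d for d in parse_avc(text)
            if d["stype"] == "dirsrv_t" and d["ttype"] == "systemd_passwd_var_run_t"]

if __name__ == "__main__":
    for d in ask_password_denials(SAMPLE):
        print(f'{d["comm"]}: {d["perms"]} on {d["tclass"]} "{d["name"]}" denied; '
              "check that selinux-policy is >= 3.13.1-75")
```
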

Metadata Update from @mreynolds:
- Issue close_status updated to: None
- Issue set to the milestone: 1.3.7 backlog (was: 1.3.6.0)

6 years ago

Fixed in upstream & downstream specfiles

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Custom field version adjusted to None
- Issue close_status updated to: fixed
- Issue set to the milestone: 1.3.7.0 (was: 1.3.7 backlog)
- Issue status updated to: Closed (was: Open)

6 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2105

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

3 years ago
