OS:
```
[root@node4 ~]# uname -a
Linux node4.mysrv.mydomain 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
```
Steps to reproduce: open 389-console -> open directory server console -> click start/stop/restart directory server.
audit.log:
```
type=USER_AVC msg=audit(1484825839.542:139): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dirsrv@.service" cmdline="/bin/systemctl stop dirsrv@node4.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1484825839.543:140): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dirsrv@.service" cmdline="/bin/systemctl stop dirsrv@node4.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
```
This module solves it:
```
[root@node4 log]# cat local.te
module local 1.0;

require {
	type dirsrvadmin_script_t;
	type systemd_unit_file_t;
	class service { status stop start };
}

#============= dirsrvadmin_script_t ==============
allow dirsrvadmin_script_t systemd_unit_file_t:service { status stop start };
```
DS:
```
[root@node4 ~]# rpm -qa | grep 389
389-admin-console-1.1.12-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-adminutil-1.1.21-2.el7.x86_64
389-ds-base-libs-1.3.5.10-15.el7_3.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
389-console-1.1.18-1.el7.noarch
389-admin-1.1.46-1.el7.x86_64
389-ds-console-doc-1.2.16-1.el7.noarch
```
It's a known issue (see at the end): https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Release_Notes/known-issues-10_1.html (It says Admin Server but Directory Server is also affected)
CC'ing William to give more context.
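The two USER_AVC records quoted in the report can be reduced mechanically to the allow rule the reporter wrote by hand. The Python below is an example added here; it is not part of this ticket or of the 389-ds-base project. It parses AVC denial records of that shape, merges the denied permissions by source type, target type and object class, renders the equivalent `allow` rule for comparison with the reporter's local.te, and lists which source domains such a rule would let manage systemd units (the grant the maintainers decline to make). The two audit lines are the ones from the report; the SYSCALL line is constructed filler, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Two USER_AVC records as quoted in the report (one record per line, as auditd
# writes them) plus one constructed non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1484825839.542:139): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dirsrv@.service" cmdline="/bin/systemctl stop dirsrv@node4.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1484825839.543:140): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dirsrv@.service" cmdline="/bin/systemctl stop dirsrv@node4.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1484825839.600:141): arch=c000003e syscall=2 success=yes exit=3
"""

# Matches the "avc: denied { perms } ... scontext= tcontext= tclass=" portion
# of a USER_AVC (or kernel AVC) record; everything else on the line is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+.*?"
    r"scontext=(?P<scontext>[^\s']+)\s+tcontext=(?P<tcontext>[^\s']+)\s+tclass=(?P<tclass>[^\s']+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial found in an audit.log excerpt."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def summarize(denials):
    """Merge denials into {(source type, target type, class): sorted perms}."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in merged.items()}


def to_allow_rules(summary):
    """Render each merged entry as the allow rule a local .te module would carry."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


def service_control_grants(summary):
    """Return the source types that the summarized rules would let drive systemd units.

    A rule on class 'service' against a unit-file type lets the source domain
    start, stop or query that unit through systemd, which is the control the
    maintainers decline to hand to the admin-server script domain.
    """
    return sorted({stype for (stype, ttype, tclass) in summary if tclass == "service"})


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_AUDIT_LOG))
    for rule in to_allow_rules(summary):
        print(rule)
    print("domains gaining service control:", service_control_grants(summary))
```

On a live host the same records come from `ausearch -m USER_AVC`. Note that the rendered rule covers only the permissions actually denied in the quoted log (`status` and `stop`); the reporter's local.te additionally grants `start`, which does not appear in those two records.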
Hi,
The issue is that to do this, we need to give apache (httpd_t, dirsrv_admin_t) control of the initrc_t, which is basically root on the system. We can't do that just to allow communication to systemd, especially when this is an old java based console.
The alternate is to allow dbus_t and policykit access, but this is extremely complex and time consuming to integrate. We feel our energy is better spent elsewhere, as server restarts can be conducted in other ways.
We have previously decided not to fix this issue, advising either the use of specific permissive contexts (semanage permissive -a dirsrvadmin_script_t), or through out-of-band restart.
Another factor is that we plan to replace all our admin tools with python based ones - the java console is really on "life support" at this time, so we would rather spend our energy preparing something new and modern, than trying to save the java tools.
I hope this explains why we likely won't fix this issue.
I'm sorry for any inconvenience. :(
Sorry, this is noted in the release notes as a known issue. https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Release_Notes/known-issues-10_1.html
Closing this ticket as WONTFIX.
Metadata Update from @nhosoi:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @vashirov:
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: None (was: Invalid)
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2153
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix