389-ds-base

Clone
Source Code
GIT

#49705 Python installer doesn't label ports with ldap_port_t
Closed: wontfix 5 years ago Opened 5 years ago by vashirov.

Closed: wontfix
Reopen Issue

Issue Description

When using dscreate with non-standard ports, installer fails:

# dscreate fromfile config.ini 
READY: Preparing installation for localhost
READY: Beginning installation for localhost
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@localhost.service → /usr/lib/systemd/system/dirsrv@.service.
Job for dirsrv@localhost.service failed because the control process exited with error code.
See "systemctl status dirsrv@localhost.service" and "journalctl -xe" for details.
Error: Command '['/usr/bin/systemctl', 'start', 'dirsrv@localhost']' returned non-zero exit status 1.
FAIL: Command failed. See output for details.

In the audit log I can see that SELinux denies bind on the port (because it's not labebeled): 

----
time->Mon May 21 13:22:50 2018
type=AVC msg=audit(1526923370.196:577): avc:  denied  { name_bind } for  pid=19915 comm="ns-slapd" src=390 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Package Version and Platform

389-ds-base-1.4.0.9-20180521git213f3c47a.fc28.x86_64

Steps to reproduce

  1. Create an instance using dscreate with non-standard port like 390

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.4.0
5 years ago

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1631461
5 years ago

Issue linked to Bugzilla: Bug 1631461

Pretty sure that the labeling is done at startup? I remember writing the script to do it ....

Currently it is handled only in the old perl installer: https://pagure.io/389-ds-base/blob/master/f/ldap/admin/src/scripts/DSCreate.pm.in#_1021

Perhaps you're thinking of 8269288.
I think we can incorporate these scripts into lib389 to reuse them in dscreate.

Metadata Update from @mreynolds:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
5 years ago

Closed as a duplicate of #49814.

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2764

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: duplicate)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.