On F-14, after running ipa-nis-manage enable and restarting dirsrv, the restart fails and this is logged in the audit log:
type=AVC msg=audit(1295547915.331:4111): avc: denied { node_bind } for pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
I'm guessing that after resolving this more errors may pop up.
I think this is a complete list of the AVCs I'm seeing:
type=AVC msg=audit(1295547915.331:4111): avc: denied { node_bind } for pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1295548287.301:4113): avc: denied { create } for pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295549851.635:4114): avc: denied { create } for pid=23550 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550044.067:4116): avc: denied { connect } for pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550136.493:4123): avc: denied { connect } for pid=23682 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550324.494:4126): avc: denied { write } for pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1295550540.437:4130): avc: denied { sendto } for pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.062:4133): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.065:4134): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
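Added example (not part of the original ticket, nor FreeIPA or slapi-nis code): a small Python parser that groups the AVC denials listed above by source type, target type and object class, which is the set of accesses an updated policy has to cover. It also handles records pasted run together on one line; the function names `parse_avc` and `summarize` are this example's own.

```python
import re
from collections import defaultdict

# Six of the AVC records from the ticket above (repeated denials omitted).
SAMPLE = """\
type=AVC msg=audit(1295547915.331:4111): avc: denied { node_bind } for pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1295548287.301:4113): avc: denied { create } for pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550044.067:4116): avc: denied { connect } for pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550324.494:4126): avc: denied { write } for pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1295550540.437:4130): avc: denied { sendto } for pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.062:4133): avc: denied { write } for pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\} for (?P<fields>.*)")

def parse_avc(chunk):
    """Parse one AVC denial into a dict, or return None if it is not one."""
    m = AVC_RE.search(chunk)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in
           re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    return rec

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    # Split before every "type=AVC" so records run together on one line
    # are handled the same as one record per line.
    for chunk in re.split(r"(?=type=AVC )", text):
        rec = parse_avc(chunk)
        if not rec or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        # An SELinux context is user:role:type:level; the type is field 3.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        groups[(src, tgt, rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt} [{cls}]: {' '.join(perms)}")
```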
Filed bug against slapi-nis in Fedora https://bugzilla.redhat.com/show_bug.cgi?id=671444
Appears to be fixed in selinux-policy-3.9.7-27. This has not hit updates-testing yet; I pulled the rpms from koji.
This has been pushed to updates-testing.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)