Admin server restart from console denied by SELinux

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47333

• Created at 2013-04-18 21:50:17 by nkinder (@nkinder)
• Closed as Fixed
• Assigned to nkinder (@nkinder)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=953600

---

When you start Admin Server from the command line on a non-systemd system (like el6), our init script (/etc/init.d/dirsrv-admin) creates the lock file by doing this:

touch /var/lock/subsys/dirsrv-admin

This file is created with a label of var_lock_t, which causes AVCs when you
issue a restart from Console. This happens because the label is incorrect. If
I make our init script do a restorecon immediately after creating the lockfile,
it gets relabeled properly as dirsrv_var_lock_t. I am then able to restart
Admin Server from Console sucessfully.

This is the change that is needed to the 389-admin code:

diff --git a/wrappers/initscript.in b/wrappers/initscript.in
index 82dd20e..51419f5 100644
--- a/wrappers/initscript.in
+++ b/wrappers/initscript.in
@@ -164,6 +164,9 @@ start() {
fi
fi
[ $RETVAL -eq 0 -a -d /var/lock/subsys ] && touch $lockfile

• if [ -f $lockfile ]; then

•    restorecon $lockfile
  

• fi
  }

[389-ds-bot]

Comment from nkinder (@nkinder) at 2013-04-18 22:56:24

attachment
0001-Ticket-47333-Relabel-lockfile-when-starting-Admin-Se.patch

[389-ds-bot]

Comment from nkinder (@nkinder) at 2013-04-19 00:02:53

Pushed to master (7e277bf2171fb05722742abc867361e2be5b8776):

Counting objects: 7, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 744 bytes, done.
Total 4 (delta 2), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
78e36de..7e277bf master -> master

[389-ds-bot]

Comment from nkinder (@nkinder) at 2017-02-11 23:11:38

Metadata Update from @nkinder:

• Issue assigned to nkinder
• Issue set to the milestone: 389-admin,console 1.1.35