Issue 6155 - ldap-agent fails to start because of permission error by progier389 · Pull Request #6179 · 389ds/389-ds-base

progier389 · 2024-05-28T09:19:54Z

Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files
One workaround is to use the dac_override capability but it is a bad practice.
Fix: Setting proper permissions:

Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources.
Setting read permission on the group for the dse.ldif file
Setting r/w permissions on the group for the snmp semaphore and mmap file
For that one special care is needed because ns-slapd umask overrides the file creation permission
as is better to avoid changing the umask (changing umask within the code is not thread safe,
and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file
if the needed permission are not set.

Issue: #6155

Reviewed by: @droideck , @vashirov (Thanks ! )

progier389 · 2024-05-28T09:24:03Z

Note:
The test also show that two rules are missing in the ldap SELinux policy to allow the use of mmap on the snmp semaphore file and on the snmp mmap file:
allow dirsrv_snmp_t dirsrv_tmpfs_t:file map;
allow dirsrv_snmp_t dirsrv_var_run_t:file map;

progier389 · 2024-05-28T18:18:27Z

Split the test in two and skip AVC test if SELinux is not enabled.
Fixed a few errors about missing packages handling
Fixed a problem with the curtime generation
FYI: Both testcases are PASS on Fedora40 1minutetip VMs after installing required packages and fixing SELinux policy ldap-agent rule ("2 map permissions are missing"

droideck

LGTM!

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

progier389 · 2024-07-08T09:53:35Z

3fe5661..eb7e57d main -> main
0fb7496..c3ff6e8 389-ds-base-3.0 -> 389-ds-base-3.0
cf6cdd0..7cb34ed 389-ds-base-2.5 -> 389-ds-base-2.5

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

@droideck

…6179) Issue: dirsrv-snmp service fails to starts when SELinux is enforced because of AVC preventing to open some files One workaround is to use the dac_override capability but it is a bad practice. Fix: Setting proper permissions: Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources. Setting read permission on the group for the dse.ldif file Setting r/w permissions on the group for the snmp semaphore and mmap file For that one special care is needed because ns-slapd umask overrides the file creation permission as is better to avoid changing the umask (changing umask within the code is not thread safe, and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file if the needed permission are not set. Issue: #6155 Reviewed by: @droideck , @vashirov (Thanks ! ) (cherry picked from commit eb7e57d)

progier389 added the work in progress Work in Progress - can be reviewed, but not ready for merge. label May 28, 2024

progier389 added this to the 2.5 milestone May 28, 2024

progier389 linked an issue May 28, 2024 that may be closed by this pull request

ldap-agent fails to start because of permission error #6155

Closed

progier389 self-assigned this May 28, 2024

vashirov reviewed May 28, 2024

View reviewed changes

Comment thread dirsrvtests/tests/suites/snmp/snmp.py Outdated

progier389 force-pushed the i6155 branch from a2f2c83 to 070fb37 Compare May 28, 2024 14:37

progier389 removed work in progress Work in Progress - can be reviewed, but not ready for merge. labels May 28, 2024

progier389 force-pushed the i6155 branch from 070fb37 to 3dccf57 Compare May 28, 2024 18:09

progier389 force-pushed the i6155 branch 3 times, most recently from 5bc7225 to daee45d Compare June 10, 2024 11:14

Issue 6155 - ldap-agent fails to start because of permission error

d974c92

progier389 force-pushed the i6155 branch from daee45d to d974c92 Compare June 24, 2024 10:11

droideck approved these changes Jul 5, 2024

View reviewed changes

progier389 merged commit eb7e57d into 389ds:main Jul 8, 2024

progier389 deleted the i6155 branch May 20, 2025 13:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issue 6155 - ldap-agent fails to start because of permission error#6179

Issue 6155 - ldap-agent fails to start because of permission error#6179
progier389 merged 1 commit into389ds:mainfrom
progier389:i6155

progier389 commented May 28, 2024 •

edited

Loading

Uh oh!

progier389 commented May 28, 2024

Uh oh!

Uh oh!

progier389 commented May 28, 2024

Uh oh!

droideck left a comment

Uh oh!

progier389 commented Jul 8, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

progier389 commented May 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

progier389 commented May 28, 2024

Uh oh!

Uh oh!

progier389 commented May 28, 2024

Uh oh!

droideck left a comment

Choose a reason for hiding this comment

Uh oh!

progier389 commented Jul 8, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

progier389 commented May 28, 2024 •

edited

Loading