Announcing 389 Directory Server 1.2.6 Release Candidate 3

On 07/19/2010 01:30 PM, Aaron Hagopian wrote:
> I filed a bug per Rich: https://bugzilla.redhat.com/show_bug.cgi?id=616206
>
>     How did you create the ldif file in
>     "/var/lib/dirsrv/slapd-<instance>/ldif/"?  Did you move the ldif
>     file there from elsewhere on your system?  That could explain why
>     your ldif file has an incorrect context of "var_t".
>
>
> Yes I moved the file there from another location.  I was just trying 
> to see if there is some acceptable directory.
This explains it.  When you move a file, its SELinux context is 
preserved (as opposed to copying, which creates a new file with the 
correct context for the target directory).
>
>
>     Try creating a new file in
>     "/var/lib/dirsrv/slapd-<instance>/ldif/" using 'touch', then run
>     'ls -lZ' to see what the SELinux context is on that new file.  It
>     should be "dirsrv_var_lib_t".
>
>
> Yes creating a new file in that directory gets dirsrv_var_lib_t.  I 
> did get it in once I was able to get my file to have that SELinux 
> attribute.  The ldif file was created on my production server which is 
> running 1.2.5.
>
> I can't say I know that much about SELinux but I imagine this may 
> become a problem for people upgrading to 1.2.6 who want to start 
> fresh?  Maybe can the db2ldif.pl utility add that SELinux attribute?  
> Although that seems like it would go against the point of SELinux if 
> things can just add attributes as needed.  Does the file not have the 
> attribute because it was created in 1.2.5 or was it because on my 
> production machine, when I created the file (using db2ldif.pl), I 
> saved it to a directory other than the SELinux one?  It looks like 
> when I run the db2ldif.pl command on my 1.2.6 machine it does add 
> some SELinux attributes.
This is a general problem for those new to SELinux.  A directory on the 
file-system has a default SELinux context that will be used when a file 
is created in it.  When you move a file from one location to another, 
its previous SELinux context is preserved.  This can cause issues like 
what you've run into.  If you copy a file instead of moving it, the new 
file will have the appropriate context as defined by the policy for the 
target directory.
>
> I think the main reason I don't use the 
> /var/lib/dirsrv/slapd-<instance>/ldif/ file for my backups in the 
> first place is because by default the "nobody" user cannot write to 
> that directory.
The dirsrv SELinux policy is going to make things like this more restrictive.  
It's one of those tradeoffs for being able to confine ns-slapd.

-NGK
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

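The check Nathan describes (ls -lZ on a file dropped into the ldif directory, and relabeling it if it did not pick up dirsrv_var_lib_t) as a small added script.  This is an example written for this archive page; it is not code from either poster or from the 389 project.  The directory path and the expected type are the ones quoted in the thread; the function names and the sample ls -Z listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the 389 project or from the posters above.
# Assumptions: the ldif directory /var/lib/dirsrv/slapd-<instance>/ldif/ and
# the expected type dirsrv_var_lib_t come from the thread; function names and
# SAMPLE_LS_Z below are constructed for illustration.

# Extract the type field (third colon-separated component) from a full
# SELinux context, e.g. "unconfined_u:object_r:var_t:s0" -> "var_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Check one "context filename" line, as printed by `ls -Z`, against the
# expected type.  Prints a verdict and returns 0 only when the type matches.
check_context_line() {
    line=$1
    expected=$2
    ctx=${line%% *}
    name=${line#* }
    actual=$(selinux_type "$ctx")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s (%s)\n' "$name" "$actual"
        return 0
    fi
    printf 'MISMATCH %s has %s, expected %s\n' "$name" "$actual" "$expected"
    return 1
}

# Count the mismatched entries in `ls -Z`-style text read from stdin and
# print the count (a simple pre-import sanity check for a whole directory).
count_mismatches() {
    expected=$1
    n=0
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        check_context_line "$ctx $name" "$expected" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# Live variant for a host running SELinux: list the directory and relabel
# every mismatched file with restorecon, which applies the policy's default
# label for that path (the same label `touch` would have produced there).
relabel_ldif_dir() {
    dir=$1
    expected=$2
    ls -Z "$dir" | while read -r ctx name; do
        check_context_line "$ctx $name" "$expected" >/dev/null \
            || restorecon -v "$dir/$name"
    done
}

# Constructed sample modelling the thread: a file created in place gets the
# directory's default type, while one moved in with `mv` keeps the var_t it
# had at its old location.
SAMPLE_LS_Z='system_u:object_r:dirsrv_var_lib_t:s0 fresh.ldif
unconfined_u:object_r:var_t:s0 moved-from-var.ldif'

case ${1:-} in
    --relabel)
        # usage: ./check-ldif-context.sh --relabel /var/lib/dirsrv/slapd-<instance>/ldif
        [ -n "${2:-}" ] || { echo "usage: $0 --relabel DIR" >&2; exit 2; }
        relabel_ldif_dir "$2" dirsrv_var_lib_t
        ;;
    *)
        # Offline demonstration over the constructed listing.
        printf '%s\n' "$SAMPLE_LS_Z" | while read -r ctx name; do
            check_context_line "$ctx $name" dirsrv_var_lib_t || true
        done
        printf 'mismatched files: %s\n' \
            "$(printf '%s\n' "$SAMPLE_LS_Z" | count_mismatches dirsrv_var_lib_t)"
        ;;
esac
```

Run without arguments it walks the constructed listing and reports the moved file as the one mismatch; with --relabel and a directory it does the real thing.  `matchpathcon <path>` prints the label the loaded policy expects for a path if you want to confirm what restorecon will set before running it, and copying instead of moving, as Nathan says, avoids the problem in the first place.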