On 07/19/2010 01:30 PM, Aaron Hagopian wrote:
>> How did you create the ldif file in
>> "/var/lib/dirsrv/slapd-<instance>/ldif/"? Did you move the ldif
>> file there from elsewhere on your system? That could explain why your
>> ldif file has an incorrect context of "var_t".
> Yes I moved the file there from another location. I was just
> trying to see if there is some acceptable directory.
>> This explains it. When you move a file, its SELinux context is
>> preserved (as opposed to copying, which creates a new file with the
>> correct context for the target directory).
>>
>> Try creating a new file in
>> "/var/lib/dirsrv/slapd-<instance>/ldif/" using 'touch', then run
>> 'ls -lZ' to see what the SELinux context is on that new file. It
>> should be "dirsrv_var_lib_t".
> Yes creating a new file in that directory gets dirsrv_var_lib_t.
> I did get it in once I was able to get my file to have that SELinux
> attribute. The ldif file was created on my production server which is
> running 1.2.5.
>
> I can't say I know that much about SELinux but I imagine this
> may become a problem for people upgrading to 1.2.6 who want to start
> fresh? Maybe the db2ldif.pl utility can add that SELinux
> attribute? Although that seems like it would go against the point of
> SELinux if things can just add attributes as needed. Does the file not
> have the attribute because it was created in 1.2.5 or was it because on
> my production machine, when I created the file (using db2ldif.pl), I
> saved it to a directory other than the SELinux one? It looks like when
> I run the db2ldif.pl command on my 1.2.6 machine it does add some
> SELinux attributes.
This is a general problem for those new to SELinux. A directory on the
filesystem has a default SELinux context that will be used when a file
is created in it. When you move a file from one location to another,
its previous SELinux context is preserved. This can cause issues like
what you've run into. If you copy a file instead of moving it, the new
file will have the appropriate context as defined by the policy for the
target directory.
> I think the main reason I don't use the
> /var/lib/dirsrv/slapd-<instance>/ldif/ directory for my backups in the
> first place is because by default the "nobody" user cannot write to
> that directory.
The dirsrv SELinux policy is going to make things like this more restrictive.
It's one of those tradeoffs for being able to confine ns-slapd.
-NGK
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
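The mv-versus-cp point above suggests a quick check an admin can run before an import: list the ldif directory with 'ls -lZ' and flag any file whose SELinux type is not the directory default. The script below is an added example, not code from this thread or from the 389 project. It parses 'ls -lZ' output (locating the context column by its user:role:type[:level] shape so both older and newer coreutils layouts work), reports files whose type differs from the expected one, and prints the 'restorecon' command that resets a moved file to the policy default for its current directory. The path and the "dirsrv_var_lib_t" type are the ones named in the thread; the sample listing is constructed, and 'restorecon' is the standard policy tool, not something the thread mentions.

```python
"""Flag files in the 389 DS ldif directory whose SELinux type does not
match the directory's default, from `ls -lZ` output.

Added example for this thread, not code from 389-ds or the list posters.
The sample listing below is constructed; the path and expected type come
from the thread itself.
"""
import re
from typing import List, Optional, Tuple

# A SELinux file context has the form user:role:type[:level]. The column
# layout of `ls -lZ` differs between coreutils versions (older ones omit
# size and date), so find the context by shape rather than by position.
CONTEXT_RE = re.compile(r"^[A-Za-z0-9_]+:object_r:([A-Za-z0-9_]+)(?::\S+)?$")

LDIF_DIR = "/var/lib/dirsrv/slapd-<instance>/ldif"   # path from the thread
EXPECTED_TYPE = "dirsrv_var_lib_t"                     # type from the thread

# Constructed sample `ls -lZ` output for that directory: one file moved in
# with `mv` (keeps its old var_t label), one created in place with `touch`.
SAMPLE_LS_LZ = """\
total 8
-rw-r--r--. 1 nobody nobody system_u:object_r:var_t:s0 4096 Jul 19 13:30 backup.ldif
-rw-r--r--. 1 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 0 Jul 19 13:35 test
"""


def parse_ls_lz(line: str) -> Optional[Tuple[str, str]]:
    """Return (filename, selinux_type) for one `ls -lZ` line, or None for
    lines without a file context (e.g. the 'total' header).
    Filenames are taken as the last field, so names with spaces are not
    handled; ldif backup names normally have none."""
    fields = line.split()
    if len(fields) < 3:
        return None
    for field in fields:
        match = CONTEXT_RE.match(field)
        if match:
            return fields[-1], match.group(1)
    return None


def find_mislabeled(listing: str, expected_type: str = EXPECTED_TYPE) -> List[Tuple[str, str]]:
    """Files whose SELinux type differs from what the policy would have
    assigned to a file created fresh in the directory (the mv-vs-cp case)."""
    mislabeled = []
    for line in listing.splitlines():
        parsed = parse_ls_lz(line)
        if parsed and parsed[1] != expected_type:
            mislabeled.append(parsed)
    return mislabeled


def relabel_command(filename: str, directory: str = LDIF_DIR) -> str:
    """The restorecon invocation that resets a file to the policy default
    for its current directory, which is the fix for a moved-in file."""
    return f"restorecon -v {directory}/{filename}"


if __name__ == "__main__":
    for name, actual in find_mislabeled(SAMPLE_LS_LZ):
        print(f"{name}: labeled {actual}, expected {EXPECTED_TYPE}; "
              f"fix with: {relabel_command(name)}")
```

Feed it the real listing with something like 'ls -lZ /var/lib/dirsrv/slapd-<instance>/ldif | python3 check_ldif_labels.py' after changing the main block to read stdin; on the constructed sample it reports only backup.ldif, the file that was moved rather than copied.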