I'm trying to run an OpenLDAP server on CentOS 6.4 with SELinux enabled, but slapd is dying as soon as it's started via /etc/init.d/slapd start. (The init script reports OK; everything works fine after setenforce 0.)
I found these messages in /var/log/audit/audit.log:
type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
However, this leaves me with no idea how to fix it. How do I tell SELinux to allow the LDAP daemon to run?
I tried
restorecon -v -F -R /etc/openldap
restorecon -v -F -R /var/lib/ldap
but this didn't work (and in fact it seems to have broken my ability to start slapd even with SELinux disabled). I got a lot of messages like:
restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
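Added example, not part of the question above: a small parser that reads the AVC records from the post and reduces them to the (source type, class, permission, target type) tuples a defender needs in order to decide, per denial, whether a file is mislabeled (a restorecon problem) or the policy genuinely lacks a rule. The SYSCALL records are skipped; the sample input is the post's own records with the double spaces that real audit.log lines carry restored.

```python
import re
from collections import Counter

# Sample input: the three AVC records quoted in the post above (SYSCALL lines omitted).
AUDIT_LOG = """\
type=AVC msg=audit(1372888328.397:3262): avc:  denied  { write } for  pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

# Tolerates both the single-spaced form shown in the post and the double-spaced form auditd writes.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc: +denied +\{ *(?P<perms>[^}]+?) *\} +for +(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # For file denials the target is a name; for capability denials it is the capability number.
        "target": fields.get("name") or fields.get("capability"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count denials by the tuple a policy decision is made on; repeats of the same
    denial collapse, so the remaining keys are the distinct problems to investigate."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["source_type"], r["tclass"], perm, r["target_type"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_audit_log(AUDIT_LOG)).items()):
        print(n, "x", " ".join(key))
```

A target type of var_log_t under a file-class denial, as in two of these records, points at the file's label rather than at the daemon's own domain, which is the distinction the summary is meant to surface.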