I'm trying to run an OpenLDAP server on CentOS 6.4 with selinux enabled, but slapd is dieing as soon as it's started via /etc/init.d/slapd start. (init script reports OK; everything works fine after setenforce 0.

found these messages in /var/log/audit/audit.log:

 type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) 

However this leaves me with no idea how to fix it. How do I tell selinux to allow the LDAP daemon to run?

I tried

restorecon -v -F -R /etc/openldap restorecon -v -F -R /var/lib/ldap 

but this didn't work. Got a lot of messages like

restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0

I'm trying to run an OpenLDAP server on CentOS 6.4 with selinux enabled, but slapd is dieing as soon as it's started via /etc/init.d/slapd start. (init script reports OK; everything works fine after setenforce 0.

found these messages in /var/log/audit/audit.log:

 type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) 

However this leaves me with no idea how to fix it. How do I tell selinux to allow the LDAP daemon to run?

I tried

restorecon -v -F -R /etc/openldap restorecon -v -F -R /var/lib/ldap 

but this didn't work (and in fact it seems to have broken my ability to start slapd even with selinux disabled). Got a lot of messages like

restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0

I'm trying to run an OpenLDAP server on CentOS 6.4 with selinux enabled, but slapd is dieing as soon as it's started via /etc/init.d/slapd start. (init script reports OK; everything works fine after setenforce 0.

found these messages in /var/log/audit/audit.log:

 type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) 

However this leaves me with no idea how to fix it. How do I tell selinux to allow the LDAP daemon to run?

I'm trying to run an OpenLDAP server on CentOS 6.4 with selinux enabled, but slapd is dieing as soon as it's started via /etc/init.d/slapd start. (init script reports OK; everything works fine after setenforce 0.

found these messages in /var/log/audit/audit.log:

 type=AVC msg=audit(1372888328.397:3262): avc: denied { write } for pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.408:3263): avc: denied { sys_nice } for pid=1492 comm="slapd" capability=23 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) type=AVC msg=audit(1372888328.424:3264): avc: denied { read } for pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) 

However this leaves me with no idea how to fix it. How do I tell selinux to allow the LDAP daemon to run?

I tried

restorecon -v -F -R /etc/openldap restorecon -v -F -R /var/lib/ldap 

but this didn't work. Got a lot of messages like

restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0