Bug 1002834

Summary: selinux prevents execmod with nslcd
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: nss-pam-ldapd
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 7.0
CC: dpal, dspurek, ebenes, jhrozek, mgrepl, mmalik
Target Milestone: rc
Target Release: ---
Hardware: s390x
OS: Linux
Fixed In Version: nss-pam-ldapd-0.8.13-4.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 10:55:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Spurek 2013-08-30 05:49:48 UTC
Description of problem:
selinux prevents execmod with nslcd

time->Mon Aug 26 13:32:57 2013
type=SYSCALL msg=audit(1377538377.028:1491): arch=80000016 syscall=125 success=no exit=-13 a0=2aac7599000 a1=27000 a2=5 a3=2aac759a428 items=0 ppid=1 pid=18432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1377538377.028:1491): avc:  denied  { execmod } for  pid=18432 comm="nslcd" path="/usr/sbin/nslcd" dev="dm-2" ino=69797947 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:nslcd_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Zj5wRF | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.qGVBh1 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-70.el7.noarch

Comment 2 Miroslav Grepl 2013-10-04 07:33:41 UTC
http://danwalsh.livejournal.com/6117.html?thread=23525

Comment 3 Nalin Dahyabhai 2013-10-04 19:42:05 UTC
Are you still seeing this bug?  Which version of nss-pam-ldapd was this?  What was its configuration?

Comment 4 David Spurek 2013-10-07 11:14:46 UTC
I still see this bug on s390x with selinux-policy-3.12.1-80.el7 and nss-pam-ldapd-0.8.13-2.el7.s390x. nslcd was configured with 'authconfig --enableldap --disablecache --enableldapauth --updateall --ldapbasedn dc=my-domain,dc=com --ldapserver ldap://my-domain.com'.

nslcd.conf then looks like:

uid nslcd
gid ldap
uri ldap://my-domain.com
base dc=my-domain,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts

Comment 5 Nalin Dahyabhai 2013-10-16 19:58:34 UTC
I'm not able to reproduce this on my x86_64 system with the same versions of selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64.

My attempt to reserve an s390x system to see if it's arch-specific seems to have been stalled for a couple of days - do you have one which I'm able to access where you're still seeing this?

Comment 6 Jakub Hrozek 2013-10-18 15:45:53 UTC
(In reply to Nalin Dahyabhai from comment #5)
> I'm not able to reproduce this on my x86_64 system with the same versions of
> selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64.
> 
> My attempt to reserve an s390x system to see if it's arch-specific seems to
> have been stalled for a couple of days - do you have one which I'm able to
> access where you're still seeing this?

David, feel free to ping me on IRC if you have a system that exhibits this bug.

Comment 7 Nalin Dahyabhai 2013-10-18 17:19:56 UTC
Beaker came through.  It looks like the -fPIE that the hardened build macros add to the compile of nslcd/log.c isn't enough to avoid having a TEXTREL section in the nslcd binary.  I'm not yet clear on the specifics, but it appears to be related to its use of thread-local storage.
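Two checks that confirm what this comment describes, added here as an example and not part of the bug or of nss-pam-ldapd itself: the first parses execmod denials out of ausearch-style AVC records (the record from the description is embedded as a constructed copy), the second asks readelf whether a binary carries the TEXTREL dynamic tag that makes the loader need execmod on it. The readelf function assumes binutils is installed.

```shell
# Constructed copy of the AVC record quoted in this bug's description.
AVC_SAMPLE='type=AVC msg=audit(1377538377.028:1491): avc:  denied  { execmod } for  pid=18432 comm="nslcd" path="/usr/sbin/nslcd" dev="dm-2" ino=69797947 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:nslcd_exec_t:s0 tclass=file'

# Return 0 when the line is an AVC denial of execmod on a file, 1 otherwise.
is_execmod_denial() {
    case "$1" in
        *"avc:"*denied*"{ execmod }"*"tclass=file"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce one AVC line to "<perm> <comm> <path> <source type> <target type>",
# e.g. "execmod nslcd /usr/sbin/nslcd nslcd_t nslcd_exec_t".
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*{ \([a-z_]*\) }.*comm="\([^"]*\)".*path="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1 \2 \3 \4 \5/p'
}

# Filter stdin (for example the output of `ausearch -m AVC`) down to
# summaries of execmod denials only.
execmod_denials() {
    while IFS= read -r line; do
        if is_execmod_denial "$line"; then
            avc_summary "$line"
        fi
    done
}

# Return 0 when an ELF file has text relocations (DT_TEXTREL or the
# TEXTREL flag), which is why a PIE like /usr/sbin/nslcd ends up needing
# execmod under a policy that does not grant it. Requires readelf.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}
```

A packager can run `has_textrel /usr/sbin/nslcd` on the rebuilt package to confirm the relocation is gone instead of adding an execmod allow rule to policy.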

Comment 9 Jakub Hrozek 2013-10-21 20:26:33 UTC
I verified Nalin's findings on s390x test machines.

Comment 12 Ludek Smid 2014-06-13 10:55:47 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.