Bug 1050981

Summary: SELinux is preventing /usr/sbin/httpd from getattr access on the directory /etc/openldap/certs.
Product: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Anthony Messina <amessina>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Target Milestone: ---
Target Release: ---
Fixed In Version: selinux-policy-3.12.1-74.17.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-01-20 03:08:58 UTC

Description Anthony Messina 2014-01-09 13:13:38 UTC
This seems to be related to Bug 845201, but in Fedora 19 with Apache/httpd configured to use LDAP/TLS authentication something like:

AuthLDAPURL ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid?one?(objectClass=posixAccount) STARTTLS
AuthLDAPBindDN "uid=apache,ou=sysaccounts,dc=example,dc=com"
AuthLDAPBindPassword secret

several AVCs are generated regarding using, searching and reading /etc/openldap/certs.  Similar AVCs are also generated by my Horde installation which also uses LDAP/TLS authentication.


SELinux is preventing /usr/sbin/httpd from getattr access on the directory /etc/openldap/certs:
type=AVC msg=audit(1389271503.763:36607): avc:  denied  { getattr } for  pid=28443 comm="httpd" path="/etc/openldap/certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

type=SYSCALL msg=audit(1389271503.763:36607): arch=x86_64 syscall=stat success=yes exit=0 a0=7fadcc9e64f0 a1=7fff88b01e20 a2=7fff88b01e20 a3=7fadc9a864d0 items=0 ppid=9914 pid=28443 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)


SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/openldap/certs/secmod.db.
type=AVC msg=audit(1389271503.764:36608): avc:  denied  { getattr } for  pid=28443 comm="httpd" path="/etc/openldap/certs/secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

type=SYSCALL msg=audit(1389271503.764:36608): arch=x86_64 syscall=stat success=yes exit=0 a0=7fadcbebb270 a1=7fff88b019d0 a2=7fff88b019d0 a3=0 items=0 ppid=9914 pid=28443 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

SELinux is preventing /usr/sbin/httpd from read access on the file secmod.db.
type=AVC msg=audit(1389271503.764:36609): avc:  denied  { read } for  pid=28443 comm="httpd" name="secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

type=AVC msg=audit(1389271503.764:36609): avc:  denied  { open } for  pid=28443 comm="httpd" path="/etc/openldap/certs/secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

Currently, I am able to work around this issue by creating a local custom fix which includes:

~]# grep slapd_cert /var/log/audit/audit.log | audit2allow

#============= httpd_t ==============
allow httpd_t slapd_cert_t:dir getattr;
allow httpd_t slapd_cert_t:file { read getattr open };

Comment 1 Anthony Messina 2014-01-09 13:44:13 UTC
The strange thing is that in Enforcing mode with the above policy enabled, I still get the following AVCs generated.  The only solution that seems to work at the moment is to relabel /etc/openldap/certs to etc_t:

chcon -R -t etc_t /etc/openldap/certs



cat /var/log/audit/audit.log | audit2allow


#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t slapd_cert_t:dir getattr;
allow httpd_t slapd_cert_t:dir { read search };

#!!!! This avc is allowed in the current policy
allow httpd_t slapd_cert_t:file { read getattr open };


SELinux is preventing /usr/sbin/httpd from read access on the directory certs.
type=AVC msg=audit(1389274503.854:37052): avc:  denied  { read } for  pid=1390 comm="httpd" name="certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

type=SYSCALL msg=audit(1389274503.854:37052): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fd2679351c0 a2=90800 a3=0 items=0 ppid=32098 pid=1390 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)


SELinux is preventing /usr/sbin/httpd from search access on the directory certs.
type=AVC msg=audit(1389274503.850:37050): avc:  denied  { search } for  pid=1390 comm="httpd" name="certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

type=SYSCALL msg=audit(1389274503.850:37050): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fd26799c800 a1=7fff3bf36e20 a2=7fff3bf36e20 a3=0 items=0 ppid=32098 pid=1390 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
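
A worked version of what audit2allow is doing with these records, added here as an illustration; it is not part of the bug report, of Fedora or of the selinux-policy package. The script parses the AVC lines quoted in comment 0 and comment 1 (embedded below as constructed sample input copied from this report), unions the denied permissions per source type, target type and object class, and prints a raw Type Enforcement module in the `module name version;` form that `checkmodule -M -m` accepts. It also makes the point of comment 1 explicit: the second round of AVCs adds `read` and `search` on the directory, which the first module never granted, so the two rounds have to be merged. The module name `httpd_ldap_certs` and the function names are the example's own choices.

```python
"""Build an SELinux Type Enforcement module from AVC denial records.

Added example for this bug report; not code from Fedora, selinux-policy
or the reporter.  It mirrors what `audit2allow -M` does for the simple
case.  The module name httpd_ldap_certs is this example's own choice.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in this report, plus one
# abridged SYSCALL record to show that non-AVC lines are ignored.
FIRST_ROUND = [
    'type=AVC msg=audit(1389271503.763:36607): avc:  denied  { getattr } for  pid=28443 comm="httpd" path="/etc/openldap/certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir',
    'type=AVC msg=audit(1389271503.764:36608): avc:  denied  { getattr } for  pid=28443 comm="httpd" path="/etc/openldap/certs/secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file',
    'type=AVC msg=audit(1389271503.764:36609): avc:  denied  { read } for  pid=28443 comm="httpd" name="secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file',
    'type=AVC msg=audit(1389271503.764:36609): avc:  denied  { open } for  pid=28443 comm="httpd" path="/etc/openldap/certs/secmod.db" dev="md1" ino=58182868 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file',
]
SECOND_ROUND = [
    'type=AVC msg=audit(1389274503.854:37052): avc:  denied  { read } for  pid=1390 comm="httpd" name="certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir',
    'type=AVC msg=audit(1389274503.850:37050): avc:  denied  { search } for  pid=1390 comm="httpd" name="certs" dev="md1" ino=58178895 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir',
]
SYSCALL_LINE = 'type=SYSCALL msg=audit(1389274503.850:37050): arch=x86_64 syscall=stat success=no exit=EACCES comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)'

AVC_DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KEY_VALUE = re.compile(r'(\w+)=(\S+)')


def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for an AVC denial, else None.

    The type is the third colon-separated field of a context
    (user:role:type:level), so it is taken positionally rather than
    by regex to survive MLS ranges other than plain s0.
    """
    m = AVC_DENIED.search(line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    fields = dict(KEY_VALUE.findall(line))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms


def collect_rules(lines):
    """Map (stype, ttype, tclass) -> set of permissions seen denied."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules


def new_perms(before, after):
    """Permissions in `after` that `before` never granted, keyed like rules.

    This is the gap between the module from comment 0 and the AVCs in
    comment 1: allowing getattr let httpd get one step further and then
    fail on read/search of the same directory.
    """
    gap = {}
    for key, perms in after.items():
        extra = perms - before.get(key, set())
        if extra:
            gap[key] = extra
    return gap


def render_te(module, version, rules):
    """Render rules as a raw TE module (syntax for `checkmodule -M -m`)."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for key in sorted(rules):
        perms = sorted(rules[key])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {key[0]} {key[1]}:{key[2]} {perm_txt};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    merged = collect_rules(FIRST_ROUND + SECOND_ROUND)
    print(render_te("httpd_ldap_certs", "1.0", merged))
```

The printed module can be built and loaded with `checkmodule -M -m -o httpd_ldap_certs.mod httpd_ldap_certs.te`, `semodule_package -o httpd_ldap_certs.pp -m httpd_ldap_certs.mod` and `semodule -i httpd_ldap_certs.pp`. Raw allow rules of this kind are a stopgap: the shipped fix uses the `ldap_read_certs(httpd_t)` interface, so once selinux-policy-3.12.1-74.17.fc19 or later is installed the local module should be dropped with `semodule -r httpd_ldap_certs`, and a directory relabelled to `etc_t` with the chcon workaround should be put back to its policy label with `restorecon -Rv /etc/openldap/certs`, since `chcon` changes do not survive a relabel and `etc_t` is readable by far more domains than `slapd_cert_t`.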

Comment 2 Daniel Walsh 2014-01-09 14:45:01 UTC
0a15b94edd82af20666dff9ab23e8131b01a5e1d fixes this in git.

Added
	ldap_read_certs(httpd_t)

Comment 3 Lukas Vrabec 2014-01-10 09:30:53 UTC
Backported.

Comment 4 Fedora Update System 2014-01-10 14:13:40 UTC
selinux-policy-3.12.1-74.17.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.17.fc19

Comment 5 Anthony Messina 2014-01-11 06:27:03 UTC
(In reply to Fedora Update System from comment #4)
> selinux-policy-3.12.1-74.17.fc19 has been submitted as an update for Fedora
> 19.
> https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.17.fc19

That build resolves the issue.  Thank you.

Comment 6 Fedora Update System 2014-01-11 08:42:42 UTC
Package selinux-policy-3.12.1-74.17.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.17.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0636/selinux-policy-3.12.1-74.17.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-01-20 03:08:58 UTC
selinux-policy-3.12.1-74.17.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.