Bug 1155617
| Summary: | nslcd generates AVCs when started | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | ebenes, lvrabec, mgrepl, mmalik, plautrba, pvrabec, tmraz |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-7.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 10:46:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I do not think this is authconfig bug. It is bug in SELinux policy. I had following packages installed: selinux-policy-3.13.1-2.bs4.noarch nss-pam-ldapd-0.8.13-8.bs4.ppc64le Milos, What about permissive mode? Here are AVCs caught in permissive mode:
----
time->Wed Oct 29 18:25:49 2014
type=PATH msg=audit(1414603549.528:479): item=0 name="/dev/urandom" inode=4553 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(1414603549.528:479): cwd="/"
type=SYSCALL msg=audit(1414603549.528:479): arch=c000003e syscall=2 success=yes exit=3 a0=7f1f0ffb0f42 a1=0 a2=1b6 a3=7fffc2717e50 items=1 ppid=1 pid=12771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1414603549.528:479): avc: denied { open } for pid=12771 comm="nslcd" path="/dev/urandom" dev="devtmpfs" ino=4553 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1414603549.528:479): avc: denied { read } for pid=12771 comm="nslcd" name="urandom" dev="devtmpfs" ino=4553 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Wed Oct 29 18:25:49 2014
type=PATH msg=audit(1414603549.528:480): item=0 name="/dev/urandom" inode=4553 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL
type=CWD msg=audit(1414603549.528:480): cwd="/"
type=SYSCALL msg=audit(1414603549.528:480): arch=c000003e syscall=4 success=yes exit=0 a0=7f1f0ffb0f42 a1=7fffc2713f70 a2=7fffc2713f70 a3=7fffc2713ce0 items=1 ppid=1 pid=12771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1414603549.528:480): avc: denied { getattr } for pid=12771 comm="nslcd" path="/dev/urandom" dev="devtmpfs" ino=4553 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
Lukas, did you add any changes? no commit a56884f58d9bda3b5112d3cd05219f62569e2fbd
Author: Miroslav Grepl <mgrepl>
Date: Mon Nov 3 11:49:39 2014 +0100
Allow nslcd to execute netstat.
commit 3cc957a29f8c80f36bea7c5334bff3e4d9807795
Author: Miroslav Grepl <mgrepl>
Date: Mon Nov 3 10:23:52 2014 +0100
Allow nslcd to read /dev/urandom.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html |
Description of problem: authconfig generate AVC when changes environment [test]getsebool -a | grep nsswitch authlogin_nsswitch_use_ldap --> off [test]ausearch -m avc -ts recent <no matches> [test]authconfig --update --enableldap --enableldapauth --disablekrb5 --disablecache --disablenis --ldapserver my-domain.com --ldapbasedn dc=my-domain,dc=com --enableforcelegacy [test]ausearch -m avc -ts recent ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.455:1015): arch=80000015 syscall=106 success=no exit=-13 a0=3fff99aa9090 a1=3fffc1e53978 a2=3fffc1e53978 a3=0 items=0 ppid=1 pid=7819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.455:1015): avc: denied { getattr } for pid=7819 comm="nslcd" path="/dev/urandom" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.455:1016): arch=80000015 syscall=11 success=no exit=-13 a0=3fffc1e55977 a1=3fffc1e55a80 a2=1003c6c2490 a3=6e69622f items=0 ppid=7819 pid=7820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.455:1016): avc: denied { execute } for pid=7820 comm="nslcd" name="netstat" dev="dm-0" ino=136704895 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.455:1014): arch=80000015 syscall=5 success=no exit=-13 a0=3fff99aa9090 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=7819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.455:1014): avc: denied { read } for pid=7819 comm="nslcd" name="urandom" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.455:1017): arch=80000015 syscall=11 success=no exit=-13 a0=3fffc1e55973 a1=3fffc1e55a80 a2=1003c6c2490 a3=7273752f items=0 ppid=7819 pid=7820 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.455:1017): avc: denied { execute } for pid=7820 comm="nslcd" name="netstat" dev="dm-0" ino=136704895 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.455:1018): arch=80000015 syscall=5 success=no exit=-13 a0=3fff99aa9090 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=7819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.455:1018): avc: denied { read } for pid=7819 comm="nslcd" name="urandom" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file ---- time->Wed Oct 22 09:09:35 2014 type=SYSCALL msg=audit(1413983375.465:1019): arch=80000015 syscall=106 success=no exit=-13 a0=3fffc1e555f8 a1=3fffc1e55568 a2=3fffc1e55568 a3=0 items=0 ppid=1 pid=7819 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null) type=AVC msg=audit(1413983375.465:1019): avc: denied { getattr } for pid=7819 comm="nslcd" path="/etc/lvm" dev="dm-0" ino=135786857 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:lvm_etc_t:s0 tclass=dir [test]getsebool -a | grep nsswitch authlogin_nsswitch_use_ldap --> on Version-Release number of selected component (if applicable): authconfig-6.2.8-9.bs4.ppc64le How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: