Bug 1206339

Summary: SELinux prevents /usr/sbin/slappasswd from 'execmod' accesses on the file /usr/sbin/slapadd.
Product: Red Hat Enterprise Linux 7
Reporter: Hong Xu <hong>
Component: selinux-policy
Assignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: fweimer, lvrabec, mgrepl, mmalik, omajid, plautrba, pvrabec, sreber, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 02:18:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Hong Xu 2015-03-26 20:01:39 UTC
Description of problem:

When installing slapd on a Debian system in an SELinux-enabled Docker container, SELinux prevents slappasswd from 'execmod' accesses.

/var/log/audit/audit.log:type=AVC msg=audit(1427399438.232:448): avc:  denied  { execmod } for  pid=4483 comm="slappasswd" path="/usr/sbin/slappasswd" dev="dm-2" ino=399582 scontext=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c263,c493 tclass=fil

Version-Release number of selected component (if applicable):
3.13.1-23.el7

How reproducible:

sudo yum install docker
sudo systemctl start docker
sudo docker run --rm -t -i debian /bin/bash
(Now we are on the container's shell)
apt-get update && apt-get install -y slapd
(You should be prompted with some questions; just fill them in with arbitrary answers)

You should then have the SELinux error.

Actual results:

The container shell outputs:

slappasswd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
  Creating initial configuration... Loading the initial configuration from the ldif file () failed with
the following error while running slapadd:
    slapadd: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied

----
SELinux audit log:

/var/log/audit/audit.log:type=AVC msg=audit(1427399438.232:448): avc:  denied  { execmod } for  pid=4483 comm="slappasswd" path="/usr/sbin/slappasswd" dev="dm-2" ino=399582 scontext=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c263,c493 tclass=fil

----

SETroubleshoot Details:

SELinux is preventing /usr/sbin/slappasswd from execmod access on the file /usr/sbin/slapadd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that slappasswd should be allowed execmod access on the slapadd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep slappasswd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_lxc_net_t:s0:c263,c493
Target Context                system_u:object_r:svirt_sandbox_file_t:s0:c263,c493
Target Objects                /usr/sbin/slapadd [ file ]
Source                        slappasswd
Source Path                   /usr/sbin/slappasswd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-229.1.2.el7.x86_64 #1 SMP Fri Mar 6 17:12:08 EST 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-03-26 15:50:38 EDT
Last Seen                     2015-03-26 15:50:38 EDT
Local ID                      339bb4ee-3f70-4d05-a167-532ba2130837

Raw Audit Messages
type=AVC msg=audit(1427399438.272:449): avc:  denied  { execmod } for  pid=4511 comm="slapadd" path="/usr/sbin/slapadd" dev="dm-2" ino=399582 scontext=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c263,c493 tclass=file


type=SYSCALL msg=audit(1427399438.272:449): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fd20489e000 a1=12a000 a2=5 a3=7fd203eb9428 items=0 ppid=4461 pid=4511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=slapadd exe=/usr/sbin/slapadd subj=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 key=(null)

Hash: slappasswd,svirt_lxc_net_t,svirt_sandbox_file_t,file,execmod

----

Additional info:

This seems to have been fixed in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1129706

Maybe backporting the fix should be enough.
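
As an added example (not part of this bug report, and not code from selinux-policy or setroubleshoot), the following Python snippet parses the two raw audit records quoted above, joins the AVC record to its SYSCALL record through the shared event id (1427399438.272:449), and reports each execmod denial together with the mprotect protection bits the process asked for. The sample records are copied from the report's "Raw Audit Messages"; the field names follow the audit record format shown there, and PROT_EXEC is the mprotect(2) constant. This is the check a defender runs before deciding whether an execmod denial is expected (a library with text relocations) or worth a closer look.

```python
"""
Parse Linux audit AVC records and correlate them with their SYSCALL records.

Added example, not part of the bug report or of selinux-policy. The two records
below are constructed from the lines quoted in the report (same event id
1427399438.272:449) so that the correlation can be shown offline.
"""
import re

# Constructed sample input: the two records from the report's "Raw Audit Messages".
SAMPLE_LOG = """\
type=AVC msg=audit(1427399438.272:449): avc:  denied  { execmod } for  pid=4511 comm="slapadd" path="/usr/sbin/slapadd" dev="dm-2" ino=399582 scontext=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c263,c493 tclass=file
type=SYSCALL msg=audit(1427399438.272:449): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7fd20489e000 a1=12a000 a2=5 a3=7fd203eb9428 items=0 ppid=4461 pid=4511 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=slapadd exe=/usr/sbin/slapadd subj=system_u:system_r:svirt_lxc_net_t:s0:c263,c493 key=(null)
"""

# "type=X msg=audit(SECONDS.MILLIS:SERIAL): <body>"; the event id is SECONDS.MILLIS:SERIAL.
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$')
# key=value pairs; values may be double-quoted (comm, path) or bare (pid, scontext).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# AVC prefix: 'avc:  denied  { perm1 perm2 } for  <key=value ...>'
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')

PROT_EXEC = 0x4  # mprotect(2) protection bit for executable mappings


def parse_record(line):
    """Turn one audit line into a dict, or return None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "event": m["event"]}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = a["perms"].split()
        body = a["rest"]
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    """Parse every line of an audit.log excerpt, dropping lines that are not records."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def execmod_denials(records):
    """One summary per execmod denial, joined with its SYSCALL record by event id."""
    syscalls = {r["event"]: r for r in records if r["type"] == "SYSCALL"}
    found = []
    for r in records:
        if r["type"] != "AVC" or r["result"] != "denied" or "execmod" not in r["perms"]:
            continue
        sc = syscalls.get(r["event"], {})
        prot = int(sc.get("a2", "0"), 16)  # syscall args are logged in hex
        found.append({
            "event": r["event"],
            "comm": r.get("comm"),
            "path": r.get("path"),
            "source_type": r["scontext"].split(":")[2],   # e.g. svirt_lxc_net_t
            "target_type": r["tcontext"].split(":")[2],   # e.g. svirt_sandbox_file_t
            "syscall": sc.get("syscall"),
            "wants_exec": bool(prot & PROT_EXEC),
        })
    return found


if __name__ == "__main__":
    for d in execmod_denials(parse_log(SAMPLE_LOG)):
        print(f"{d['event']}: {d['comm']} ({d['source_type']}) execmod on {d['path']} "
              f"({d['target_type']}) via {d['syscall']}, PROT_EXEC={d['wants_exec']}")
```

Run against a real /var/log/audit/audit.log, the same join tells you which binary asked for an executable mapping over a file it had already written to (the situation behind "cannot restore segment prot after reloc"), which is the information needed to decide between fixing the policy, as the errata did, and relinking the offending library.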

Comment 15 errata-xmlrpc 2016-11-04 02:18:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html