Bug 1420612
Summary: | Selinux denies directory server access to create dir in var lock | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | wibrown <wibrown> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.2 | CC: | lvrabec, mgrepl, mmalik, mreynolds, plautrba, pvrabec, ssekidde, wibrown |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-164.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 15:22:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
wibrown@redhat.com
2017-02-09 04:46:53 UTC
Could you switch the dirsrv_t domain to permissive, re-run your scenario and collect SELinux denials?

```
# semanage permissive -a dirsrv_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
```

Please attach the output of the last command here.

The /var/lock/dirsrv directory should be labeled dirsrv_var_lock_t:

```
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# matchpathcon /var/lock/dirsrv
/var/lock/dirsrv	system_u:object_r:dirsrv_var_lock_t:s0
#
```

But an appropriate type transition rule for a newly created directory is missing (true for RHEL-7.2, RHEL-7.3 and RHEL-7.4 nightly):

```
# sesearch -s dirsrv_t -t var_lock_t -T
Found 1 semantic te rules:
   type_transition dirsrv_t var_lock_t : file dirsrv_var_lock_t;
#
```

As you can see, the directory does not exist after installation (yum -y install /var/lock/dirsrv):

```
# rpm -qf /var/lock/dirsrv
389-ds-base-1.3.4.0-19.el7.x86_64
# ls -dZ /var/lock/dirsrv
ls: cannot access /var/lock/dirsrv: No such file or directory
#
```

This needs to be fixed in selinux-policy.

The request from comment#1 should reveal additional SELinux denials.

That is permissive.

```
[root@victoria]/home/william/development/389ds/lib389# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today | grep -i dirsrv_t | grep avc
type=AVC msg=audit(09/02/17 14:35:52.326:3591) : avc: denied { setrlimit } for pid=28259 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:35:52.694:3641) : avc: denied { create } for pid=28259 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:36:21.494:3649) : avc: denied { setrlimit } for pid=28285 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:36:21.787:3656) : avc: denied { create } for pid=28285 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:41:51.083:8192) : avc: denied { setrlimit } for pid=28420 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:41:51.459:8242) : avc: denied { create } for pid=28420 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:44:25.524:12908) : avc: denied { setrlimit } for pid=28596 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:44:25.918:12958) : avc: denied { create } for pid=28596 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:48:32.976:17642) : avc: denied { setrlimit } for pid=28775 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:48:33.329:17692) : avc: denied { create } for pid=28775 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 18:01:40.173:22567) : avc: denied { setrlimit } for pid=30331 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 18:01:40.579:22617) : avc: denied { create } for pid=30331 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 18:02:50.646:22846) : avc: denied { create } for pid=30424 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
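The `ausearch -i` output above is the raw material for deciding whether a denial is a missing allow rule or, as here, a missing type transition. The following added example (not code from the bug report, from 389-ds or from selinux-policy) parses AVC records in that format, aggregates them by source type, target type, object class and permission, and flags `create` denials on `dir`/`file` whose target context is a generic parent-directory type. That flag is a heuristic, not a policy query: for a `create` check the target context is the label the new object would receive, so a target of `var_lock_t` rather than `dirsrv_var_lock_t` is consistent with the `type_transition` for class `dir` being absent, which is exactly what the `sesearch -T` output in the report shows. The sample lines are constructed test input adapted from the denials quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in `ausearch -i` format, adapted from the denials quoted
# in the report. Not live audit data.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(09/02/17 14:35:52.326:3591) : avc: denied { setrlimit } for pid=28259 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:35:52.694:3641) : avc: denied { create } for pid=28259 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:36:21.494:3649) : avc: denied { setrlimit } for pid=28285 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:36:21.787:3656) : avc: denied { create } for pid=28285 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 18:02:50.646:22846) : avc: denied { create } for pid=30424 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
"""

# `ausearch -i` prints "avc:  denied  { perm ... }" with one or two spaces;
# the regex tolerates either.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc: +denied +\{ (?P<perms>[^}]*) \} for (?P<rest>.*)"
)


def _type_of(context):
    """system_u:object_r:var_lock_t:s0 -> var_lock_t"""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record; return a dict of the fields we triage on, or None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return {
        "stamp": m.group("stamp"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize(text):
    """Count denials per (source type, target type, class, permission)
    and remember which pids produced each one."""
    counts = Counter()
    pids = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            counts[key] += 1
            pids[key].add(rec["pid"])
    return counts, pids


def suspected_missing_transitions(text):
    """Heuristic: a `create` denial on a dir or file whose target type is the
    parent directory's generic type suggests no type_transition fired for that
    class. Returns sorted (stype, target type, class, name) tuples; confirm each
    with `sesearch -s <stype> -t <target type> -T` on the affected host."""
    found = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and "create" in rec["perms"] and rec["tclass"] in ("dir", "file"):
            found.add((rec["stype"], rec["ttype"], rec["tclass"], rec["name"]))
    return sorted(found)


if __name__ == "__main__":
    counts, pids = summarize(SAMPLE_AVC_LINES)
    for key, n in sorted(counts.items()):
        stype, ttype, tclass, perm = key
        print(f"{n:3d}x  {stype} -> {ttype} {tclass} {{ {perm} }}  pids={sorted(pids[key])}")
    for stype, ttype, tclass, name in suspected_missing_transitions(SAMPLE_AVC_LINES):
        print(f"check: sesearch -s {stype} -t {ttype} -T   (creating {tclass} '{name}')")
```

Run it against a file saved from `ausearch -m avc -i` to get a per-rule count instead of hundreds of near-identical lines; the `setrlimit` denial on `process` stays a separate bucket, which makes it obvious that the report contains two distinct policy gaps rather than one.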