Bug 1420612

Summary: Selinux denies directory server access to create dir in var lock

Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Reporter: wibrown <wibrown>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mgrepl, mmalik, mreynolds, plautrba, pvrabec, ssekidde, wibrown
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Fixed In Version: selinux-policy-3.13.1-164.el7
Type: Bug
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 15:22:43 UTC

Description wibrown@redhat.com 2017-02-09 04:46:53 UTC
Description of problem:
[william@victoria]~/development/389ds% sudo ausearch -ts recent | grep -i deni
type=AVC msg=audit(1486614952.326:3591): avc:  denied  { setrlimit } for  pid=28259 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(1486614952.694:3641): avc:  denied  { create } for  pid=28259 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1486614981.494:3649): avc:  denied  { setrlimit } for  pid=28285 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(1486614981.787:3656): avc:  denied  { create } for  pid=28285 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1486615311.083:8192): avc:  denied  { setrlimit } for  pid=28420 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(1486615311.459:8242): avc:  denied  { create } for  pid=28420 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1486615465.524:12908): avc:  denied  { setrlimit } for  pid=28596 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(1486615465.918:12958): avc:  denied  { create } for  pid=28596 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir


Directory Server needs the ability to create the directories in var_lock_t (/var/lock/dirsrv/)

Please add the policy to dirsrv.te to allow this.

Comment 1 Milos Malik 2017-02-09 07:49:46 UTC
Could you switch the dirsrv_t domain to permissive, re-run your scenario and collect SELinux denials?

# semanage permissive -a dirsrv_t
(re-run your scenario)
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Please attach the output of the last command here.

Comment 2 Milos Malik 2017-02-09 08:06:30 UTC
The /var/lock/dirsrv directory should be labeled dirsrv_var_lock_t:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# matchpathcon /var/lock/dirsrv
/var/lock/dirsrv	system_u:object_r:dirsrv_var_lock_t:s0
# 

But an appropriate type transition rule for a newly created directory is missing (true for RHEL-7.2, RHEL-7.3 and RHEL-7.4 nightly):

# sesearch -s dirsrv_t -t var_lock_t -T
Found 1 semantic te rules:
   type_transition dirsrv_t var_lock_t : file dirsrv_var_lock_t; 

#

As you can see, the directory does not exist after installation (yum -y install /var/lock/dirsrv):

# rpm -qf /var/lock/dirsrv
389-ds-base-1.3.4.0-19.el7.x86_64
# ls -dZ /var/lock/dirsrv
ls: cannot access /var/lock/dirsrv: No such file or directory
#

This needs to be fixed in selinux-policy. The request from comment#1 should reveal additional SELinux denials.

Comment 3 wibrown@redhat.com 2017-02-09 08:08:08 UTC
That is permissive. 

[root@victoria]/home/william/development/389ds/lib389# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today | grep -i dirsrv_t | grep avc
type=AVC msg=audit(09/02/17 14:35:52.326:3591) : avc:  denied  { setrlimit } for  pid=28259 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 14:35:52.694:3641) : avc:  denied  { create } for  pid=28259 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 14:36:21.494:3649) : avc:  denied  { setrlimit } for  pid=28285 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 14:36:21.787:3656) : avc:  denied  { create } for  pid=28285 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 14:41:51.083:8192) : avc:  denied  { setrlimit } for  pid=28420 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 14:41:51.459:8242) : avc:  denied  { create } for  pid=28420 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 14:44:25.524:12908) : avc:  denied  { setrlimit } for  pid=28596 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 14:44:25.918:12958) : avc:  denied  { create } for  pid=28596 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 14:48:32.976:17642) : avc:  denied  { setrlimit } for  pid=28775 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 14:48:33.329:17692) : avc:  denied  { create } for  pid=28775 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 18:01:40.173:22567) : avc:  denied  { setrlimit } for  pid=30331 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process 
type=AVC msg=audit(09/02/17 18:01:40.579:22617) : avc:  denied  { create } for  pid=30331 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir 
type=AVC msg=audit(09/02/17 18:02:50.646:22846) : avc:  denied  { create } for  pid=30424 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
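The diagnosis in comment 2 turns on one detail of the denials above: the `create` check on a new directory is made against the label the new object is going to carry, and that label is `var_lock_t` (the parent's type) because the existing `type_transition` only covers class `file`. A tool that only emits `allow` rules from denials (audit2allow style) would therefore propose `allow dirsrv_t var_lock_t:dir create`, which makes the daemon's lock directory carry the shared `/var/lock` label that `matchpathcon` says it should not have. The script below is an added example, not code from this bug, from 389-ds or from selinux-policy: it collapses repeated AVC lines to distinct (source type, target type, class) tuples, and for `create` denials where the file contexts expect a private type it proposes a transition instead of a blanket allow. The sample log lines are constructed from the denials in this bug (both raw audit and `ausearch -i` form, plus one made-up SYSCALL line to show non-AVC records are skipped); the expected-label mapping `dirsrv_t + var_lock_t:dir -> dirsrv_var_lock_t` is taken from the `matchpathcon` output in comment 2, and the function and variable names are the example's own.

```python
"""
Triage SELinux AVC denials the way a policy maintainer reads them:
collapse repeated denials into distinct (source type, target type, class)
tuples, then propose candidate rules. A 'create' denial whose target type
is the parent directory's type (var_lock_t here) means no type_transition
fired, so the fix is a transition to the private type the file contexts
expect, not an allow rule on the shared type.
"""
import re
from collections import defaultdict

# Constructed sample input: the denial shapes from this bug in raw audit form
# and in `ausearch -i` form (unquoted values, human-readable timestamp), plus
# one constructed SYSCALL record (syscall 83 = mkdir on x86_64, exit -13 = EACCES).
SAMPLE_AVC = """\
type=AVC msg=audit(1486614952.326:3591): avc:  denied  { setrlimit } for  pid=28259 comm="ns-slapd" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(1486614952.694:3641): avc:  denied  { create } for  pid=28259 comm="ns-slapd" name="imports" scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(09/02/17 14:36:21.494:3649) : avc:  denied  { setrlimit } for  pid=28285 comm=ns-slapd scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process
type=AVC msg=audit(09/02/17 14:36:21.787:3656) : avc:  denied  { create } for  pid=28285 comm=ns-slapd name=imports scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1486614952.694:3641): arch=c000003e syscall=83 success=no exit=-13 comm="ns-slapd"
"""

# 'avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type; the type is always the third field,
    so MLS ranges such as s0-s0:c0.c1023 do not disturb it."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {
        'perms': frozenset(m.group('perms').split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields.get('tclass', '?'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def summarize(log_text):
    """Collapse denials to {(stype, ttype, tclass): set(perms)}."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            summary[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(summary)


def propose_rules(summary, expected_labels):
    """
    expected_labels: {(domain, parent_type, tclass): private_type}, the label the
    file contexts (matchpathcon) say a new object under that parent should get.
    For a 'create' denial on such a tuple, emit a type_transition plus 'create'
    on the new type, since SELinux checks 'create' against the label the new
    object will carry. Everything else becomes an ordinary allow rule.
    """
    rules = []
    for key, perms in sorted(summary.items()):
        stype, ttype, tclass = key
        if 'create' in perms and key in expected_labels:
            new_t = expected_labels[key]
            rules.append(f'type_transition {stype} {ttype}:{tclass} {new_t};')
            rules.append(f'allow {stype} {new_t}:{tclass} create;')
            perms = perms - {'create'}
            if not perms:
                continue
        target = 'self' if stype == ttype else ttype
        rules.append(f'allow {stype} {target}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return rules


if __name__ == '__main__':
    # Assumption: the private label comes from comment 2's matchpathcon output.
    expected = {('dirsrv_t', 'var_lock_t', 'dir'): 'dirsrv_var_lock_t'}
    for rule in propose_rules(summarize(SAMPLE_AVC), expected):
        print(rule)
```

The output rules are candidates for review against the loaded policy (`sesearch`, as in comment 2), not a finished module: once the transition fires, the domain still needs the parent-directory permissions (`add_name`, `write`, `search` on `var_lock_t:dir`) that a permissive-mode run, as asked for in comment 1, would surface. In a refpolicy-based policy such as RHEL's, the transition is normally written through the `files_lock_filetrans()` interface with both `dir` and `file` classes rather than as a raw `type_transition` statement.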

Comment 8 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861