Bug 164211

Summary: Strict SELinux policy breaks /etc/init.d/ldap
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <redhat>
Component: selinux-policy-strict
Assignee: Russell Coker <rcoker>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 1.27.1-2.1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2006-03-27 05:57:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description W. Michael Petullo 2005-07-25 23:13:21 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.8) Gecko/20050513 Epiphany/1.6.3

Description of problem:
The strict SELinux policy breaks /etc/init.d/ldap.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1.  Load the strict SELinux policy in strict mode.
2.  /etc/init.d/ldap start.

Actual Results:
Jul 25 17:33:17 golem kernel: audit(1122330797.327:244): avc:  denied  { read } for  pid=4445 comm="find" name="policy" dev=hda2 ino=63919 scontext=root:system_r:initrc_t tcontext=system_u:object_r:policy_src_t tclass=dir
Jul 25 17:33:17 golem kernel: audit(1122330797.522:245): avc:  denied  { execute } for  pid=4455 comm="ldap" name="start-slapd.EN4451" dev=hda2 ino=47457 scontext=root:system_r:initrc_t tcontext=root:object_r:initrc_tmp_t tclass=file
Jul 25 17:33:17 golem kernel: audit(1122330797.523:246): avc:  denied  { execute_no_trans } for  pid=4455 comm="ldap" name="start-slapd.EN4451" dev=hda2 ino=47457 scontext=root:system_r:initrc_t tcontext=root:object_r:initrc_tmp_t tclass=file
Jul 25 17:33:17 golem kernel: audit(1122330797.554:247): avc:  denied  { search } for  pid=4455 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
Jul 25 17:39:50 golem kernel: audit(1122331190.640:263): avc:  denied  { search } for  pid=4576 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.262:264): avc:  denied  { read } for  pid=4601 comm="find" name="policy" dev=hda2 ino=63919 scontext=root:system_r:initrc_t tcontext=system_u:object_r:policy_src_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.264:265): avc:  denied  { read } for  pid=4601 comm="find" name="policy" dev=hda2 ino=63919 scontext=root:system_r:initrc_t tcontext=system_u:object_r:policy_src_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.451:266): avc:  denied  { read } for  pid=4610 comm="chmod" name="policy" dev=hda2 ino=63919 scontext=root:system_r:initrc_t tcontext=system_u:object_r:policy_src_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.490:267): avc:  denied  { search } for  pid=4611 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.490:268): avc:  denied  { search } for  pid=4611 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.502:269): avc:  denied  { search } for  pid=4611 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
Jul 25 17:40:09 golem kernel: audit(1122331209.503:270): avc:  denied  { search } for  pid=4611 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir

Expected Results:  Slapd should start up.

Additional info:

The following additions to the policy allow slapd to start:

allow initrc_t initrc_tmp_t:file { execute execute_no_trans };
allow initrc_t policy_src_t:dir read;

Although, it may make more sense to refactor /etc/init.d/ldap so that it does not create this temporary script.
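The two allow rules above can be derived mechanically from the AVC lines in the log, which is what audit2allow does. The following Python is an added example, not code from the bug report or from the policy package: it parses one audit record per line (the dmesg format the reporter pasted; the type is the third field of a context, so the MLS-suffixed contexts in the later comment parse as well), merges permissions per (source type, target type, object class), and flags any rule that grants an init script execute on a tmp type, which is the case the reporter suggests refactoring away rather than allowing. The sample log lines are copied from the report; the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: three of the AVC denials quoted in this bug report
# (dmesg format, one record per line, as the reporter pasted them).
SAMPLE_LOG = """\
Jul 25 17:33:17 golem kernel: audit(1122330797.327:244): avc:  denied  { read } for  pid=4445 comm="find" name="policy" dev=hda2 ino=63919 scontext=root:system_r:initrc_t tcontext=system_u:object_r:policy_src_t tclass=dir
Jul 25 17:33:17 golem kernel: audit(1122330797.522:245): avc:  denied  { execute } for  pid=4455 comm="ldap" name="start-slapd.EN4451" dev=hda2 ino=47457 scontext=root:system_r:initrc_t tcontext=root:object_r:initrc_tmp_t tclass=file
Jul 25 17:33:17 golem kernel: audit(1122330797.523:246): avc:  denied  { execute_no_trans } for  pid=4455 comm="ldap" name="start-slapd.EN4451" dev=hda2 ino=47457 scontext=root:system_r:initrc_t tcontext=root:object_r:initrc_tmp_t tclass=file
"""

# One AVC denial record: permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # syscall/cwd/path records carry no denial; skip them
        # A context is user:role:type[:mls]; the type is always the third field.
        src = m.group("scontext").split(":")[2]
        tgt = m.group("tcontext").split(":")[2]
        yield src, tgt, m.group("tclass"), set(m.group("perms").split())


def allow_rules(log_text):
    """Merge denials into one allow rule per (source, target, class), audit2allow-style."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


def needs_review(rule):
    """True for rules letting a domain execute files of a *_tmp_t type: rather than
    widening policy, the report suggests fixing the init script that writes the file."""
    return "_tmp_t:file" in rule and "execute" in rule


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(("REVIEW  " if needs_review(rule) else "        ") + rule)
```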

Comment 1 Daniel Walsh 2005-07-28 16:45:11 UTC
Fixed in selinux-policy-targetd-1.25.3-9

Comment 2 W. Michael Petullo 2005-09-17 23:40:46 UTC
selinux-policy-strict-1.26-1 and openldap-servers-2.2.26-1 fail with:

audit(1127000147.632:2398): avc:  denied  { siginh } for  pid=2931 comm="ldap"
scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127
tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): avc:  denied  { rlimitinh } for  pid=2931
comm="ldap" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127
tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): avc:  denied  { noatsecure } for  pid=2931
comm="ldap" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127
tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): arch=40000003 syscall=11 success=yes exit=0
a0=93fc3f8 a1=941b090 a2=93fe500 a3=1 items=3 pid=2931 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ldap" exe="/bin/bash"
audit(1127000147.632:2398):  cwd="/root"
audit(1127000147.632:2398): item=0 name="/etc/init.d/ldap" flags=101
 inode=65960 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.632:2398): item=1 flags=101
 inode=87856 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.632:2398): item=2 flags=101
 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.652:2399): avc:  denied  { siginh } for  pid=2933
comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127
tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): avc:  denied  { rlimitinh } for  pid=2933
comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127
tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): avc:  denied  { noatsecure } for
pid=2933 comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127
tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): arch=40000003 syscall=11 success=yes exit=0
a0=84f5628 a1=84f5670 a2=84f4f28 a3=0 items=2 pid=2933 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="consoletype" exe="/sbin/consoletype"
audit(1127000147.652:2399):  cwd="/root"
audit(1127000147.652:2399): item=0 name="/sbin/consoletype" flags=101
 inode=102505 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.652:2399): item=1 flags=101
 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.992:2400): avc:  denied  { read write } for  pid=2949
comm="slaptest" name="tty1" dev=tmpfs ino=869
scontext=root:system_r:slapd_t:s0-s0:c0.c127
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc:  denied  { read write } for  pid=2949
comm="slaptest" name="tty1" dev=tmpfs ino=869
scontext=root:system_r:slapd_t:s0-s0:c0.c127
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc:  denied  { read write } for  pid=2949
comm="slaptest" name="tty1" dev=tmpfs ino=869
scontext=root:system_r:slapd_t:s0-s0:c0.c127
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc:  denied  { read write } for  pid=2949
comm="slaptest" name="tty1" dev=tmpfs ino=869
scontext=root:system_r:slapd_t:s0-s0:c0.c127
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): arch=40000003 syscall=11 success=yes exit=0
a0=850f888 a1=84f5190 a2=850e118 a3=0 items=2 pid=2949 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slaptest" exe="/usr/sbin/slapd"
audit(1127000147.992:2400):  path="/dev/tty1"
audit(1127000147.992:2400):  path="/dev/tty1"
audit(1127000147.992:2400):  path="/dev/tty1"
audit(1127000147.992:2400):  cwd="/root"
audit(1127000147.992:2400): item=0 name="/usr/sbin/slaptest" flags=101
 inode=37360 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.992:2400): item=1 flags=101
 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000148.244:2401): avc:  denied  { execute } for  pid=2955 comm="bash"
name="start-slapd.am2951" dev=hda2 ino=43933
scontext=root:system_r:initrc_t:s0-s0:c0.c127
tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
audit(1127000148.244:2401): arch=40000003 syscall=11 success=no exit=-13
a0=8439188 a1=8439680 a2=8439210 a3=0 items=1 pid=2955 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
audit(1127000148.244:2401):  cwd="/root"
audit(1127000148.244:2401): item=0 name="/tmp/start-slapd.am2951" flags=101
 inode=43933 dev=03:02 mode=0100700 ouid=0 ogid=0 rdev=00:00
audit(1127000148.248:2402): avc:  denied  { execute } for  pid=2955 comm="bash"
name="start-slapd.am2951" dev=hda2 ino=43933
scontext=root:system_r:initrc_t:s0-s0:c0.c127
tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
audit(1127000148.248:2402): arch=40000003 syscall=33 success=no exit=-13
a0=8439188 a1=1 a2=8439188 a3=0 items=1 pid=2955 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
audit(1127000148.248:2402):  cwd="/root"
audit(1127000148.248:2402): item=0 name="/tmp/start-slapd.am2951" flags=401
 inode=43933 dev=03:02 mode=0100700 ouid=0 ogid=0 rdev=00:00

Comment 3 Daniel Walsh 2005-09-19 20:20:35 UTC
Fixed in selinux-policy-*-1.27.1-2.1