Bug 164211
Summary: | Strict SELinux policy breaks /etc/init.d/ldap | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat> |
Component: | selinux-policy-strict | Assignee: | Russell Coker <rcoker> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Priority: | medium |
Version: | 4 | Hardware: | All |
OS: | Linux | Last Closed: | 2006-03-27 05:57:51 UTC |
Fixed In Version: | 1.27.1-2.1 | Doc Type: | Bug Fix |
Description
W. Michael Petullo
2005-07-25 23:13:21 UTC
Fixed in selinux-policy-targetd-1.25.3-9

selinux-policy-strict-1.26-1 and openldap-servers-2.2.26-1 fail with:

```
audit(1127000147.632:2398): avc: denied { siginh } for pid=2931 comm="ldap" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127 tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): avc: denied { rlimitinh } for pid=2931 comm="ldap" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127 tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): avc: denied { noatsecure } for pid=2931 comm="ldap" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c127 tcontext=root:system_r:initrc_t:s0-s0:c0.c127 tclass=process
audit(1127000147.632:2398): arch=40000003 syscall=11 success=yes exit=0 a0=93fc3f8 a1=941b090 a2=93fe500 a3=1 items=3 pid=2931 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ldap" exe="/bin/bash"
audit(1127000147.632:2398): cwd="/root"
audit(1127000147.632:2398): item=0 name="/etc/init.d/ldap" flags=101 inode=65960 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.632:2398): item=1 flags=101 inode=87856 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.632:2398): item=2 flags=101 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.652:2399): avc: denied { siginh } for pid=2933 comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127 tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): avc: denied { rlimitinh } for pid=2933 comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127 tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): avc: denied { noatsecure } for pid=2933 comm="consoletype" scontext=root:system_r:initrc_t:s0-s0:c0.c127 tcontext=root:system_r:consoletype_t:s0-s0:c0.c127 tclass=process
audit(1127000147.652:2399): arch=40000003 syscall=11 success=yes exit=0 a0=84f5628 a1=84f5670 a2=84f4f28 a3=0 items=2 pid=2933 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="consoletype" exe="/sbin/consoletype"
audit(1127000147.652:2399): cwd="/root"
audit(1127000147.652:2399): item=0 name="/sbin/consoletype" flags=101 inode=102505 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.652:2399): item=1 flags=101 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.992:2400): avc: denied { read write } for pid=2949 comm="slaptest" name="tty1" dev=tmpfs ino=869 scontext=root:system_r:slapd_t:s0-s0:c0.c127 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc: denied { read write } for pid=2949 comm="slaptest" name="tty1" dev=tmpfs ino=869 scontext=root:system_r:slapd_t:s0-s0:c0.c127 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc: denied { read write } for pid=2949 comm="slaptest" name="tty1" dev=tmpfs ino=869 scontext=root:system_r:slapd_t:s0-s0:c0.c127 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): avc: denied { read write } for pid=2949 comm="slaptest" name="tty1" dev=tmpfs ino=869 scontext=root:system_r:slapd_t:s0-s0:c0.c127 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
audit(1127000147.992:2400): arch=40000003 syscall=11 success=yes exit=0 a0=850f888 a1=84f5190 a2=850e118 a3=0 items=2 pid=2949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slaptest" exe="/usr/sbin/slapd"
audit(1127000147.992:2400): path="/dev/tty1"
audit(1127000147.992:2400): path="/dev/tty1"
audit(1127000147.992:2400): path="/dev/tty1"
audit(1127000147.992:2400): cwd="/root"
audit(1127000147.992:2400): item=0 name="/usr/sbin/slaptest" flags=101 inode=37360 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000147.992:2400): item=1 flags=101 inode=47854 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
audit(1127000148.244:2401): avc: denied { execute } for pid=2955 comm="bash" name="start-slapd.am2951" dev=hda2 ino=43933 scontext=root:system_r:initrc_t:s0-s0:c0.c127 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
audit(1127000148.244:2401): arch=40000003 syscall=11 success=no exit=-13 a0=8439188 a1=8439680 a2=8439210 a3=0 items=1 pid=2955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
audit(1127000148.244:2401): cwd="/root"
audit(1127000148.244:2401): item=0 name="/tmp/start-slapd.am2951" flags=101 inode=43933 dev=03:02 mode=0100700 ouid=0 ogid=0 rdev=00:00
audit(1127000148.248:2402): avc: denied { execute } for pid=2955 comm="bash" name="start-slapd.am2951" dev=hda2 ino=43933 scontext=root:system_r:initrc_t:s0-s0:c0.c127 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file
audit(1127000148.248:2402): arch=40000003 syscall=33 success=no exit=-13 a0=8439188 a1=1 a2=8439188 a3=0 items=1 pid=2955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
audit(1127000148.248:2402): cwd="/root"
audit(1127000148.248:2402): item=0 name="/tmp/start-slapd.am2951" flags=401 inode=43933 dev=03:02 mode=0100700 ouid=0 ogid=0 rdev=00:00
```

Fixed in selinux-policy-*-1.27.1-2.1