Bug 166456
Summary: | Strict policy breaks slapd TLS | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat>
Component: | selinux-policy-strict | Assignee: | Russell Coker <rcoker>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4 | |
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Fixed In Version: | 1.27.1-2.1 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Last Closed: | 2006-03-27 05:56:43 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Description
W. Michael Petullo
2005-08-21 22:16:03 UTC
First off you are doing all this as staff_t? You never transitioned to sysadm_t? You must be running in permissive mode. ldap never transitions because you are not sysadm_t.

I had logged in using ssh. Here is the output when slapd is started from a console:

```text
audit(1125109138.379:13013285): avc: denied { read } for pid=2067 comm="find" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.379:13013285): arch=40000003 syscall=5 success=no exit=-13 a0=8055e6a a1=8000 a2=0 a3=8000 items=1 pid=2067 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1125109138.379:13013285): cwd="/etc/pki/tls/certs"
audit(1125109138.379:13013285): item=0 name="." flags=101 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.381:13013319): avc: denied { read } for pid=2067 comm="find" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.381:13013319): arch=40000003 syscall=5 success=no exit=-13 a0=8055e6a a1=28000 a2=0 a3=28000 items=1 pid=2067 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1125109138.381:13013319): cwd="/etc/pki/tls/certs"
audit(1125109138.381:13013319): item=0 name="." flags=100 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.448:13013872): avc: denied { read } for pid=2072 comm="sh" name="ca-bundle.crt" dev=hda2 ino=87828 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=file
audit(1125109138.448:13013872): arch=40000003 syscall=33 success=no exit=-13 a0=8411358 a1=4 a2=1 a3=84113c0 items=1 pid=2072 auid=0 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.448:13013872): cwd="/etc/pki/tls/certs"
audit(1125109138.448:13013872): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" flags=401 inode=87828 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
audit(1125109138.483:13014218): avc: denied { read } for pid=2074 comm="sh" name="slapd.pem" dev=hda2 ino=58671 scontext=root:system_r:initrc_t tcontext=root:object_r:cert_t tclass=file
audit(1125109138.483:13014218): arch=40000003 syscall=33 success=no exit=-13 a0=9fd3358 a1=4 a2=1 a3=9fd33c0 items=1 pid=2074 auid=0 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.483:13014218): cwd="/etc/pki/tls/certs"
audit(1125109138.483:13014218): item=0 name="/etc/pki/tls/certs/slapd.pem" flags=401 inode=58671 dev=03:02 mode=0100640 ouid=0 ogid=55 rdev=00:00
audit(1125109138.518:13014577): avc: denied { read } for pid=2076 comm="sh" name="slapd.pem" dev=hda2 ino=58671 scontext=root:system_r:initrc_t tcontext=root:object_r:cert_t tclass=file
audit(1125109138.518:13014577): arch=40000003 syscall=33 success=no exit=-13 a0=898a358 a1=4 a2=1 a3=898a3c0 items=1 pid=2076 auid=0 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.518:13014577): cwd="/etc/pki/tls/certs"
audit(1125109138.518:13014577): item=0 name="/etc/pki/tls/certs/slapd.pem" flags=401 inode=58671 dev=03:02 mode=0100640 ouid=0 ogid=55 rdev=00:00
audit(1125109138.690:13015465): avc: denied { read } for pid=2083 comm="chmod" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.690:13015465): arch=40000003 syscall=5 success=no exit=-13 a0=804ed6f a1=8000 a2=0 a3=8000 items=1 pid=2083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chmod" exe="/bin/chmod"
audit(1125109138.690:13015465): cwd="/etc/pki/tls/certs"
audit(1125109138.690:13015465): item=0 name="." flags=101 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.733:13015799): avc: denied { search } for pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.733:13015799): arch=40000003 syscall=5 success=no exit=-13 a0=890d580 a1=0 a2=1b6 a3=890d068 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.733:13015799): cwd="/etc/pki/tls/certs"
audit(1125109138.733:13015799): item=0 name="/root/ldaprc" flags=101 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.735:13015800): avc: denied { search } for pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.735:13015800): arch=40000003 syscall=5 success=no exit=-13 a0=890d580 a1=0 a2=1b6 a3=890d068 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.735:13015800): cwd="/etc/pki/tls/certs"
audit(1125109138.735:13015800): item=0 name="/root/.ldaprc" flags=101 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.754:13015941): avc: denied { search } for pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.754:13015941): arch=40000003 syscall=5 success=no exit=-13 a0=890e6c0 a1=0 a2=1b6 a3=890ed68 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.754:13015941): cwd="/etc/pki/tls/certs"
audit(1125109138.754:13015941): item=0 name="/root/ldaprc" flags=101 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.756:13015942): avc: denied { search } for pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.756:13015942): arch=40000003 syscall=5 success=no exit=-13 a0=890e6c0 a1=0 a2=1b6 a3=890ed68 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.756:13015942): cwd="/etc/pki/tls/certs"
audit(1125109138.756:13015942): item=0 name="/root/.ldaprc" flags=101 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
```

Fixed in selinux-policy-*-1.27.1-2.1
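As an added triage example (not part of the bug report): a small Python parser that groups the AVC denials quoted above by source type, target type and object class, renders the allow rules an audit2allow-style tool would propose, and separately flags the /root denial, whose default_t target context points at a mislabeled directory rather than a missing rule. The sample records are copied from the log above; MISLABEL_TYPES and the function names are assumptions of this example.

```python
import re
# Constructed sample: one record per distinct denial in the AVC output quoted above.
SAMPLE_AUDIT = """\
audit(1125109138.379:13013285): avc: denied { read } for pid=2067 comm="find" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.448:13013872): avc: denied { read } for pid=2072 comm="sh" name="ca-bundle.crt" dev=hda2 ino=87828 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=file
audit(1125109138.483:13014218): avc: denied { read } for pid=2074 comm="sh" name="slapd.pem" dev=hda2 ino=58671 scontext=root:system_r:initrc_t tcontext=root:object_r:cert_t tclass=file
audit(1125109138.733:13015799): avc: denied { search } for pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.733:13015799): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2084 comm="slapd" exe="/usr/sbin/slapd"
"""

# Only "avc: denied" records carry the access vector; SYSCALL/CWD/PATH records do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed set: these target types mean the object is mislabeled, so relabel instead of allowing.
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}

def parse_avc(line):
    """Return the denial fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            groups.setdefault(key, set()).update(rec["perms"])
    return groups

def allow_rules(groups):
    """Render each group as the allow rule a tool such as audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]

def mislabeled_targets(groups):
    """Keys whose target type signals a labeling problem rather than a policy gap."""
    return [key for key in sorted(groups) if key[1] in MISLABEL_TYPES]
```

Run over the full log, the initrc_t denials collapse to two rules on cert_t, while the slapd_t denial on default_t is reported as a labeling problem.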