Bug 166456

Summary: Strict policy breaks slapd TLS
Product: Fedora
Version: 4
Component: selinux-policy-strict
Reporter: W. Michael Petullo <redhat>
Assignee: Russell Coker <rcoker>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Fixed In Version: 1.27.1-2.1
Doc Type: Bug Fix
Last Closed: 2006-03-27 05:56:43 UTC

Description W. Michael Petullo 2005-08-21 22:16:03 UTC
Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

Steps to Reproduce:
1. Configure slapd.conf to use TLS:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

2. Create a TLS certificate:
cd /etc/pki/tls/certs
make slapd.pem
chgrp ldap slapd.pem
chmod g+r slapd.pem

3. Attempt to start slapd.

Actual results:
audit(1124661503.060:12363709): avc:  denied  { read } for  pid=20973
comm="find" name="certs" dev=hda2 ino=62603 scontext=root:staff_r:staff_t
tcontext=system_u:object_r:cert_t tclass=dir
audit(1124661503.060:12363709): arch=40000003 syscall=5 success=yes exit=3
a0=8055e6a a1=8000 a2=0 a3=8000 items=1 pid=20973 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1124661503.060:12363709):  cwd="/etc/pki/tls/certs"
audit(1124661503.060:12363709): item=0 name="." flags=101
 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1124661503.062:12363716): avc:  denied  { dac_override } for  pid=20973
comm="find" capability=1 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
audit(1124661503.062:12363716): arch=40000003 syscall=5 success=yes exit=4
a0=bf8a9c3f a1=18800 a2=bf8a9c36 a3=e items=1 pid=20973 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1124661503.062:12363716):  cwd="/var/lib"
audit(1124661503.062:12363716): item=0 name="ldap/" flags=103
 inode=15183 dev=03:02 mode=040700 ouid=55 ogid=55 rdev=00:00
audit(1124661503.119:12364180): avc:  denied  { setuid } for  pid=20978
comm="runuser" capability=7 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
audit(1124661503.119:12364180): arch=40000003 syscall=213 success=yes exit=0
a0=37 a1=a46ff4 a2=0 a3=8a00d40 items=0 pid=20978 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="runuser" exe="/sbin/runuser"
audit(1124661503.130:12364281): avc:  denied  { read } for  pid=20978 comm="sh"
name="ca-bundle.crt" dev=hda2 ino=87828 scontext=root:staff_r:staff_t
tcontext=system_u:object_r:cert_t tclass=file
audit(1124661503.130:12364281): arch=40000003 syscall=33 success=yes exit=0
a0=9d32540 a1=4 a2=1 a3=9d325a8 items=1 pid=20978 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1124661503.130:12364281):  cwd="/etc/pki/tls/certs"
audit(1124661503.130:12364281): item=0 name="/etc/pki/tls/certs/ca-bundle.crt"
flags=401
 inode=87828 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
audit(1124661503.161:12364609): avc:  denied  { read } for  pid=20980 comm="sh"
name="slapd.pem" dev=hda2 ino=58671 scontext=root:staff_r:staff_t
tcontext=root:object_r:cert_t tclass=file
audit(1124661503.161:12364609): arch=40000003 syscall=33 success=yes exit=0
a0=858d540 a1=4 a2=1 a3=858d5a8 items=1 pid=20980 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1124661503.161:12364609):  cwd="/etc/pki/tls/certs"
audit(1124661503.161:12364609): item=0 name="/etc/pki/tls/certs/slapd.pem" flags=401
 inode=58671 dev=03:02 mode=0100640 ouid=0 ogid=55 rdev=00:00
audit(1124661503.303:12365361): avc:  denied  { read write } for  pid=20983
comm="slaptest" name="__db.001" dev=hda2 ino=14750 scontext=root:staff_r:staff_t
tcontext=root:object_r:slapd_db_t tclass=file
audit(1124661503.303:12365361): arch=40000003 syscall=5 success=yes exit=3
a0=95833e8 a1=8002 a2=0 a3=8002 items=1 pid=20983 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slaptest" exe="/usr/sbin/slapd"
audit(1124661503.303:12365361):  cwd="/etc/pki/tls/certs"
audit(1124661503.303:12365361): item=0 name="/var/lib/ldap/__db.001" flags=101
 inode=14750 dev=03:02 mode=0100600 ouid=55 ogid=55 rdev=00:00
audit(1124661503.406:12366209): avc:  denied  { net_bind_service } for 
pid=20989 comm="slapd" capability=10 scontext=root:staff_r:staff_t
tcontext=root:staff_r:staff_t tclass=capability
audit(1124661503.406:12366209): arch=40000003 syscall=102 success=yes exit=0
a0=2 a1=bf80ceb0 a2=f97d8c a3=fba96c items=0 pid=20989 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1124661503.406:12366209):
saddr=0A000185000000000000000000000000000000000000000000000000
audit(1124661503.406:12366209): nargs=3 a0=6 a1=9d6b188 a2=1c
audit(1124661503.534:12366568): avc:  denied  { getattr } for  pid=20989
comm="slapd" name="ca-bundle.crt" dev=hda2 ino=87828
scontext=root:staff_r:staff_t tcontext=system_u:object_r:cert_t tclass=file
audit(1124661503.534:12366568): arch=40000003 syscall=197 success=yes exit=0
a0=a a1=bf80cadc a2=373ff4 a3=9dbccc8 items=0 pid=20989 auid=0 uid=55 gid=55
euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
audit(1124661503.534:12366568):  path="/etc/pki/tls/certs/ca-bundle.crt"
audit(1124661503.657:12366681): avc:  denied  { read } for  pid=20989
comm="slapd" name="cert.pem" dev=hda2 ino=43939 scontext=root:staff_r:staff_t
tcontext=system_u:object_r:cert_t tclass=lnk_file
audit(1124661503.657:12366681): arch=40000003 syscall=5 success=yes exit=10
a0=529160 a1=0 a2=1b6 a3=9df4b08 items=1 pid=20989 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
audit(1124661503.657:12366681):  cwd="/etc/pki/tls/certs"
audit(1124661503.657:12366681): item=0 name="/etc/pki/tls/cert.pem" flags=101
 inode=87828 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
audit(1124661503.979:12366946): avc:  denied  { getattr } for  pid=20989
comm="slapd" name="slapd.pem" dev=hda2 ino=58671 scontext=root:staff_r:staff_t
tcontext=root:object_r:cert_t tclass=file
audit(1124661503.979:12366946): arch=40000003 syscall=197 success=yes exit=0
a0=a a1=bf80c70c a2=373ff4 a3=9e5b568 items=0 pid=20989 auid=0 uid=55 gid=55
euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="slapd" exe="/usr/sbin/slapd"
audit(1124661503.979:12366946):  path="/etc/pki/tls/certs/slapd.pem"
audit(1124661504.017:12367258): avc:  denied  { add_name } for  pid=20993
comm="touch" name="ldap" scontext=root:staff_r:staff_t
tcontext=system_u:object_r:var_lock_t tclass=dir
audit(1124661504.017:12367258): avc:  denied  { create } for  pid=20993
comm="touch" name="ldap" scontext=root:staff_r:staff_t
tcontext=root:object_r:var_lock_t tclass=file
audit(1124661504.017:12367258): arch=40000003 syscall=5 success=yes exit=3
a0=bff65c5b a1=8941 a2=1b6 a3=8941 items=1 pid=20993 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
audit(1124661504.017:12367258):  cwd="/etc/pki/tls/certs"
audit(1124661504.017:12367258): item=0 name="/var/lock/subsys/ldap" flags=310
 inode=14655 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1124661504.019:12367260): avc:  denied  { write } for  pid=20993
comm="touch" name="ldap" dev=hda2 ino=14788 scontext=root:staff_r:staff_t
tcontext=root:object_r:var_lock_t tclass=file
audit(1124661504.019:12367260): arch=40000003 syscall=30 success=yes exit=0
a0=bff65c5b a1=0 a2=804f8bc a3=bff65c5b items=1 pid=20993 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="touch" exe="/bin/touch"
audit(1124661504.019:12367260):  cwd="/etc/pki/tls/certs"
audit(1124661504.019:12367260): item=0 name="/var/lock/subsys/ldap" flags=1
 inode=14788 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

Comment 1 Daniel Walsh 2005-08-22 14:05:04 UTC
First off, you are doing all this as staff_t? You never transitioned to sysadm_t?
You must be running in permissive mode. ldap never transitions because you are
not sysadm_t.

Comment 2 W. Michael Petullo 2005-08-27 02:22:33 UTC
I had logged in using ssh.  Here is the output when slapd is started from a console:

audit(1125109138.379:13013285): avc:  denied  { read } for  pid=2067 comm="find"
name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t
tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.379:13013285): arch=40000003 syscall=5 success=no exit=-13
a0=8055e6a a1=8000 a2=0 a3=8000 items=1 pid=2067 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1125109138.379:13013285):  cwd="/etc/pki/tls/certs"
audit(1125109138.379:13013285): item=0 name="." flags=101
 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.381:13013319): avc:  denied  { read } for  pid=2067 comm="find"
name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t
tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.381:13013319): arch=40000003 syscall=5 success=no exit=-13
a0=8055e6a a1=28000 a2=0 a3=28000 items=1 pid=2067 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1125109138.381:13013319):  cwd="/etc/pki/tls/certs"
audit(1125109138.381:13013319): item=0 name="." flags=100
 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.448:13013872): avc:  denied  { read } for  pid=2072 comm="sh"
name="ca-bundle.crt" dev=hda2 ino=87828 scontext=root:system_r:initrc_t
tcontext=system_u:object_r:cert_t tclass=file
audit(1125109138.448:13013872): arch=40000003 syscall=33 success=no exit=-13
a0=8411358 a1=4 a2=1 a3=84113c0 items=1 pid=2072 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.448:13013872):  cwd="/etc/pki/tls/certs"
audit(1125109138.448:13013872): item=0 name="/etc/pki/tls/certs/ca-bundle.crt"
flags=401
 inode=87828 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
audit(1125109138.483:13014218): avc:  denied  { read } for  pid=2074 comm="sh"
name="slapd.pem" dev=hda2 ino=58671 scontext=root:system_r:initrc_t
tcontext=root:object_r:cert_t tclass=file
audit(1125109138.483:13014218): arch=40000003 syscall=33 success=no exit=-13
a0=9fd3358 a1=4 a2=1 a3=9fd33c0 items=1 pid=2074 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.483:13014218):  cwd="/etc/pki/tls/certs"
audit(1125109138.483:13014218): item=0 name="/etc/pki/tls/certs/slapd.pem" flags=401
 inode=58671 dev=03:02 mode=0100640 ouid=0 ogid=55 rdev=00:00
audit(1125109138.518:13014577): avc:  denied  { read } for  pid=2076 comm="sh"
name="slapd.pem" dev=hda2 ino=58671 scontext=root:system_r:initrc_t
tcontext=root:object_r:cert_t tclass=file
audit(1125109138.518:13014577): arch=40000003 syscall=33 success=no exit=-13
a0=898a358 a1=4 a2=1 a3=898a3c0 items=1 pid=2076 auid=0 uid=55 gid=55 euid=55
suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.518:13014577):  cwd="/etc/pki/tls/certs"
audit(1125109138.518:13014577): item=0 name="/etc/pki/tls/certs/slapd.pem" flags=401
 inode=58671 dev=03:02 mode=0100640 ouid=0 ogid=55 rdev=00:00
audit(1125109138.690:13015465): avc:  denied  { read } for  pid=2083
comm="chmod" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t
tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.690:13015465): arch=40000003 syscall=5 success=no exit=-13
a0=804ed6f a1=8000 a2=0 a3=8000 items=1 pid=2083 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="chmod" exe="/bin/chmod"
audit(1125109138.690:13015465):  cwd="/etc/pki/tls/certs"
audit(1125109138.690:13015465): item=0 name="." flags=101
 inode=62603 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
audit(1125109138.733:13015799): avc:  denied  { search } for  pid=2084
comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.733:13015799): arch=40000003 syscall=5 success=no exit=-13
a0=890d580 a1=0 a2=1b6 a3=890d068 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.733:13015799):  cwd="/etc/pki/tls/certs"
audit(1125109138.733:13015799): item=0 name="/root/ldaprc" flags=101
 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.735:13015800): avc:  denied  { search } for  pid=2084
comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.735:13015800): arch=40000003 syscall=5 success=no exit=-13
a0=890d580 a1=0 a2=1b6 a3=890d068 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.735:13015800):  cwd="/etc/pki/tls/certs"
audit(1125109138.735:13015800): item=0 name="/root/.ldaprc" flags=101
 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.754:13015941): avc:  denied  { search } for  pid=2084
comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.754:13015941): arch=40000003 syscall=5 success=no exit=-13
a0=890e6c0 a1=0 a2=1b6 a3=890ed68 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.754:13015941):  cwd="/etc/pki/tls/certs"
audit(1125109138.754:13015941): item=0 name="/root/ldaprc" flags=101
 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
audit(1125109138.756:13015942): avc:  denied  { search } for  pid=2084
comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t
tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.756:13015942): arch=40000003 syscall=5 success=no exit=-13
a0=890e6c0 a1=0 a2=1b6 a3=890ed68 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
audit(1125109138.756:13015942):  cwd="/etc/pki/tls/certs"
audit(1125109138.756:13015942): item=0 name="/root/.ldaprc" flags=101
 inode=102370 dev=03:02 mode=040750 ouid=0 ogid=0 rdev=00:00
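
As an added example (not part of this bug report or of the selinux-policy package), the following Python parses AVC denial records in the audit(ts:serial) format used throughout this report, pairs each denial with its SYSCALL record, and reports whether the box was in permissive mode (denial logged but success=yes, which is what Comment 1 infers from the first log) or enforcing (success=no exit=-13, i.e. -EACCES, as in the console run in Comment 2). It then collapses the denials into candidate allow rules of the kind audit2allow produces, so the same script covers both the description's log and Comment 2's. The sample records are copied from this report with the line wrapping undone (each audit record is one line in /var/log/audit/audit.log) and the cwd=/item= continuation records dropped; the rule output is a starting point for policy review, not something to load as-is.

```python
"""Parse SELinux AVC denials in the audit(ts:serial) record format used in this
report, pair each denial with its SYSCALL record, infer permissive vs enforcing
mode and summarise the missing allow rules.  Added example, not code from the
bug report or from selinux-policy; it is not audit2allow and handles only the
record types that appear in the report."""
import re
from collections import defaultdict

HEAD_RE = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records copied from the report (ssh session first, then the console
# run), unwrapped so each audit record is one line; continuation records omitted.
PERMISSIVE_LOG = """
audit(1124661503.060:12363709): avc:  denied  { read } for  pid=20973 comm="find" name="certs" dev=hda2 ino=62603 scontext=root:staff_r:staff_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1124661503.060:12363709): arch=40000003 syscall=5 success=yes exit=3 a0=8055e6a a1=8000 a2=0 a3=8000 items=1 pid=20973 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1124661503.119:12364180): avc:  denied  { setuid } for  pid=20978 comm="runuser" capability=7 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
audit(1124661503.119:12364180): arch=40000003 syscall=213 success=yes exit=0 a0=37 a1=a46ff4 a2=0 a3=8a00d40 items=0 pid=20978 auid=0 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="runuser" exe="/sbin/runuser"
audit(1124661503.303:12365361): avc:  denied  { read write } for  pid=20983 comm="slaptest" name="__db.001" dev=hda2 ino=14750 scontext=root:staff_r:staff_t tcontext=root:object_r:slapd_db_t tclass=file
audit(1124661503.303:12365361): arch=40000003 syscall=5 success=yes exit=3 a0=95833e8 a1=8002 a2=0 a3=8002 items=1 pid=20983 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slaptest" exe="/usr/sbin/slapd"
"""
ENFORCING_LOG = """
audit(1125109138.379:13013285): avc:  denied  { read } for  pid=2067 comm="find" name="certs" dev=hda2 ino=62603 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=dir
audit(1125109138.379:13013285): arch=40000003 syscall=5 success=no exit=-13 a0=8055e6a a1=8000 a2=0 a3=8000 items=1 pid=2067 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="find" exe="/usr/bin/find"
audit(1125109138.448:13013872): avc:  denied  { read } for  pid=2072 comm="sh" name="ca-bundle.crt" dev=hda2 ino=87828 scontext=root:system_r:initrc_t tcontext=system_u:object_r:cert_t tclass=file
audit(1125109138.448:13013872): arch=40000003 syscall=33 success=no exit=-13 a0=8411358 a1=4 a2=1 a3=84113c0 items=1 pid=2072 auid=0 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 comm="sh" exe="/bin/bash"
audit(1125109138.733:13015799): avc:  denied  { search } for  pid=2084 comm="slapd" name="root" dev=hda2 ino=102370 scontext=root:system_r:slapd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1125109138.733:13015799): arch=40000003 syscall=5 success=no exit=-13 a0=890d580 a1=0 a2=1b6 a3=890d068 items=1 pid=2084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="slapd" exe="/usr/sbin/slapd"
"""


def _kv(text):
    """Turn 'pid=1 comm="find" scontext=a:b:c' into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(lines):
    """Group records by audit serial.  Each event holds the AVC denials for
    that serial and, when present, the SYSCALL record saying whether the
    call that triggered them actually succeeded."""
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in lines:
        m = HEAD_RE.match(line.strip())
        if not m:
            continue  # blank lines and wrapped fragments carry nothing we need
        ev, body = events[m.group("serial")], m.group("body")
        avc = AVC_RE.match(body)
        if avc:
            fields = _kv(avc.group("fields"))
            fields["perms"] = sorted(avc.group("perms").split())
            ev["avc"].append(fields)
        elif body.startswith("arch="):
            ev["syscall"] = _kv(body)
    return dict(events)


def _type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def enforcement_mode(events):
    """A denial whose syscall still reports success=yes can only come from
    permissive mode (the point made in Comment 1); success=no exit=-13
    (-EACCES) is the enforcing-mode signature seen in Comment 2."""
    seen = set()
    for ev in events.values():
        sc = ev["syscall"]
        if not ev["avc"] or sc is None:
            continue
        if sc.get("success") == "yes":
            seen.add("permissive")
        elif sc.get("success") == "no" and sc.get("exit") == "-13":
            seen.add("enforcing")
    if len(seen) == 2:
        return "mixed"
    return seen.pop() if seen else "unknown"


def allow_rules(events):
    """Collapse denials into candidate allow rules keyed on (source type,
    target type, class), merging permissions; a target equal to the source
    context is written as 'self', as for the capability denials above."""
    perms = defaultdict(set)
    for ev in events.values():
        for d in ev["avc"]:
            target = "self" if d["scontext"] == d["tcontext"] else _type_of(d["tcontext"])
            perms[(_type_of(d["scontext"]), target, d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


if __name__ == "__main__":
    for label, log in (("ssh session", PERMISSIVE_LOG), ("console", ENFORCING_LOG)):
        ev = parse_audit(log.splitlines())
        print(f"{label}: SELinux appears {enforcement_mode(ev)}")
        for rule in allow_rules(ev):
            print("   ", rule)
```

Run against the first log the script reports permissive mode and rules for staff_t, which is why Comment 1 says ldap never transitioned; against the second it reports enforcing mode and rules for initrc_t and slapd_t, the domains the policy fix in Comment 3 had to cover. A denial paired with success=yes is the quickest way to spot a permissive box in a pile of audit logs without access to getenforce.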

Comment 3 Daniel Walsh 2005-09-19 20:21:01 UTC
Fixed in selinux-policy-*-1.27.1-2.1