Bug 188335
| Summary: | SELinux targeted policy breaks rpc.idmap + LDAP SSL | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat> | ||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5 | CC: | dwalsh | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-05-10 23:23:28 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
W. Michael Petullo
2006-04-08 01:57:16 UTC
Created attachment 127494 [details]
SELinux AVC messages caused by rpc.idpamd + LDAP SSL
If you run audit2allow -M idmapd semodule -i idmapd Does it then work? Yes. If I use the audit log from comment #1 as input to "audit2allow -M idmapd -i" and load the resulting module, then rpc.idmapd seems to work fine. fixed in selinux-policy-2.2.32-1.FC5 Confirmed fixed in selinux-policy-2.2.32-1.FC5. I just tried selinux-policy-targeted-2.2.35-2 on an NFS client.
Although, this bug has been fixed on the NFS server, the client does not seem to
work when SELinux is enabled on the client. In other words:
SERVER CLIENT STATUS
SELINUX on off works
SELINUX on on broken
The strange this is that the audit messages produced on the client are a subset
of what I reported before for the server:
type=AVC msg=audit(1146445559.968:111): avc: denied { search } for pid=1456
comm="rpc.idmapd" name="pki" dev=hda5 ino=711090
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1146445559.968:111): arch=14 syscall=5 success=yes
exit=-13 a0=7872adc a1=10000 a2=1b6 a3=1b6 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.968:111): cwd="/"
type=PATH msg=audit(1146445559.968:111): item=0 name="/etc/pki/tls/cert.pem" flags=1
type=AVC msg=audit(1146445559.996:112): avc: denied { read } for pid=1456
comm="rpc.idmapd" name="urandom" dev=tmpfs ino=1654
scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:112): arch=14 syscall=5 success=yes
exit=-13 a0=78486f8 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.996:112): cwd="/"
type=PATH msg=audit(1146445559.996:112): item=0 name="/dev/urandom" flags=101
inode=1654 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09
type=AVC msg=audit(1146445559.996:113): avc: denied { read } for pid=1456
comm="rpc.idmapd" name="random" dev=tmpfs ino=1662
scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:113): arch=14 syscall=5 success=yes
exit=-13 a0=7871be0 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"
The following additions seem to fix the problem on the client:
allow rpcd_t cert_t:dir search;
allow rpcd_t random_device_t:chr_file read;
allow rpcd_t urandom_device_t:chr_file read;
fixed in selinux-policy-2.2.38-2 in rawhide. Will back port at the end of the week. Confirmed fixed in Rawhide's selinux-policy-2.2.38-2. |