Bug 188335
| Field | Value |
|---|---|
| Summary | SELinux targeted policy breaks rpc.idmap + LDAP SSL |
| Product | [Fedora] Fedora |
| Reporter | W. Michael Petullo <redhat> |
| Component | selinux-policy-targeted |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | medium |
| Version | 5 |
| CC | dwalsh |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2006-05-10 23:23:28 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description (W. Michael Petullo, 2006-04-08 01:57:16 UTC)

Created attachment 127494
SELinux AVC messages caused by rpc.idmapd + LDAP SSL

If you run

```
audit2allow -M idmapd
semodule -i idmapd.pp
```

does it then work?

Yes. If I use the audit log from comment #1 as input to "audit2allow -M idmapd -i" and load the resulting module, then rpc.idmapd seems to work fine.

Fixed in selinux-policy-2.2.32-1.FC5.

Confirmed fixed in selinux-policy-2.2.32-1.FC5.

I just tried selinux-policy-targeted-2.2.35-2 on an NFS client. Although this bug has been fixed on the NFS server, the client does not seem to work when SELinux is enabled on the client. In other words:

| Server SELinux | Client SELinux | Status |
|---|---|---|
| on | off | works |
| on | on | broken |

The strange thing is that the audit messages produced on the client are a subset of what I reported before for the server:

```
type=AVC msg=audit(1146445559.968:111): avc: denied { search } for pid=1456 comm="rpc.idmapd" name="pki" dev=hda5 ino=711090 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1146445559.968:111): arch=14 syscall=5 success=yes exit=-13 a0=7872adc a1=10000 a2=1b6 a3=1b6 items=1 pid=1456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.968:111): cwd="/"
type=PATH msg=audit(1146445559.968:111): item=0 name="/etc/pki/tls/cert.pem" flags=1
type=AVC msg=audit(1146445559.996:112): avc: denied { read } for pid=1456 comm="rpc.idmapd" name="urandom" dev=tmpfs ino=1654 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:112): arch=14 syscall=5 success=yes exit=-13 a0=78486f8 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.996:112): cwd="/"
type=PATH msg=audit(1146445559.996:112): item=0 name="/dev/urandom" flags=101 inode=1654 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09
type=AVC msg=audit(1146445559.996:113): avc: denied { read } for pid=1456 comm="rpc.idmapd" name="random" dev=tmpfs ino=1662 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:113): arch=14 syscall=5 success=yes exit=-13 a0=7871be0 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd"
```

The following additions seem to fix the problem on the client:

```
allow rpcd_t cert_t:dir search;
allow rpcd_t random_device_t:chr_file read;
allow rpcd_t urandom_device_t:chr_file read;
```

Fixed in selinux-policy-2.2.38-2 in Rawhide. Will backport at the end of the week.

Confirmed fixed in Rawhide's selinux-policy-2.2.38-2.
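The fix in this thread is the usual audit2allow loop: take the AVC denials, reduce each to (source type, target type, object class, permissions) and turn the result into allow rules for the policy module. The Python below is an added example, not part of the bug report, of audit2allow or of selinux-policy; it performs that reduction over the client's AVC records quoted above and also reports which rules one host needs that another already has, which is the "subset" observation made in the thread. The function names and the CLIENT_AUDIT constant are mine; the audit lines in it are copied from the report.

```python
"""Derive candidate SELinux allow rules from AVC denial records.

Added example modelled on the step the thread describes (audit2allow -M):
parse the denials, collapse them per (source type, target type, class)
and emit allow rules for review. It is not audit2allow itself and not part
of the bug report or of selinux-policy.
"""
import re
from collections import defaultdict

# Fields we need from a type=AVC record: the braced permission list and the
# source/target contexts (user:role:type[:level]) plus the object class.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

# Sample input: the three AVC records (and the SYSCALL record of the first)
# copied from the client report above, one audit record per line.
CLIENT_AUDIT = """\
type=AVC msg=audit(1146445559.968:111): avc: denied { search } for pid=1456 comm="rpc.idmapd" name="pki" dev=hda5 ino=711090 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1146445559.968:111): arch=14 syscall=5 success=yes exit=-13 a0=7872adc a1=10000 a2=1b6 a3=1b6 items=1 pid=1456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd"
type=AVC msg=audit(1146445559.996:112): avc: denied { read } for pid=1456 comm="rpc.idmapd" name="urandom" dev=tmpfs ino=1654 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1146445559.996:113): avc: denied { read } for pid=1456 comm="rpc.idmapd" name="random" dev=tmpfs ino=1662 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""


def context_type(ctx):
    """Return the type component of an SELinux context string."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial."""
    for m in AVC_RE.finditer(text):
        yield (context_type(m.group('scontext')),
               context_type(m.group('tcontext')),
               m.group('tclass'),
               frozenset(m.group('perms').split()))


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class).

    Rules are sorted so the output is stable and easy to diff between hosts.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


def missing_rules(have, need):
    """Rules in `need` not already present in `have` (e.g. client vs. server)."""
    return sorted(set(need) - set(have))


if __name__ == '__main__':
    for rule in allow_rules(CLIENT_AUDIT):
        print(rule)
```

Run stand-alone it prints the same three allow rules the thread arrived at. Unlike audit2allow, this script knows nothing about the loaded policy (interfaces, booleans, dontaudit rules), so its output is a starting point for review rather than something to load as-is: the generated rules record what the denied process actually asked for, and whether that access belongs in rpcd_t (here: reading the system certificate directory and the random devices for TLS) is a decision for whoever maintains the domain.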