Bug 382731

Summary: SELinux is preventing /usr/sbin/slapd (slapd_t) "search" to (user_home_dir_t).
Product: [Fedora] Fedora Reporter: Rogue <roguexz>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-05 22:17:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rogue 2007-11-14 16:12:51 UTC
openldap-2.3.39-1.fc8
---------------------

Starting up the ldap service on a fresh F8 install causes an AVC denial.

Summary
    SELinux is preventing /usr/sbin/slapd (slapd_t) "search" to <Unknown>
    (user_home_dir_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/slapd. It is not expected that
    this access is required by /usr/sbin/slapd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:slapd_t:s0
Target Context                system_u:object_r:user_home_dir_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         openldap-servers-2.3.39-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-47.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     Xymnotune
Platform                      Linux Xymnotune 2.6.23.1-49.fc8 #1 SMP Thu Nov 8
                              21:41:26 EST 2007 i686 i686
Alert Count                   2
First Seen                    Wed 14 Nov 2007 09:39:03 PM IST
Last Seen                     Wed 14 Nov 2007 09:39:03 PM IST
Local ID                      4fe6c89d-0ac7-4199-91bf-e4fe25e435d4
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=slapd dev=dm-0 egid=0 euid=0 exe=/usr/sbin/slapd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=8388
scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0

Comment 1 Daniel Walsh 2007-11-14 17:31:40 UTC
Fixed in selinux-policy-3.0.8-54.fc8

Comment 2 Kevin Grumball 2007-12-27 21:00:43 UTC
This has either not been fixed, or has reappeared in selinux-policy-3.0.8-69.fc8

I actually had this working earlier, but I suspect the auto-updater may have
updated the security policy and broken my system.

Source Context:  system_u:system_r:slapd_t:s0
Target Context:  system_u:object_r:user_home_dir_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  openldap-servers-2.3.39-1.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-69.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  beauty.ardens.abling.com
Platform:  Linux beauty.ardens.abling.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7
15:49:36 EST 2007 x86_64 x86_64
Alert Count:  21
First Seen:  Thu 27 Dec 2007 07:17:44 PM GMT
Last Seen:  Thu 27 Dec 2007 08:48:05 PM GMT
Local ID:  4977ba7b-560c-43e2-b9f4-0874db6df59b
Line Numbers:  

Raw Audit Messages:

avc: denied { search } for comm=slapd dev=sda3 egid=0 euid=0
exe=/usr/sbin/slapd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=3404
scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0

Comment 3 Kevin Grumball 2007-12-27 21:14:24 UTC
Having checked when rev 69 was issued (i.e. today), it's pretty clear that it's
been re-broken. I note that the patch was supposed to fix some issues with
semanage and user_home_dir_t, so it's likely that it wasn't properly tested
before release.

Comment 4 Daniel Walsh 2007-12-31 14:19:11 UTC
Fixed in selinux-policy-3.0.8-73.fc8

Comment 5 Kevin Grumball 2008-01-04 12:10:40 UTC
I downloaded and installed the updated policy, but there's no change. It still
gets an AVC denial.

SELinux is preventing /usr/sbin/slapd (slapd_t) "search" to (user_home_dir_t).

Source Context:  system_u:system_r:slapd_t:s0
Target Context:  system_u:object_r:user_home_dir_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  openldap-servers-2.3.39-1.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-73.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  beauty.ardens.abling.com
Platform:  Linux beauty.ardens.abling.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7
15:49:36 EST 2007 x86_64 x86_64
Alert Count:  23
First Seen:  Thu 27 Dec 2007 07:17:44 PM GMT
Last Seen:  Fri 04 Jan 2008 12:05:25 PM GMT
Local ID:  4977ba7b-560c-43e2-b9f4-0874db6df59b
Line Numbers:  
Raw Audit Messages:

avc: denied { search } for comm=slapd dev=sda3 egid=0 euid=0 exe=/usr/sbin/slapd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=5737
scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0 

Comment 6 Kevin Grumball 2008-01-04 16:14:53 UTC
Note: I get a very similar error for the SAMBA daemon.

Jan  4 16:04:59 beauty setroubleshoot: #012    SELinux is preventing
/usr/bin/net (samba_net_t) "search" to <Unknown> (user_home_dir_t).

Comment 7 Daniel Walsh 2008-01-04 19:10:58 UTC
Works for me.  I just installed the rpm and I get the error.

If you run 

grep slapd /var/log/audit/audit.log | audit2why

What does it say?

Comment 8 Kevin Grumball 2008-01-06 16:29:28 UTC
type=AVC msg=audit(1199467847.519:254): avc:  denied  { search } for  pid=6969
comm="slapd" name="root" dev=sda3 ino=51511297
scontext=system_u:system_r:slapd_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check
boolean settings.
                You can see the necessary allow rules by running audit2allow
with this audit message as input.
Comment 9 Kevin Grumball 2008-01-06 16:34:40 UTC
I tried running audit2allow, as it suggested, feeding the message. It responded:

#============= slapd_t ==============
allow slapd_t user_home_dir_t:dir search;
However, I got the same AVC denial afterwards.
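
The thread shows the same denial in two formats (setroubleshoot's condensed line in the description and the audit.log record in comment 8) and, in comment 9, the allow rule audit2allow derives from it. The script below is an added example, not part of the bug report or of the audit2allow tool: it parses both AVC formats, renders the equivalent TE rule, and counts how often each distinct denial recurs, which is the check to run before and after loading a new policy to confirm whether a fix actually took. The sample log is constructed from the values quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: one audit.log record (comment 8 format), one setroubleshoot
# line (description format), and one non-AVC record that must be ignored.
SAMPLE_LOG = """\
type=AVC msg=audit(1199467847.519:254): avc:  denied  { search } for  pid=6969 comm="slapd" name="root" dev=sda3 ino=51511297 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
avc: denied { search } for comm=slapd dev=dm-0 egid=0 euid=0 exe=/usr/sbin/slapd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=8388 scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0
type=SYSCALL msg=audit(1199467847.519:254): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc: denied { perm1 perm2 } for key=value ..." with variable whitespace
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be quoted (comm="slapd") or bare (dev=sda3)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = tuple(m.group('perms').split())
    return fields


def type_of(context):
    """Extract the type from a context: system_u:system_r:slapd_t:s0 -> slapd_t."""
    return context.split(':')[2]


def allow_rule(avc):
    """Render the TE allow rule audit2allow would emit for one denial."""
    perms = ' '.join(avc['perms'])
    if len(avc['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (type_of(avc['scontext']),
                                   type_of(avc['tcontext']), avc['tclass'], perms)


def summarize(log_text):
    """Count denials per distinct rule, like setroubleshoot's alert count per signature."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            counts[allow_rule(avc)] += 1
    return dict(counts)


if __name__ == '__main__':
    for rule, n in summarize(SAMPLE_LOG).items():
        print('%3d  %s' % (n, rule))
```

If the count for a rule keeps rising after a policy update, the update did not ship that rule (or the module was generated but never loaded with semodule), which is what comments 5 and 9 describe.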

Comment 10 Daniel Walsh 2008-03-05 22:17:36 UTC
Bugs have been in MODIFIED for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.