Bug 382731
Summary: | SELinux is preventing /usr/sbin/slapd (slapd_t) "search" to (user_home_dir_t). | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Rogue <roguexz> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 8 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Current | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-03-05 22:17:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Rogue
2007-11-14 16:12:51 UTC
Fixed in selinux-policy-3.0.8-54.fc8

This has either not been fixed, or has reappeared in selinux-policy-3.0.8-69.fc8. I actually had this working earlier, but I suspect the auto-updater may have updated the security policy and broken my system.

```
Source Context: system_u:system_r:slapd_t:s0
Target Context: system_u:object_r:user_home_dir_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: openldap-servers-2.3.39-1.fc8 [application]
Policy RPM: selinux-policy-3.0.8-69.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: beauty.ardens.abling.com
Platform: Linux beauty.ardens.abling.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:36 EST 2007 x86_64 x86_64
Alert Count: 21
First Seen: Thu 27 Dec 2007 07:17:44 PM GMT
Last Seen: Thu 27 Dec 2007 08:48:05 PM GMT
Local ID: 4977ba7b-560c-43e2-b9f4-0874db6df59b
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm=slapd dev=sda3 egid=0 euid=0 exe=/usr/sbin/slapd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=3404 scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0
```

Having checked when rev 69 was issued (i.e. today), it's pretty clear that it's been re-broken. I note that the patch was supposed to fix some issues with semanage and user_home_dir_t, so it's likely that it wasn't properly tested before release.

Fixed in selinux-policy-3.0.8-73.fc8

I downloaded and installed the updated policy, but there's no change. It still gets an AVC denial.

```
SELinux is preventing /usr/sbin/slapd (slapd_t) "search" to (user_home_dir_t).

Source Context: system_u:system_r:slapd_t:s0
Target Context: system_u:object_r:user_home_dir_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: openldap-servers-2.3.39-1.fc8 [application]
Policy RPM: selinux-policy-3.0.8-73.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: beauty.ardens.abling.com
Platform: Linux beauty.ardens.abling.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:36 EST 2007 x86_64 x86_64
Alert Count: 23
First Seen: Thu 27 Dec 2007 07:17:44 PM GMT
Last Seen: Fri 04 Jan 2008 12:05:25 PM GMT
Local ID: 4977ba7b-560c-43e2-b9f4-0874db6df59b
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm=slapd dev=sda3 egid=0 euid=0 exe=/usr/sbin/slapd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=5737 scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0
```

Note: I get a very similar error for the SAMBA daemon.

```
Jan 4 16:04:59 beauty setroubleshoot: #012 SELinux is preventing /usr/bin/net (samba_net_t) "search" to <Unknown> (user_home_dir_t).
```

Works for me. I just installed the rpm and I get the error.

If you run

```
grep slapd /var/log/audit/audit.log | audit2why
```

what does it say?

```
type=AVC msg=audit(1199467847.519:254): avc: denied { search } for pid=6969 comm="slapd" name="root" dev=sda3 ino=51511297 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir

	Was caused by:
		Missing or disabled TE allow rule.
		Allow rules may exist but be disabled by boolean settings; check boolean settings.
		You can see the necessary allow rules by running audit2allow with this audit message as input.
```

I tried running audit2allow, as it suggested, feeding the message. It responded:

```
#============= slapd_t ==============
allow slapd_t user_home_dir_t:dir search;
```

However, I got the same AVC denial afterwards.
Bugs have been in MODIFIED for over one month. Closing as fixed in current release; please reopen if the problem still persists.
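The thread above stops at the point where audit2allow prints a rule and the denial persists. A practitioner reading it should note that audit2allow by itself only prints policy source: nothing changes on the system until the rule is compiled into a module and loaded with semodule -i (audit2allow -M does both steps). The script below is an added example, not code from the bug report or from the selinux-policy project. It reproduces that pipeline in plain sh and awk: extract the AVC records from an audit log, collapse them into the allow rules audit2allow would print, wrap them in a module skeleton, and build the package where checkmodule/semodule_package exist. The function names, the module name localslapd, the samba_net_t record (modelled on the setroubleshoot summary quoted in the thread, with made-up pid, inode and timestamp) and the SYSCALL filler line are all assumptions of this example; the two slapd records are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report. Turns raw AVC denials into a local
# SELinux policy module the way "audit2allow -M NAME" does, using only sh,
# grep and awk for the parsing so that part runs anywhere.

# avc_to_te LOGFILE
# One "allow SRC TGT:CLASS PERMS;" per distinct (source type, target type,
# class), permissions merged and de-duplicated; output sorted so it is stable.
avc_to_te() {
    grep 'avc: *denied' "$1" | awk '
    {
        perms = ""; inbrace = 0; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }   # permissions sit between braces
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = perms " " $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue                       # "avc:", "denied", "for" ...
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") src = v
            else if (k == "tcontext") tgt = v
            else if (k == "tclass") cls = v
        }
        if (src == "" || tgt == "" || cls == "") next
        split(src, s, ":"); split(tgt, t, ":")         # user:role:type[:level]
        key = s[3] " " t[3] ":" cls
        if (!(key in rule)) { order[++n] = key; rule[key] = "" }
        m = split(perms, pl, " ")
        for (j = 1; j <= m; j++)
            if (pl[j] != "" && !((key, pl[j]) in seen)) {
                seen[key, pl[j]] = 1
                rule[key] = rule[key] " " pl[j]
            }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]; p = substr(rule[k], 2)
            if (index(p, " ")) p = "{ " p " }"          # several perms -> braced set
            print "allow " k " " p ";"
        }
    }' | sort
}

# te_module NAME LOGFILE
# Module source in the shape audit2allow -M writes: header, require block, rules.
te_module() {
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    avc_to_te "$2" | awk '
    {
        types[$2] = 1                                    # source type
        split($3, tc, ":"); types[tc[1]] = 1; cls = tc[2] # target type, class
        for (i = 4; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p == "{" || p == "}" || p == "") continue
            if (!((cls, p) in seen)) { seen[cls, p] = 1; cp[cls] = cp[cls] " " p }
        }
    }
    END {
        for (t in types) print "\ttype " t ";"
        for (c in cp) print "\tclass " c " {" cp[c] " };"
    }' | sort
    printf '}\n\n'
    avc_to_te "$2"
}

# build_module NAME TEFILE
# Compile and package the module; the semodule -i step is printed, not run, so
# the operator decides when the new rules go live. Without the toolchain it
# just prints the commands to run on the target host.
build_module() {
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$2" && semodule_package -o "$1.pp" -m "$1.mod" \
            && echo "built $1.pp; install with: semodule -i $1.pp"
    else
        echo "no SELinux toolchain here; on the target run:"
        echo "  checkmodule -M -m -o $1.mod $2 && semodule_package -o $1.pp -m $1.mod && semodule -i $1.pp"
    fi
}

# Constructed sample audit log (assumption of this example): the two slapd
# records quoted in the bug, one samba_net_t record with made-up pid/ino/time,
# and one non-AVC SYSCALL line that must be ignored.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1199467847.519:254): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1199467847.519:254): avc:  denied  { search } for  pid=6969 comm="slapd" name="root" dev=sda3 ino=51511297 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
avc: denied { search } for comm=slapd dev=sda3 egid=0 euid=0 exe=/usr/sbin/slapd exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=root pid=5737 scontext=system_u:system_r:slapd_t:s0 sgid=0 subj=system_u:system_r:slapd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:user_home_dir_t:s0 tty=pts1 uid=0
type=AVC msg=audit(1199462699.000:301): avc:  denied  { search } for  pid=7001 comm="net" name="root" dev=sda3 ino=51511297 scontext=system_u:system_r:samba_net_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
EOF

TE_FILE=$(mktemp)
te_module localslapd "$SAMPLE_LOG" >"$TE_FILE"
cat "$TE_FILE"
build_module localslapd "$TE_FILE"
```

The two slapd records collapse into a single rule and the samba record adds a second one, which is the same grouping audit2allow performs. Before loading a module like this, check what the denial is really about: the records in the thread carry name=root and tty=pts1, so the rule would let slapd search a home directory it had no business in, and the fix a policy maintainer would prefer is usually a label or startup fix rather than a blanket allow.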