Bug 545771

Summary: SELinux is preventing /usr/sbin/slapd "write" access. (to cn=config database)
Product: [Fedora] Fedora Reporter: andreas.mack <andreas.mack>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, jzeleny, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:d2e38b8889ed661ac38f96d73abff166b4ad366e03323f44eb2e986e26bfac8e
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-22 20:42:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description andreas.mack@konsec.com 2009-12-09 10:39:58 UTC 
Summary:

SELinux is preventing /usr/sbin/slapd "write" access.

Addendum: write to /etc/openldap/slapd.d (add a new schema)


Detailed Description:

SELinux denied access requested by slapd. It is not expected that this access is
required by slapd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:slapd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                None [ dir ]
Source                        slapd
Source Path                   /usr/sbin/slapd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openldap-servers-2.4.18-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26
                              EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 09 Dec 2009 11:28:51 AM CET
Last Seen                     Wed 09 Dec 2009 11:28:51 AM CET
Local ID                      e8a3dd5f-aaf7-42a3-8b09-e158cb1ead53
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1260354531.676:34473): avc:  denied  { write } for  pid=21438 comm="slapd" name="cn=schema" dev=dm-5 ino=254402 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1260354531.676:34473): arch=c000003e syscall=2 success=no exit=-13 a0=7fb600105a00 a1=c2 a2=180 a3=7fb60bffcdb0 items=0 ppid=1 pid=21438 auid=5001 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=23 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-55.fc12,catchall,slapd,slapd_t,etc_t,dir,write
audit2allow suggests:

#============= slapd_t ==============
allow slapd_t etc_t:dir write;
Comment 1 andreas.mack@konsec.com 2009-12-09 10:42:08 UTC 
openldap keeps the config dynamically now in slapd.d. Added a rootpw to cn=config.ldif. Then I tried to add a schema with ldapadd, like described here:
http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2.4.11-700452/

SELinux didn't allow that.
Comment 2 andreas.mack@konsec.com 2009-12-09 10:53:15 UTC 
Policy to allow:
module myslapd 1.0;

require {
        type slapd_t;
        type etc_t;
        class dir { write remove_name add_name };
        class file { write rename create unlink };
}

#============= slapd_t ==============
allow slapd_t etc_t:dir { write remove_name add_name };
allow slapd_t etc_t:file { write rename create unlink };
Comment 3 Daniel Walsh 2009-12-09 15:03:01 UTC 
# semanage fcontext -a -t slapd_db_t '/etc/openldap/slapd\.d(/.*)?'
# restorecon -R -v /etc/openldap

Is a much better idea, then adding the allow rules, since the allow rules would allow openldap to write /etc/passwd. 

I will make this the default label, although I would prefer openldap not to write to /etc at all.

Fixed in selinux-policy-3.6.32-57.fc12.noarch

I am working on a version of audit2allow that would have said.

# audit2allow -i /tmp/t


#============= slapd_t ==============
#!!!! The source type 'slapd_t' can write to a 'dir' of the following types:
# tmp_t, slapd_tmp_t, slapd_replog_t, var_run_t, slapd_db_t, var_lock_t, slapd_var_run_t, root_t

allow slapd_t etc_t:dir { write open };

Would that have helped you?
Comment 4 andreas.mack@konsec.com 2009-12-09 15:17:39 UTC 
Hi Daniel,

your relabeling fix seems to be much better. I just wanted to supply a hint of what has worked for me, using quick and dirty iterative audit2allows. 

Your audit2allow version sounds good, and it would definitely help. In this case, I would have had a hard time picking one though. Is slapd.d config or data?

Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would live in etc, not writable to slapd.

Andreas.
Comment 5 Daniel Walsh 2009-12-09 15:31:07 UTC 
I agree, reassiging to openldap
Comment 6 Jan Zeleny 2009-12-09 16:21:55 UTC 
Hi,
(In reply to comment #4)
> Your audit2allow version sounds good, and it would definitely help. In this
> case, I would have had a hard time picking one though. Is slapd.d config or
> data?

It's config stored in the ldif data format

> Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would
> live in etc, not writable to slapd.

The whole point of slapd.d is to replace slapd.conf entirely. That's why slapd.conf isn't included in the package any more. /etc/openldap/slapd.d is its position, because it's where openldap looks for config by default. Why it is writable you pretty much described in comment #1 - the configuration is dynamic and to be also persistent, it has to be written to slapd.d.

Moving slapd.d to /var/lib doesn't seem to be a good option, because it's a config, not data content.

The best option from my point of view is to permit writing in /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I certainly would have announced this change so SELinux would be prepared for it.
Comment 7 andreas.mack@konsec.com 2009-12-09 16:39:13 UTC 
(In reply to comment #6)

> The best option from my point of view is to permit writing in
> /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version
> of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I
> certainly would have announced this change so SELinux would be prepared for it.  

Hi,

I'm fine with your reasoning and decision. I think it felt unusal to have the program manage it's own config files in etc. /etc/cluster/cluster.conf is similar though. 

I suggest closing this bug.

Andreas.
Comment 8 Daniel Walsh 2009-12-09 17:02:50 UTC 
Ok Marking as modified until -57 or later is released.
Comment 9 Fedora Update System 2009-12-16 13:53:24 UTC 
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12
Comment 10 Fedora Update System 2009-12-18 04:41:38 UTC 
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384