Bug 545771
Summary: | SELinux is preventing /usr/sbin/slapd "write" access. (to cn=config database) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | andreas.mack <andreas.mack> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | dwalsh, jzeleny, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:d2e38b8889ed661ac38f96d73abff166b4ad366e03323f44eb2e986e26bfac8e | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-12-22 20:42:15 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
andreas.mack@konsec.com
2009-12-09 10:39:58 UTC
openldap keeps the config dynamically now in slapd.d. Added a rootpw to cn=config.ldif. Then I tried to add a schema with ldapadd, like described here: http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2.4.11-700452/ SELinux didn't allow that. Policy to allow: module myslapd 1.0; require { type slapd_t; type etc_t; class dir { write remove_name add_name }; class file { write rename create unlink }; } #============= slapd_t ============== allow slapd_t etc_t:dir { write remove_name add_name }; allow slapd_t etc_t:file { write rename create unlink }; # semanage fcontext -a -t slapd_db_t '/etc/openldap/slapd\.d(/.*)?' # restorecon -R -v /etc/openldap Is a much better idea, then adding the allow rules, since the allow rules would allow openldap to write /etc/passwd. I will make this the default label, although I would prefer openldap not to write to /etc at all. Fixed in selinux-policy-3.6.32-57.fc12.noarch I am working on a version of audit2allow that would have said. # audit2allow -i /tmp/t #============= slapd_t ============== #!!!! The source type 'slapd_t' can write to a 'dir' of the following types: # tmp_t, slapd_tmp_t, slapd_replog_t, var_run_t, slapd_db_t, var_lock_t, slapd_var_run_t, root_t allow slapd_t etc_t:dir { write open }; Would that have helped you? Hi Daniel, your relabeling fix seems to be much better. I just wanted to supply a hint of what has worked for me, using quick and dirty iterative audit2allows. Your audit2allow version sounds good, and it would definitely help. In this case, I would have had a hard time picking one though. Is slapd.d config or data? Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would live in etc, not writable to slapd. Andreas. I agree, reassiging to openldap Hi, (In reply to comment #4) > Your audit2allow version sounds good, and it would definitely help. In this > case, I would have had a hard time picking one though. Is slapd.d config or > data? It's config stored in the ldif data format > Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would > live in etc, not writable to slapd. The whole point of slapd.d is to replace slapd.conf entirely. That's why slapd.conf isn't included in the package any more. /etc/openldap/slapd.d is its position, because it's where openldap looks for config by default. Why it is writable you pretty much described in comment #1 - the configuration is dynamic and to be also persistent, it has to be written to slapd.d. Moving slapd.d to /var/lib doesn't seem to be a good option, because it's a config, not data content. The best option from my point of view is to permit writing in /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I certainly would have announced this change so SELinux would be prepared for it. (In reply to comment #6) > The best option from my point of view is to permit writing in > /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version > of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I > certainly would have announced this change so SELinux would be prepared for it. Hi, I'm fine with your reasoning and decision. I think it felt unusal to have the program manage it's own config files in etc. /etc/cluster/cluster.conf is similar though. I suggest closing this bug. Andreas. Ok Marking as modified until -57 or later is released. selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12 selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384 |