Bug 569990

Summary: SELinux is preventing /usr/sbin/ns-slapd "write" access on /etc/dirsrv/slapd-jgbp/dse.ldif.
Product: [Fedora] Fedora Reporter: Jordi Genis <genis.jordi>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl, nhosoi, nkinder, rmeggins
Target Milestone: ---Keywords: screened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:83c6de987ee4f2f0d5ecaea2ace0f8335dd58f0ff8484e2d17ae4ff5e5755661
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-02 17:04:08 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Jordi Genis 2010-03-02 16:16:10 EST
Resum:

SELinux is preventing /usr/sbin/ns-slapd "write" access on
/etc/dirsrv/slapd-jgbp/dse.ldif.

Descripció detallada:

SELinux denied access requested by ns-slapd. It is not expected that this access
is required by ns-slapd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Permet l'accés:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informació addicional:

Context de la font            system_u:system_r:slapd_t:s0
Context de l'objectiu         system_u:object_r:etc_t:s0
Objectes objectius            /etc/dirsrv/slapd-jgbp/dse.ldif [ file ]
Font                          ns-slapd
Camí de la font              /usr/sbin/ns-slapd
Port                          <Desconegut>
Ordinador                     (removed)
Paquests RPM font             389-ds-base-1.2.5-1.fc12
Paquets RPM destí            
RPM de política              selinux-policy-3.6.32-89.fc12
S'ha habilitat el Selinux     True
Tipus de la política         targeted
Mode forçat                  Enforcing
Nom del connector             catchall
Nom de la màquina            (removed)
Plataforma                    Linux (removed) 2.6.31.12-174.2.22.fc12.x86_64
                              #1 SMP Fri Feb 19 18:55:03 UTC 2010 x86_64 x86_64
Contador d'alertes            1
Vist per primera vegada       dt 02 mar 2010 21:46:21 CET
Vist per darrera vegada       dt 02 mar 2010 21:46:21 CET
Identificador local           e84e4e04-bba4-4e8b-a8c6-d750b3b73625
Número de línies            

Missatges d'auditoria sense p 

node=(removed) type=AVC msg=audit(1267562781.94:35): avc:  denied  { write } for  pid=4151 comm="ns-slapd" name="dse.ldif" dev=dm-0 ino=2932897 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1267562781.94:35): arch=c000003e syscall=21 success=no exit=-13 a0=10c34a0 a1=2 a2=0 a3=41 items=0 ppid=4150 pid=4151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:slapd_t:s0 key=(null)



Hash String generated from  catchall,ns-slapd,slapd_t,etc_t,file,write
audit2allow suggests:

#============= slapd_t ==============
allow slapd_t etc_t:file write;
Comment 1 Nathan Kinder 2010-03-02 17:04:08 EST
This was caused by a change made to the selinux-policy package for bug 559298.  Please update to selinux-policy-3.6.32-92 and the problem should be fixed.
Comment 2 Rich Megginson 2010-03-02 17:25:24 EST
389-ds-base 1.2.6.a2 (currently in testing) has a -selinux subpackage which contains the policy for the directory server.