Bug 576427

Summary: starting dirsrv-admin in current selinux policy fails
Product: [Fedora] Fedora Reporter: lejeczek <peljasz>
Component: 389-adminAssignee: Rich Megginson <rmeggins>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: nhosoi, nkinder, rmeggins
Target Milestone: ---Keywords: screened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 16:38:07 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description lejeczek 2010-03-23 21:19:18 EDT
Description of problem:
this standard-way generated module is a quick fix:

require {
	type user_tmp_t;
	type dirsrv_var_run_t;
	type dirsrv_var_log_t;
	type security_t;
	type user_devpts_t;
	type httpd_t;
	type dirsrv_share_t;
	type dirsrv_lib_t;
	type dirsrv_config_t;
	class sock_file { create setattr };
	class chr_file { read write append };
	class dir { write search getattr remove_name add_name };
	class file { execute read lock create write getattr open };
}

allow httpd_t dirsrv_config_t:dir getattr;

allow httpd_t dirsrv_config_t:dir search;

allow httpd_t dirsrv_config_t:file { read lock getattr open };
allow httpd_t dirsrv_lib_t:dir search;

allow httpd_t dirsrv_lib_t:file { read getattr open execute };
allow httpd_t dirsrv_share_t:dir search;

allow httpd_t dirsrv_var_log_t:dir { write add_name };

allow httpd_t dirsrv_var_log_t:file create;
allow httpd_t dirsrv_var_run_t:dir remove_name;

allow httpd_t dirsrv_var_run_t:dir { write search add_name };

allow httpd_t dirsrv_var_run_t:file { write create open };

allow httpd_t dirsrv_var_run_t:sock_file { create setattr };
allow httpd_t security_t:file { read open };

allow httpd_t user_devpts_t:chr_file { read write append };

allow httpd_t user_tmp_t:file write;


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Nathan Kinder 2010-03-24 12:42:30 EDT
There is already a dirsrv-admin selinux module in testing for the 389-admin component.

What version of 389-ds-base and 389-admin are you using?  What AVCs do you receive when you attempt to start the dirsrv-admin service?
Comment 2 lejeczek 2010-03-24 13:10:21 EDT
389-admin-selinux-1.1.11-0.2.a2.fc13.x86_64

389-ds-base-1.2.6-0.2.a2.fc13.x86_64
389-admin-1.1.11-0.2.a2.fc13.x86_64

these denials don't seem to be audited
Comment 3 Nathan Kinder 2010-03-24 14:15:56 EDT
What does 'semodule -l | grep dirsrv' show?

We do have some known issues we are working on with regards to the policy modules not being properly loaded due to recent changes in the base selinux policy.  We plan to resolve these before the next testing release of 389.
Comment 4 lejeczek 2010-03-24 15:41:57 EDT
dirsrv	1.0.0
Comment 5 Nathan Kinder 2010-03-24 15:58:05 EDT
(In reply to comment #4)
> dirsrv 1.0.0    

Ok, this shows that the dirsrv-admin module is not loaded, even though 389-admin-selinux is installed.

Please run the following as root and put the error(s) in this bug:

  'semodule -i /usr/share/selinux/targeted/dirsrv-admin.pp'
Comment 6 lejeczek 2010-03-25 06:04:55 EDT
libsepol.expand_terule_helper: conflicting TE rule for (httpd_t, var_run_t:dir):  old was httpd_var_run_t, new is dirsrv_var_run_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
Comment 7 Nathan Kinder 2010-03-29 16:38:07 EDT
This is a duplicate of bug 570912.

*** This bug has been marked as a duplicate of bug 570912 ***