Bug 649432
| Field | Value |
|---|---|
| Summary: | SELinux prevents node_bind for ns-slapd |
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | rawhide |
| Status: | CLOSED RAWHIDE |
| Severity: | medium |
| Priority: | low |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Nalin Dahyabhai <nalin> |
| Assignee: | Miroslav Grepl <mgrepl> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | dwalsh, edewata, jgalipea, mgrepl, nhosoi, nkinder, rmeggins |
| Doc Type: | Bug Fix |
| : | 658593 658596 658599 |
| Last Closed: | 2010-11-30 21:55:23 UTC |
| Bug Blocks: | 639035, 658593, 658596, 658599 |
Now that the dirsrv policy has been moved into the selinux-policy package, the product and component of this bug need to be changed. Moving this bug to the appropriate queue.

Fixed in selinux-policy-3.9.10-3.fc15.noarch
Description of problem:
When attempting to run the slapi-nis NIS server plugin, I'm running into some AVC denials.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.6.1-2.fc14
selinux-policy-targeted-3.9.7-7.fc14

How reproducible:
Always

Steps to Reproduce:
1. Install freeipa v2 development build.
2. Enable the NIS server using ipa-nis-manage
3. Try to restart the dirsrv service

Actual results:
Server fails to start. Error log includes:

[03/Nov/2010:13:57:32 -0400] nis-plugin - error connecting rpcbind client socket to the service
[03/Nov/2010:13:57:32 -0400] nis-plugin - error creating portmap/rpcbind client socket
[03/Nov/2010:13:57:32 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed
[03/Nov/2010:13:57:32 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config"

Audit log includes:

type=AVC msg=audit(1288806941.323:42217): avc: denied { connectto } for pid=3238 comm="ns-slapd" path="/var/run/rpcbind.sock" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288806941.323:42217): avc: denied { write } for pid=3238 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.024:42237): avc: denied { write } for pid=3773 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.655:42749): avc: denied { node_bind } for pid=3773 comm="ns-slapd" src=700 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1288806941.904:42221): avc: denied { write } for pid=3241 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket

Expected results:
successful start

Additional info:
These seem to be the accesses that need to be allowed:

allow dirsrv_t node_t:udp_socket node_bind;
allow dirsrv_t rpcbind_t:unix_stream_socket connectto;
allow dirsrv_t rpcbind_var_run_t:sock_file write;
allow dirsrv_t self:unix_dgram_socket { write create connect };
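
How the quoted AVC denials reduce to allow rules, as an added example that is not part of the original report or of the selinux-policy project: a small Python parser doing the kind of reduction a tool such as audit2allow performs. The names `AVC_LOG`, `AVC_RE`, `selinux_type` and `denials_to_rules` are hypothetical, and mapping an identical source and target type to `self` is an assumption of this sketch.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log quoted in the report above.
AVC_LOG = """\
type=AVC msg=audit(1288806941.323:42217): avc: denied { connectto } for pid=3238 comm="ns-slapd" path="/var/run/rpcbind.sock" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288806941.323:42217): avc: denied { write } for pid=3238 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.024:42237): avc: denied { write } for pid=3773 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.655:42749): avc: denied { node_bind } for pid=3773 comm="ns-slapd" src=700 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1288806941.904:42221): avc: denied { write } for pid=3241 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge AVC denials into sorted, de-duplicated allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # assumption: same type means the domain acts on itself
        perms[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), granted in sorted(perms.items()):
        names = sorted(granted)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(AVC_LOG)))
```

Run on the five quoted records, this produces four rules, with only `write` on `self:unix_dgram_socket`; the `create` and `connect` permissions in the reporter's list do not appear in the quoted audit lines.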