Bug 671444

Summary: SELinux errors when slapi-nis plugin enables nis listener
Product: Fedora
Reporter: Rob Crittenden <rcritten>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: dpal, dwalsh, mgrepl, nalin
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.7-28.fc14
Doc Type: Bug Fix
Last Closed: 2011-02-03 20:26:18 UTC

Description Rob Crittenden 2011-01-21 14:28:47 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Rob Crittenden 2011-01-21 14:31:51 UTC
Bugzilla can be so annoying sometimes...

selinux-policy-3.9.7-19.fc14.noarch
slapi-nis-0.21-1.fc14.x86_64

In an IPA v2 context I ran ipa-nis-enable manage then restarted 389-ds and it failed to come back up.

After a bit of research and fix-one-find-another I think this is it. What I did was pass each new AVC through audit2allow and installed a local policy to find all the problems.

type=AVC msg=audit(1295547915.331:4111): avc:  denied  { node_bind } for  pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1295548287.301:4113): avc:  denied  { create } for  pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295549851.635:4114): avc:  denied  { create } for  pid=23550 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550044.067:4116): avc:  denied  { connect } for  pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550136.493:4123): avc:  denied  { connect } for  pid=23682 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550324.494:4126): avc:  denied  { write } for  pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1295550540.437:4130): avc:  denied  { sendto } for  pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.062:4133): avc:  denied  { write } for  pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.065:4134): avc:  denied  { write } for  pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
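
The "pass each new AVC through audit2allow" step above, as an added example that is not part of this bug report or of the slapi-nis or selinux-policy projects: a small parser that takes the AVC records quoted in this comment (embedded as constructed sample input), merges the denied permissions per (source type, target type, object class), and renders them as allow rules and a loadable-module skeleton in the form audit2allow prints. Function names (parse_avc, summarize, allow_rules, render_module) and the module name local_dirsrv_nis are my own placeholders, not anything from the page.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from comment 1 of this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1295547915.331:4111): avc:  denied  { node_bind } for  pid=23494 comm="ns-slapd" src=965 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1295548287.301:4113): avc:  denied  { create } for  pid=23543 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550044.067:4116): avc:  denied  { connect } for  pid=23675 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550324.494:4126): avc:  denied  { write } for  pid=23809 comm="ns-slapd" name="log" dev=devtmpfs ino=9816 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1295550540.437:4130): avc:  denied  { sendto } for  pid=23933 comm="ns-slapd" path="/dev/log" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1295550939.062:4133): avc:  denied  { write } for  pid=24055 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." : the permission set sits in
# braces, and everything after "for" is a run of key=value fields (values may be quoted).
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(lines):
    """Merge denials into {(source type, target type, class): set of permissions}."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def allow_rules(summary):
    """Render the summary as allow rules; a target equal to the source becomes 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perm_txt = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_txt = '{ %s }' % perm_txt
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_txt))
    return rules


def render_module(name, summary):
    """Wrap the rules in a policy module skeleton (module name is a placeholder)."""
    types = sorted({t for key in summary for t in key[:2]})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in summary.items():
        class_perms[tclass] |= perms
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(class_perms.items())]
    out += ['}', ''] + allow_rules(summary)
    return '\n'.join(out)


if __name__ == '__main__':
    print(render_module('local_dirsrv_nis', summarize(SAMPLE_AVCS.splitlines())))
```

Running it prints one rule per (type, type, class) triple, which is the raw form a local workaround module would carry; the distribution policy instead expresses the same access through interface macros such as the logging_send_syslog_msg(dirsrv_t) call mentioned later in this bug, which is why a local module built this way should only be a stop-gap until the packaged policy is fixed.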

Comment 2 Dmitri Pal 2011-01-28 20:41:53 UTC
According to Nalin this is an SELinux policy issue.

Comment 4 Nalin Dahyabhai 2011-01-28 20:57:44 UTC
With the NIS server plugin enabled, the directory server needs to be able to provide an RPC service listening on a privileged port, over both UDP and TCP sockets, and register that service with the local portmapper, which depending on the version used is either contacted over a PF_INET datagram socket or a PF_LOCAL stream socket.

I'm not sure why it's attempting to connect to /dev/log, though -- it doesn't try to use syslog.

Comment 5 Miroslav Grepl 2011-01-31 09:52:08 UTC
We have in Rawhide 

logging_send_syslog_msg(dirsrv_t)

I am adding it also to F13/F14/RHEL6.

Comment 6 Daniel Walsh 2011-02-01 22:21:33 UTC
Looks like it is fixed in selinux-policy-3.9.7-27

Comment 7 Rob Crittenden 2011-02-01 23:09:13 UTC
I installed it from koji and it seems to have resolved my issues. I'll give it karma once it hits updates-testing.

Comment 8 Fedora Update System 2011-02-02 12:58:04 UTC
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14

Comment 9 Fedora Update System 2011-02-02 19:31:16 UTC
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14

Comment 10 Fedora Update System 2011-02-03 20:25:25 UTC
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.