Bug 675782

Summary: [SELinux AVC Alert] SELinux is preventing /usr/sbin/ns-slapd from getattr access on the file /etc/selinux/targeted/contexts/files/file_contexts
Product: Red Hat Enterprise Linux 6 Reporter: Nathan Kinder <nkinder>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: amessina, ckannan, dwalsh, ksrot, mgrepl, nkinder, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-69.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 671584 Environment:
Last Closed: 2011-05-19 11:57:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 671584    
Bug Blocks: 639035    

Description Nathan Kinder 2011-02-07 18:24:36 UTC 
+++ This bug was initially created as a clone of Bug #671584 +++

I am getting SELinux AVCs as 389 is trying to read|getattr|search for  /etc/selinux/targeted/contexts/files/file_contexts

I am not certain why the server would need to read here since the SELinux packages are now merged into the selinux-policy.

I realize these are SELinux issues, but wanted to report here first to see if this access is needed.

type=AVC msg=audit(1295647725.782:47411): avc:  denied  { search } for  pid=27767 comm="ns-slapd" name="contexts" dev=md0 ino=38248 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir


type=AVC msg=audit(1295647725.782:47411): avc:  denied  { search } for  pid=27767 comm="ns-slapd" name="files" dev=md0 ino=38254 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir


type=SYSCALL msg=audit(1295647725.782:47411): arch=x86_64 syscall=open success=no exit=ENOENT a0=7f9204054200 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=27767 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=ns-slapd exe=2F7573722F7362696E2F6E732D736C617064202864656C6574656429 subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)



type=AVC msg=audit(1295647725.783:47412): avc:  denied  { read } for  pid=27767 comm="ns-slapd" name="file_contexts" dev=md0 ino=9358 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file


type=AVC msg=audit(1295647725.783:47412): avc:  denied  { open } for  pid=27767 comm="ns-slapd" name="file_contexts" dev=md0 ino=9358 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file


type=SYSCALL msg=audit(1295647725.783:47412): arch=x86_64 syscall=open success=yes exit=EMLINK a0=7f92040549a0 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=27767 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=ns-slapd exe=2F7573722F7362696E2F6E732D736C617064202864656C6574656429 subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)



type=AVC msg=audit(1295647725.783:47413): avc:  denied  { getattr } for  pid=27767 comm="ns-slapd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=md0 ino=9358 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file


type=SYSCALL msg=audit(1295647725.783:47413): arch=x86_64 syscall=fstat success=yes exit=0 a0=1f a1=7f922dff3fb0 a2=7f922dff3fb0 a3=0 items=0 ppid=1 pid=27767 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=ns-slapd exe=2F7573722F7362696E2F6E732D736C617064202864656C6574656429 subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

--- Additional comment from rmeggins on 2011-01-21 17:26:06 EST ---

What platform?
rpm -qi 389-ds-base
rpm -qi selinux-policy

--- Additional comment from amessina on 2011-01-21 20:40:52 EST ---

~]# rpm -qi 389-ds-base
Name        : 389-ds-base                  Relocations: (not relocatable)
Version     : 1.2.7.5                           Vendor: Fedora Project
Release     : 1.fc14                        Build Date: Thu 16 Dec 2010 11:23:44 AM CST
Install Date: Fri 17 Dec 2010 03:13:33 PM CST      Build Host: x86-10.phx2.fedoraproject.org
Group       : System Environment/Daemons    Source RPM: 389-ds-base-1.2.7.5-1.fc14.src.rpm
Size        : 5756817                          License: GPLv2 with exceptions
Signature   : RSA/SHA256, Thu 16 Dec 2010 09:19:45 PM CST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package includes
the LDAP server and command line utilities for server administration.


~]# rpm -qi selinux-policy
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 3.9.7                             Vendor: Fedora Project
Release     : 20.fc14                       Build Date: Tue 04 Jan 2011 10:28:31 AM CST
Install Date: Mon 17 Jan 2011 09:40:37 PM CST      Build Host: x86-17.phx2.fedoraproject.org
Group       : System Environment/Base       Source RPM: selinux-policy-3.9.7-20.fc14.src.rpm
Size        : 7981448                          License: GPLv2+
Signature   : RSA/SHA256, Wed 05 Jan 2011 11:16:11 AM CST, Key ID 421caddb97a1071f
Packager    : Fedora Project
URL         : http://oss.tresys.com/repos/refpolicy/
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision  2.20091117

--- Additional comment from nkinder on 2011-01-24 12:58:13 EST ---

I believe that the kerberos libraries that are used by ns-slapd require this access.  I believe that this is a duplicate of bug 669385, which is fixed in selinux-policy-3.9.7-25.  Could you test with this newer selinux-policy package to confirm that it is fixed?

--- Additional comment from amessina on 2011-01-28 13:28:54 EST ---

(In reply to comment #3)
> I believe that the kerberos libraries that are used by ns-slapd require this
> access.  I believe that this is a duplicate of bug 669385, which is fixed in
> selinux-policy-3.9.7-25.  Could you test with this newer selinux-policy package
> to confirm that it is fixed?

I confirm that the originally reported AVCs are fixed with 3.9.7-25, however, I now see the following AVCs at startup or restart even after a fresh relable & reboot:

type=AVC msg=audit(1296239122.428:4): avc:  denied  { open } for  pid=1281 comm="start-ds-admin" name="console" dev=devtmpfs ino=4063 scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1296239122.428:4): arch=c000003e syscall=2 success=yes exit=3 a0=bd7010 a1=802 a2=7fff3be43bf0 a3=1000 items=0 ppid=1260 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="start-ds-admin" exe="/bin/bash" subj=system_u:system_r:dirsrvadmin_t:s0 key=(null)

type=AVC msg=audit(1296239122.441:5): avc:  denied  { sys_resource } for  pid=1281 comm="start-ds-admin" capability=24  scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=capability

type=AVC msg=audit(1296239122.441:5): avc:  denied  { setrlimit } for  pid=1281 comm="start-ds-admin" scontext=system_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:system_r:dirsrvadmin_t:s0 tclass=process

type=SYSCALL msg=audit(1296239122.441:5): arch=c000003e syscall=160 success=yes exit=0 a0=7 a1=7fff3be43610 a2=0 a3=100 items=0 ppid=1260 pid=1281 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="start-ds-admin" exe="/bin/bash" subj=system_u:system_r:dirsrvadmin_t:s0 key=(null)

type=AVC msg=audit(1296239124.427:6): avc:  denied  { write } for  pid=1368 comm="ldap-agent-bin" name="dirsrv" dev=md0 ino=57514 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

type=SYSCALL msg=audit(1296239124.427:6): arch=c000003e syscall=21 success=yes exit=0 a0=9182c0 a1=2 a2=7fffd36d16d0 a3=7fffd36d1440 items=0 ppid=1367 pid=1368 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=system_u:system_r:dirsrv_snmp_t:s0 key=(null)

--- Additional comment from nkinder on 2011-02-02 12:17:27 EST ---

Are these the AVCs that you see in permissive mode during a restart, or is this in enforcing mode?  I want to be sure we deal with them all, so I'd like to see all related AVCs that occur when restarting dirsrv-admin in permissive mode if there is anything else not reported in this bug.

For the admin server restart issues, I believe we need to add:

term_use_console(dirsrvadmin_t)
allow dirsrvadmin_t self:capability { sys_resource };
allow dirsrvadmin_t self:process { setrlimit };

The issue with ldap-agent seems like it may be unable to create a new log file in /var/log/dirsrv, which is labelled as var_log_t.  Do you get the ldap-agent related AVC when starting ldap-agent when it's logfile already exists?

--- Additional comment from nkinder on 2011-02-02 12:25:29 EST ---

I am able to reproduce the ldap-agent related AVC when starting the dirsrv-snmp service for the first time.  If I put selinux in permissive mode, there are a number of AVCs reported:

type=AVC msg=audit(1296667386.988:174): avc:  denied  { write } for  pid=19549 comm="ldap-agent-bin" name="dirsrv" dev=dm-0 ino=2899995 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1296667386.988:174): arch=c000003e syscall=21 success=yes exit=0 a0=1d182c0 a1=2 a2=7fffa5f71ec0 a3=7fffa5f71c10 items=0 ppid=19548 pid=19549 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(1296667386.988:175): avc:  denied  { add_name } for  pid=19549 comm="ldap-agent-bin" name="ldap-agent.log" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1296667386.988:175): avc:  denied  { create } for  pid=19549 comm="ldap-agent-bin" name="ldap-agent.log" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1296667386.988:175): arch=c000003e syscall=2 success=yes exit=3 a0=1d1a060 a1=441 a2=1b6 a3=0 items=0 ppid=19548 pid=19549 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(1296667387.016:176): avc:  denied  { write } for  pid=19553 comm="ldap-agent-bin" name="lib" dev=dm-0 ino=2883586 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1296667387.016:176): avc:  denied  { add_name } for  pid=19553 comm="ldap-agent-bin" name="net-snmp" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1296667387.016:176): avc:  denied  { create } for  pid=19553 comm="ldap-agent-bin" name="net-snmp" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1296667387.016:176): arch=c000003e syscall=83 success=yes exit=0 a0=7fffa5f70b30 a1=1c0 a2=ffffffffffffff80 a3=7fffa5f70800 items=0 ppid=1 pid=19553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(1296667387.018:177): avc:  denied  { write } for  pid=19553 comm="ldap-agent-bin" name="net-snmp" dev=dm-0 ino=2900063 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1296667387.018:177): avc:  denied  { add_name } for  pid=19553 comm="ldap-agent-bin" name="mib_indexes" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1296667387.018:177): arch=c000003e syscall=83 success=yes exit=0 a0=7fffa5f70b30 a1=1c0 a2=ffffffffffffff80 a3=7fffa5f70800 items=0 ppid=1 pid=19553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(1296667387.018:178): avc:  denied  { create } for  pid=19553 comm="ldap-agent-bin" name="0" scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1296667387.018:178): avc:  denied  { write open } for  pid=19553 comm="ldap-agent-bin" name="0" dev=dm-0 ino=2898623 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1296667387.018:178): arch=c000003e syscall=2 success=yes exit=9 a0=7fffa5f718e0 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=19553 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)

--- Additional comment from nkinder on 2011-02-02 12:38:29 EST ---

Running audit2allow gives me the following rules for dirsrv_snmp_t:

#============= dirsrv_snmp_t ==============
allow dirsrv_snmp_t var_lib_t:dir { write create add_name };
#!!!! The source type 'dirsrv_snmp_t' can write to a 'file' of the following types:
# dirsrv_snmp_var_run_t, dirsrv_snmp_var_log_t, root_t

allow dirsrv_snmp_t var_lib_t:file { write create open getattr };
#!!!! The source type 'dirsrv_snmp_t' can write to a 'dir' of the following types:
# dirsrv_var_log_t, dirsrv_snmp_var_run_t, var_run_t, root_t

allow dirsrv_snmp_t var_log_t:dir { write add_name };
allow dirsrv_snmp_t var_log_t:file create;
#=========================================

The /var/lib access is something that the Net-SNMP libraries that are used by ldap-agent-bin must be doing.  The /var/log access is ldap-agent-bin trying to create it's log file /var/log/dirsrv/ldap-agent.log.  The odd thing is that this file is created with a context of var_log_t, but the intent is for it to be labelled as dirsrv_snmp_var_log_t.  The dirsrv_snmp_t policy should have this in it already:

type dirsrv_snmp_var_log_t;
logging_log_file(dirsrv_snmp_var_log_t)
manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)

Is the problem here that the parent directory that contains the logfile (/var/log/dirsrv) is labelled as var_log_t, which doesn't match what the above filetrans expects?  The initial dirsrv policy had the following in it's .fc file:

var/log/dirsrv              gen_context(system_u:object_r:dirsrv_var_log_t,s0)

It appears that this did not make it through when the policy was moved out of the 389-ds-base package and into selinux-policy-targetted.

--- Additional comment from dwalsh on 2011-02-02 13:56:33 EST ---

Looks like /var/log/dirsrv has the wrong label on it.

F14 policy has

/var/log/dirsrv(/.*)	gen_context(system_u:object_r:dirsrv_var_log_t,s0)


Run restorecon -R -v /var/log/dirsrv 
To fix the label, Did you destroy and recreate this directory by hand?

Whatever /var/lib directory you are using is also mislabeled.

--- Additional comment from nkinder on 2011-02-02 14:18:30 EST ---

(In reply to comment #8)
> Looks like /var/log/dirsrv has the wrong label on it.
> 
> F14 policy has
> 
> /var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
> 
> 
> Run restorecon -R -v /var/log/dirsrv 
> To fix the label, Did you destroy and recreate this directory by hand?

The odd thing is that I tried this, and it does not get relabelled:

[root@localhost dirsrv]# ls -lZ /var/log | grep dirsrv
drwxrwx---. nobody  nobody  unconfined_u:object_r:var_log_t:s0 dirsrv
[root@localhost dirsrv]# restorecon -R -v /var/log
[root@localhost dirsrv]# ls -lZ /var/log | grep dirsrv
drwxrwx---. nobody  nobody  unconfined_u:object_r:var_log_t:s0 dirsrv

[root@localhost dirsrv]# semanage fcontext -l | grep dirsrv
...
/var/log/dirsrv(/.*)                               all files          system_u:object_r:dirsrv_var_log_t:s0
...

> 
> Whatever /var/lib directory you are using is also mislabeled.

The Net-SNMP libraries try to create /var/lib/net-snmp the first time that we start ldap-agent.  This directory gets created with a context of var_lib_t by ldap-agent if it doesn't already exist.  Now the odd thing is that starting snmpd will create this directory as well, but it gets created with a context of snmpd_var_lib_t in that case.  Here's what semanage shows for the fcontext for this:

/var/lib/net-snmp(/.*)?                            all files          system_u:object_r:snmpd_var_lib_t:s0

In this case, a restorecon does fix the context of /var/lib/net-snmp.  The problem is that we can't guarantee that snmpd was started on a system where ldap-agent is being started.  Is the right thing to do here to add a transition so ldap-agent will create /var/lib/net-snmp with a context of snmpd_var_lib_t?

--- Additional comment from dwalsh on 2011-02-02 14:30:16 EST ---

That is because

/var/log/dirsrv(/.*)                               all files         
system_u:object_r:dirsrv_var_log_t:s0

should be

/var/log/dirsrv(/.*)?                               all files         
system_u:object_r:dirsrv_var_log_t:s0

Yes if you create the directory it should transiiton.

--- Additional comment from dwalsh on 2011-02-02 14:36:56 EST ---

Miroslav you need to back port the dirsrv policy and the snmp.if from Rawhide to F13/F14.

--- Additional comment from nkinder on 2011-02-02 14:46:28 EST ---

*** Bug 639524 has been marked as a duplicate of this bug. ***

--- Additional comment from mgrepl on 2011-02-03 04:31:59 EST ---

Fixed in selinux-policy-3.9.7-29.fc14

--- Additional comment from updates on 2011-02-04 05:33:18 EST ---

selinux-policy-3.9.7-29.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-29.fc14

--- Additional comment from nkinder on 2011-02-04 13:42:38 EST ---

I tested the new package on Fedora 14 and I no longer see the AVCs originally reported.  I do however see this AVC when restarting the dirsrv-admin service:

type=AVC msg=audit(1296844128.917:129): avc:  denied  { search } for  pid=17132 comm="httpd.worker" name="dirsrv" dev=dm-0 ino=2506754 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir

The initial dirsrv and dirsrv-admin policy had the following macro call in the dirsrv-admin policy (inside of the dirsrvadmin_extend_httpd macro):

==============================
dirsrv_manage_config(httpd_t)
==============================

This macro had these rules:

===============================================
allow $1 dirsrv_config_t:dir manage_dir_perms;
allow $1 dirsrv_config_t:file manage_file_perms;
===============================================

This allowed httpd_t to "search" a dirsrv_config_t directory.  I do not see this in the current selinux-policy source for Fedora 14.  Is there some reason that this part of the policy was not added when we initially moved the policy from 389-ds-base and 389-ds-admin into selinux-policy?

--- Additional comment from nkinder on 2011-02-04 13:58:14 EST ---

Comparing the original dirsrv-admin policy to the selinux-policy-3.9.7-29 source, I see a few differences.  In the original dirsrvadmin_extend_httpd macro, we had this:

===================================
dirsrv_manage_config(httpd_t)
dirsrv_manage_log(httpd_t)
dirsrv_manage_var_run(httpd_t)
dirsrv_read_share(httpd_t)
dirsrv_signal(httpd_t)
dirsrv_signull(httpd_t)
dirsrvadmin_manage_config(httpd_t)
dirsrvadmin_manage_tmp(httpd_t)
===================================

In the current selinux-policy source, I see this:

=======================================
optional_policy(`
    dirsrvadmin_read_config(httpd_t)
    dirsrv_manage_log(httpd_t)
    dirsrv_manage_var_run(httpd_t)
    dirsrv_read_share(httpd_t)
    dirsrv_signal(httpd_t)
    dirsrv_signull(httpd_t)
    dirsrvadmin_manage_config(httpd_t)
    dirsrvadmin_manage_tmp(httpd_t)
')
=======================================

The big difference here are that dirsrv_manage_config(httpd_t) has been omitted.  I think that dirsrvadmin_read_config(httpd_t) was something that was added later for a different issue.  To fix this, we need dirsrv_manage_config(httpd_t) added to the current policy.

--- Additional comment from updates on 2011-02-04 14:53:59 EST ---

selinux-policy-3.9.7-29.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-29.fc14

--- Additional comment from mgrepl on 2011-02-07 09:45:25 EST ---

You are right,

dirsrv_manage_config(httpd_t)

is missing in F14. I am fixing it. Thank you.
Comment 1 Miroslav Grepl 2011-02-08 11:28:17 UTC 
Nathan,
could you test it with the latest RHEL6 policy.

selinux-policy-3.7.19-69.el6

which is available from brew. Thanks.
Comment 5 Nathan Kinder 2011-02-15 18:42:01 UTC 
(In reply to comment #1)
> Nathan,
> could you test it with the latest RHEL6 policy.
> 
> selinux-policy-3.7.19-69.el6
> 
> which is available from brew. Thanks.

I tested with selinux-policy-3.7.19-70.el6 using a RHEL6.1 nightly and everything looks good.  Thanks!
Comment 6 Miroslav Grepl 2011-02-15 22:10:28 UTC 
Great. Thank you.
Comment 8 errata-xmlrpc 2011-05-19 11:57:32 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html