| Summary: | SELinux is preventing /usr/bin/perl from search|write|connectto access on the directory /var/run/nslcd | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dwalsh |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.9.7-31.fc14 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-02-24 20:53:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I use nslcd and amavisd-new and receive the following AVCs with selinux-policy-targeted-3.9.7-29.fc14.noarch:

```text
type=AVC msg=audit(1297510913.231:36992): avc: denied { search } for pid=20575 comm="amavisd" name="nslcd" dev=sdd3 ino=3808861 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1297510913.231:36992): avc: denied { write } for pid=20575 comm="amavisd" name="socket" dev=sdd3 ino=3808863 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1297510913.231:36992): avc: denied { connectto } for pid=20575 comm="amavisd" path="/var/run/nslcd/socket" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1297510913.231:36992): arch=x86_64 syscall=connect success=yes exit=0 a0=6 a1=7fffd6c84130 a2=6e a3=7fffd6c83e70 items=0 ppid=20568 pid=20575 auid=0 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=6029 comm=amavisd exe=/usr/bin/perl subj=system_u:system_r:amavis_t:s0 key=(null)

Hash: amavisd,amavis_t,nslcd_var_run_t,dir,search
```

audit2allow:

```text
#============= amavis_t ==============
allow amavis_t nslcd_t:unix_stream_socket connectto;
allow amavis_t nslcd_var_run_t:dir search;
allow amavis_t nslcd_var_run_t:sock_file write;
```

audit2allow -R:

```text
#============= amavis_t ==============
allow amavis_t nslcd_t:unix_stream_socket connectto;
allow amavis_t nslcd_var_run_t:dir search;
allow amavis_t nslcd_var_run_t:sock_file write;
```

Ok. Does it happen by default?

This happens after a fresh relabel/reboot as well as when amavisd-new is restarted. The above audit2allow rules are what were suggested in the setroubleshoot email. I have not applied these rules. I am not sure what else you might mean by "by default."

Add

```text
optional_policy(`
    nslcd_stream_connect(amavis_t)
')
```

Fixed in selinux-policy-3.9.7-31.fc14

selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
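As an added example (not part of the bug report or of the Fedora policy), the following Python parser turns the AVC records above into the same audit2allow-style rules and then flags the dir search / sock_file write / unix_stream_socket connectto triple that refpolicy's stream_connect_pattern() grants, which is why the fix is the nslcd_stream_connect() interface rather than three raw allow rules. The function and constant names are mine; the three sample records are copied from the report.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records from this bug report, one per line.
AVC_LINES = """\
type=AVC msg=audit(1297510913.231:36992): avc: denied { search } for pid=20575 comm="amavisd" name="nslcd" dev=sdd3 ino=3808861 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1297510913.231:36992): avc: denied { write } for pid=20575 comm="amavisd" name="socket" dev=sdd3 ino=3808863 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1297510913.231:36992): avc: denied { connectto } for pid=20575 comm="amavisd" path="/var/run/nslcd/socket" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=unix_stream_socket
"""

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<sctx>\S+)"
                    r"\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    """user:role:type:level -> type (the only field policy rules name)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line; other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m["sctx"]), selinux_type(m["tctx"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials into audit2allow-style 'allow' rules, one per (src, tgt, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc(text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ %s }" % p          # audit2allow braces multi-permission sets
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, p))
    return rules

def stream_connect_matches(text):
    """Return (src, dir_type, sock_type, daemon_type) for every source domain whose denials
    have the shape of stream_connect_pattern(): dir search + sock_file write + connectto."""
    by_src = defaultdict(dict)
    for src, tgt, tclass, perms in parse_avc(text):
        for want_class, want_perm in (("dir", "search"), ("sock_file", "write"),
                                      ("unix_stream_socket", "connectto")):
            if tclass == want_class and want_perm in perms:
                by_src[src][want_class] = tgt
    return [(src, t["dir"], t["sock_file"], t["unix_stream_socket"])
            for src, t in sorted(by_src.items()) if len(t) == 3]
```

A match such as (amavis_t, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) points at the target module's own stream-connect interface, which keeps the grant maintained alongside the nslcd policy instead of as loose rules in a local module.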