Bug 684269

Summary: ns-slapd SELinux port errors
Product: Red Hat Enterprise Linux 6
Reporter: Jenny Severance <jgalipea>
Component: ipa
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 6.1
CC: benl, dpal, dwalsh, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-2.0.0-16.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:44:37 UTC

Description Jenny Severance 2011-03-11 16:23:09 UTC
Description of problem:
With latest build, getting ns-slapd AVCs ...

<snip>

type=SYSCALL msg=audit(1299852348.354:93): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fffd86a25c0 a2=1c a3=0 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.354:93): avc:  denied  { name_bind } for  pid=12044 comm="ns-slapd" src=7390 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Fri Mar 11 09:05:48 2011
type=SYSCALL msg=audit(1299852348.355:94): arch=c000003e syscall=4 success=yes exit=0 a0=7fffd86a18f0 a1=7fffd86a1830 a2=7fffd86a1830 a3=7fffd86a1660 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.355:94): avc:  denied  { read } for  pid=12044 comm="ns-slapd" name="cert8.db" dev=dm-0 ino=173411 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_config_t:s0 tclass=lnk_file

</snip>


In order to do TLS we had to define a SSL port so I picked 7390. Trying to set it to resulted in an error that it had to be between 1 and 64k. We really don't need an SSL listener so if there is another way to avoid this I'd rather go that route.

I symlinked the NSS databases because they can share the same cert and it means we don't need another certmonger invocation. Looks like I'll need to do a separate database.

https://fedorahosted.org/freeipa/ticket/1085



Version-Release number of selected component (if applicable):
ipa-server-2.0.0-13.20110311T0734zgitdcf7a18.el6

Comment 2 Rob Crittenden 2011-03-15 18:12:52 UTC
master: 861d1bbdca4793fb45fb233d236d3793cc23da36

Comment 3 Daniel Walsh 2011-03-15 19:21:14 UTC
Is 7390 a normal port for dirsrv to bind to?

Comment 4 Rob Crittenden 2011-03-15 19:27:47 UTC
No. We use 2 separate instances of dirsrv in IPA, one for storing user data and one for use by dogtag to store certificates.

Comment 6 Daniel Walsh 2011-03-15 21:33:09 UTC
Ok, let's add

network_port(dogtag, tcp,7390,s0)

corenet_tcp_bind_dogtag_port(dirsrv_t)

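The two denials in this bug are a good illustration of why audit2allow output should not be applied blindly: the `name_bind` denial means port 7390 still carries the generic `port_t` label (the policy fix above gives it a dedicated type rather than letting `dirsrv_t` bind any unlabelled port), and the `lnk_file` denial is the symlinked NSS database that Rob decided to replace with a separate database. The following triage script is an added example, not code from the bug, from IPA or from selinux-policy. It pairs each AVC record with its SYSCALL record by audit serial so that `success=yes` next to a denial is recognised for what it is (permissive mode, as the `sestatus` output in the next comment confirms), prints the rule audit2allow would generate, and suggests the narrower fix. The sample input is the bug's own two denials, trimmed to the fields the parser needs; the port type `dogtag_port_t` is assumed from Dan Walsh's `network_port(dogtag, ...)` declaration and must exist in the loaded policy for the `semanage` line to work.

```python
"""Triage SELinux AVC denials like the ones in this bug and suggest a targeted fix."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two denials from this bug, trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1299852348.354:93): arch=c000003e syscall=49 success=yes exit=0 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
type=AVC msg=audit(1299852348.354:93): avc:  denied  { name_bind } for  pid=12044 comm="ns-slapd" src=7390 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1299852348.355:94): arch=c000003e syscall=4 success=yes exit=0 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
type=AVC msg=audit(1299852348.355:94): avc:  denied  { read } for  pid=12044 comm="ns-slapd" name="cert8.db" dev=dm-0 ino=173411 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_config_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*\bsuccess=(?P<success>yes|no)\b')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: int
    perms: List[str]
    fields: Dict[str, str]
    # True if the kernel refused the call (success=no), False if it only logged it
    # (success=yes, i.e. permissive mode), None if no SYSCALL record shares the serial.
    blocked: Optional[bool] = None

    @property
    def source_type(self) -> str:
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]


def parse_audit(text: str) -> List[Denial]:
    """One Denial per AVC record, with enforcement status taken from its SYSCALL twin."""
    syscall_result: Dict[int, str] = {}
    denials: List[Denial] = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscall_result[int(m['serial'])] = m['success']
            continue
        m = AVC_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
            denials.append(Denial(int(m['serial']), m['perms'].split(), fields))
    for d in denials:
        if d.serial in syscall_result:
            d.blocked = syscall_result[d.serial] == 'no'
    return denials


def allow_rule(d: Denial) -> str:
    """The rule audit2allow would emit for this denial; shown for comparison, often too broad."""
    return f"allow {d.source_type} {d.target_type}:{d.fields['tclass']} {' '.join(d.perms)};"


def remediation(d: Denial, port_type: str = 'dogtag_port_t') -> str:
    """Narrower fix for the two patterns in this bug; port_type is an assumed label."""
    tclass, src, tgt = d.fields['tclass'], d.source_type, d.target_type
    if tclass == 'tcp_socket' and 'name_bind' in d.perms and tgt == 'port_t':
        port = d.fields['src']
        return (f"port {port}/tcp carries the generic port_t label; do not allow {src} to bind "
                f"port_t (that would cover every unlabelled port). Give the port its own type:\n"
                f"  semanage port -a -t {port_type} -p tcp {port}\n"
                f"  (policy-side: network_port(dogtag, tcp, {port}, s0) and "
                f"corenet_tcp_bind_dogtag_port({src}))")
    if tclass == 'lnk_file' and 'read' in d.perms:
        return (f"{src} may not follow the symlink {d.fields.get('name')} labelled {tgt}; "
                f"replace the symlink with a real file, or add: {allow_rule(d)}")
    return f"no canned fix; review manually: {allow_rule(d)}"


if __name__ == '__main__':
    for d in parse_audit(SAMPLE_AUDIT):
        state = {True: 'BLOCKED', False: 'permissive (logged only)', None: 'unknown'}[d.blocked]
        print(f"serial {d.serial}: {allow_rule(d)}  [{state}]")
        print(remediation(d))
```

Before running the `semanage port -a` line on a real host, check `semanage port -l | grep 7390`: if the updated policy already defines the port (as ipa-server-selinux-2.0.0-16.el6 does per the verification below), `-a` fails with "already defined" and nothing needs to be done.
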
Comment 7 Jenny Severance 2011-03-15 21:42:49 UTC
however slightly different:

Info: Searching AVC errors produced since 1300223410.91 (Tue Mar 15 17:10:10 2011)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 03/15/2011 17:10:10 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.nc659X 2>&1'
----
time->Tue Mar 15 17:24:23 2011
type=SYSCALL msg=audit(1300224263.080:102): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fff3e7a29a0 a2=1c a3=0 items=0 ppid=13856 pid=13857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1300224263.080:102): avc:  denied  { name_bind } for  pid=13857 comm="ns-slapd" src=7390 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Tue Mar 15 17:24:23 2011
type=SYSCALL msg=audit(1300224263.081:103): arch=c000003e syscall=4 success=yes exit=0 a0=7fff3e7a1cd0 a1=7fff3e7a1c10 a2=7fff3e7a1c10 a3=7fff3e7a1a40 items=0 ppid=13856 pid=13857 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1300224263.081:103): avc:  denied  { read } for  pid=13857 comm="ns-slapd" name="key3.db" dev=dm-0 ino=174685 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_config_t:s0 tclass=lnk_file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.nc659X | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.NKahNU 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-78.el6.noarch

Comment 8 Dmitri Pal 2011-03-15 22:21:38 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
For beta release notes: Please run IPA testing with the SELinux in permissive mode.

Comment 9 Jenny Severance 2011-03-15 22:39:54 UTC
verified: no technical note required.  No ns-slapd AVCs observed with latest RHEL 6.1 build.

version:
ipa-server-2.0.0-16.el6.x86_64

Comment 10 Jenny Severance 2011-03-15 22:40:48 UTC
Also to note:  ipa-server-selinux-2.0.0-16.el6.x86_64

Comment 11 Dmitri Pal 2011-03-15 22:50:23 UTC
Please disregard comment #8

Comment 12 Dmitri Pal 2011-03-15 22:50:23 UTC
Deleted Technical Notes Contents.

Old Contents:
For beta release notes: Please run IPA testing with the SELinux in permissive mode.

Comment 13 errata-xmlrpc 2011-05-19 13:44:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0631.html