Bug 727039
| Summary: | AVCs when trying to create new 389-ds instance through 389-console | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | RHEL Program Management <pm-rhel> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 6.1 | CC: | ckannan, dwalsh, jgalipea, jwest, ksrot, mgrepl, mmalik, nkinder, pm-eus, rmeggins, shaines, yzhang | ||||||
| Target Milestone: | rc | Keywords: | ZStream | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.7.19-93.el6_1.7 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2011-08-22 12:45:46 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 715038 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
RHEL Program Management
2011-08-01 06:43:15 UTC
Fixed in selinux-policy-3.7.19-93.el6_1.4. May I kindly ask to retest this bug on RHEL6.1 with selinux-policy-3.7.19-93.el6_1.4? Thank you in advance. This is failing still on RHEL 6.1 i386 with selinux-policy-3.7.19-93.el6_1.4. The problem is that the DS CGI scripts are not labelled right. Everything in /usr/lib/dirsrv/cgi-bin is labelled as lib_t, which is incorrect. Using semanage, I can see that the policy is referring to the 64-bit libdir, even on a 32-bit system: ------------------------------------------------------------------- /usr/lib64/dirsrv/cgi-bin(/.*)? all files system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 /usr/lib64/dirsrv/cgi-bin/ds_create regular file system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 /usr/lib64/dirsrv/cgi-bin/ds_remove regular file system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 /usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? all files system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 ------------------------------------------------------------------- These rules need to use "/usr/lib/dirsrv" on an i386 system, and "/usr/lib64/dirsrv" on an x86_64 system. I also tested selinux-policy-3.7.19-93.el6_1.4 on a RHEL 6.1 x86_64 system, but encountered a number of AVC messages there as well when creating a new DS instance via redhat-idm-console. I will attach the audit log and audit2allow messages from that system. Created attachment 516920 [details]
audit log
Created attachment 516921 [details]
audit2allow messages
I am fixing labels and adding missing rules dirsrvadmin_domtrans_unconfined_script_t(httpd_t) which causes these AVC msgs. Fixed in selinux-policy-3.7.19-93.el6_1.5 (In reply to comment #12) > Fixed in selinux-policy-3.7.19-93.el6_1.5 This new package passes my instance creation tests on both i386 and x86_64 architectures. Tested with selinux-policy-3.7.19-93.el6_1.7 on i386 platform. I have successfuly performed following actions: -service dirsrv-admin restart -service dirsrv restart Using redhat-idm-console" - create directory server instance - stop/start/restart directory server instance - remove directory server instance No AVC nor crashes/freeze. Anyway I would like to restest it with the new 389 build on x86_64 before switching this bug to VERIFIED. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1193.html |