Bug 740925
| Summary: | ns-slapd dirsrv_t netlink_route_socket denials | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Orion Poplawski <orion> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 6.2 | CC: | dwalsh, ksrot, mmalik, nkinder, shaines | |
| Target Milestone: | rc | |||
| Target Release: | 6.2 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-118.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 840956 (view as bug list) | Environment: | ||
| Last Closed: | 2011-12-06 10:19:26 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 840956 | |||
> Did not appear to affect my operation so far.
Hi,
do you say it did not appear to affect your operation when in enforcing, right?
Thank you.
These avc's are often related to using getpw calls, and usually end up needing auth_use_nsswitch() (In reply to comment #1) > > Did not appear to affect my operation so far. > > Hi, > do you say it did not appear to affect your operation when in enforcing, right? > Thank you. Correct, everything is apparently fine even in enforcing. (In reply to comment #2) > These avc's are often related to using getpw calls, and usually end up needing > auth_use_nsswitch() So is there something that needs to be fixed in package 389-ds-base? (In reply to comment #4) > (In reply to comment #2) > > These avc's are often related to using getpw calls, and usually end up needing > > auth_use_nsswitch() > > So is there something that needs to be fixed in package 389-ds-base? It sounds like we need to add auth_use_nsswitch() to the dirsrv_t policy in selinux-policy, as we do call getpwnam() during startup of a DS instance. Fixed in selinux-policy-3.7.19-118.el6.noarch
# sesearch -A -s dirsrv_t -t dirsrv_t -c netlink_route_socket
Found 1 semantic av rules:
allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html |
Description of problem: On directory server startup I'm seeing (in permissive mode): type=AVC msg=audit(1316806800.921:105382): avc: denied { create } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1316806800.922:105383): avc: denied { bind } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1316806800.922:105384): avc: denied { getattr } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1316806800.922:105385): avc: denied { write } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1316806800.922:105385): avc: denied { nlmsg_read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket type=AVC msg=audit(1316806800.922:105386): avc: denied { read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket Did not appear to affect my operation so far. Version-Release number of selected component (if applicable): 389-ds-base-1.2.9.9-1.el5 selinux-policy-2.4.6-316.el5