Bug 746017
| Summary: | AVC when dirsrv attempts to run prelink with NSS db in FIPS mode | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rich Megginson <rmeggins> | ||||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||||
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 15 | CC: | dominick.grift, dwalsh, dwmw2, mgrepl, nkinder | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | |||||||||||
| : | 796351 (view as bug list) | Environment: | |||||||||
| Last Closed: | 2012-08-07 20:20:57 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 796351 | ||||||||||
| Attachments: |
|
||||||||||
I believe that we just need to add the following to the dirsrv policy: prelink_exec(dirsrv_t); We will test this to see if anything else is required. Created attachment 528089 [details]
after loading new policy
I did the following on F-15:
1) create a file dirsrv-prelink.te with the following contents:
policy_module(dirsrv-prelink,1.0.0)
require {
type dirsrv_t;
}
prelink_exec(dirsrv_t);
2) make -f /usr/share/selinux/devel/Makefile
3) semodule -i dirsrv-prelink.pp
After restarting dirsrv, I got the attached AVCs
Created attachment 528094 [details]
after running restorecon /usr/sbin/ns-slapd
Then I ran restorecon /usr/sbin/ns-slapd, and I got the attached AVC
(In reply to comment #2) > Created attachment 528089 [details] > after loading new policy > > I did the following on F-15: > 1) create a file dirsrv-prelink.te with the following contents: > policy_module(dirsrv-prelink,1.0.0) > > require { > type dirsrv_t; > } > > prelink_exec(dirsrv_t); > > 2) make -f /usr/share/selinux/devel/Makefile > 3) semodule -i dirsrv-prelink.pp > > After restarting dirsrv, I got the attached AVCs Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of 'prelink_exec(dirsrv_t)'. This will make prelink run in it's own context instead of using the dirsrv_t context. Could you try changing the policy module and testing with the prelink_domtrans macro? (In reply to comment #4) > (In reply to comment #2) > > Created attachment 528089 [details] > > after loading new policy > > > > I did the following on F-15: > > 1) create a file dirsrv-prelink.te with the following contents: > > policy_module(dirsrv-prelink,1.0.0) > > > > require { > > type dirsrv_t; > > } > > > > prelink_exec(dirsrv_t); > > > > 2) make -f /usr/share/selinux/devel/Makefile > > 3) semodule -i dirsrv-prelink.pp > > > > After restarting dirsrv, I got the attached AVCs > > Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of > 'prelink_exec(dirsrv_t)'. This will make prelink run in it's own context > instead of using the dirsrv_t context. Could you try changing the policy > module and testing with the prelink_domtrans macro? Yep, changing prelink_exec to prelink_domtrans in the above worked. No messages, no AVCs, in Permissive and in Enforcing mode. Well, this is not something what we want to allow by default. Dan, AFAIK we had the similar bug. I would prefer not to transition to prelink and allow the relabel for the current domain. prelink is a pretty powerfull domain, since it can read and write binaries. If you could somehow fool prelink you could take a system over. Allowing relabelto and relabelfrom types that you can read/write, I do not think is a problem. Fixed in selinux-policy-3.9.16-44.fc15 This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping |
Created attachment 528064 [details] AVC and SYSCALL messages If dirsrv uses modutil -dbdir /etc/dirsrv/slapd-instname -fips true to enable FIPS mode in the NSS key/cert db, we get AVC messages because NSS_Initialize attempts to use prelink.