Bug 767756

Summary: SELinux is preventing 389 admin server from opening ldap port
Product: Fedora
Reporter: Rich Megginson <rmeggins>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl, nkinder
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.10.0-67.fc16
Doc Type: Bug Fix
Last Closed: 2011-12-22 22:49:52 UTC
Bug Blocks: 767823

Description Rich Megginson 2011-12-14 20:14:22 UTC
The 389 admin server cannot open the ldap port to communicate with the ldap server.

[ 2230.468431] type=1400 audit(1323893235.080:40): avc:  denied  { name_connect } for  pid=2378 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Comment 1 Rich Megginson 2011-12-14 20:14:48 UTC
I marked as Urgent because this prevents admin server/console from working

Comment 2 Rich Megginson 2011-12-14 20:15:52 UTC
This is on F-16.  The system is up-to-date with the latest versions of all packages in updates.

Comment 3 Daniel Walsh 2011-12-14 20:52:12 UTC
audit2allow -i /tmp/t

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind, httpd_can_network_connect

allow httpd_t ldap_port_t:tcp_socket name_connect;

We do not allow this by default; we used to in < F16. We now turn off authlogin_nsswitch_use_ldap.

You can turn that on and make this work.  It has the side effect of allowing all confined domains that use getpw to be able to connect to ldap port.

Or you can turn on httpd_can_network_connect which will allow httpd to connect to all ports.

We can add a new boolean to allow apache to connect to ldap.  If this is considered real common.

Last option is you could install a policy module to allow httpd_t to connect to the ldap port.

Comment 4 Rich Megginson 2011-12-14 23:10:20 UTC
If we turn on httpd_can_network_connect will that allow _any_ httpd (and httpd.worker?) to connect to _any_ port?  If so, is that safe?

Comment 5 Miroslav Grepl 2011-12-15 08:36:39 UTC
But my question is why this runs in the httpd_t domain. I thought it should be running in the httpd_dirsrvadmin_script_t domain because we have

corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)

Comment 6 Rich Megginson 2011-12-15 15:11:56 UTC
When I start dirsrv-admin.service via systemctl, this is what I see:

[root@f16x8664 ~]# systemctl start dirsrv-admin.service
[root@f16x8664 ~]# ps -efZ | grep httpd
system_u:system_r:httpd_t:s0    root      2058     1  0 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2059  2058  0 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    nobody    2060  2058  1 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf

Why isn't httpd running in httpd_dirsrvadmin_script_t when I start it from systemctl?

Comment 7 Miroslav Grepl 2011-12-15 15:23:29 UTC
Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I think we could add a boolean.

Comment 8 Rich Megginson 2011-12-15 15:29:32 UTC
(In reply to comment #7)
> Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I
> think we could add a boolean.

Is this something I should do during 389-admin installation?  What boolean should I add?

Comment 9 Miroslav Grepl 2011-12-15 15:36:17 UTC
I am adding a new boolean

httpd_can_connect_ldap

which you will need to turn on during installation.
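As an added example (not from the bug report, Fedora's tooling, or 389-admin's installer): a small POSIX sh triage script that parses the AVC denial from the description and prints the narrowest boolean the thread settled on for httpd_t -> ldap_port_t, preferring httpd_can_connect_ldap (comment 9) over the port-wide httpd_can_network_connect (comment 3). It assumes only sed and awk and never runs setsebool itself.

```shell
#!/bin/sh
# Added example: triage an AVC denial and pick the least-privilege boolean
# discussed in this bug. Only sed/awk are used; no SELinux tools are executed.

# Constructed sample: the denial line from the bug description, as the kernel logs it.
AVC_LINE='type=1400 audit(1323893235.080:40): avc:  denied  { name_connect } for  pid=2378 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of KEY=value in an AVC line (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (system_u:system_r:httpd_t:s0 -> httpd_t).
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{print $3}'
}

# suggest_boolean SRC_TYPE TGT_TYPE CLASS PERM -> narrowest boolean, or "none".
# httpd_t -> ldap_port_t gets the per-service boolean added for this bug;
# any other port falls back to httpd_can_network_connect, which opens every
# port and is the broad option the reporter asked about in comment 4.
suggest_boolean() {
    case "$1:$2:$3:$4" in
        httpd_t:ldap_port_t:tcp_socket:name_connect) echo httpd_can_connect_ldap ;;
        httpd_t:*_port_t:tcp_socket:name_connect)    echo httpd_can_network_connect ;;
        *) echo none ;;
    esac
}

# remediation LINE -> the persistent setsebool command to apply (printed, not run).
# Returns 1 when no boolean covers the denial, i.e. a policy module is needed.
remediation() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    b=$(suggest_boolean "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perm "$1")")
    [ "$b" = none ] && { echo "no boolean covers this denial; write a policy module"; return 1; }
    echo "setsebool -P $b on"
}

remediation "$AVC_LINE"
```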

Comment 10 Miroslav Grepl 2011-12-15 15:39:20 UTC
Fixed in selinux-policy-3.10.0-67.fc16

Comment 11 Fedora Update System 2011-12-15 17:09:39 UTC
selinux-policy-3.10.0-67.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-67.fc16

Comment 12 Fedora Update System 2011-12-16 20:01:46 UTC
Package selinux-policy-3.10.0-67.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-67.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17191/selinux-policy-3.10.0-67.fc16
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2011-12-22 22:49:52 UTC
selinux-policy-3.10.0-67.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.