Bug 796423

Summary: AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
Product: Red Hat Enterprise Linux 6 Reporter: Benjamin Kahn <bkahn>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.3CC: amarecek, dominick.grift, dwalsh, dwmw2, emaldona, mgrepl, mmalik, msvoboda, nkinder, pm-eus, rmeggins, syeghiay
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-126.el6_2.9 Doc Type: Bug Fix
Doc Text:
Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-24 16:45:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 796351    
Bug Blocks:    

Description Benjamin Kahn 2012-02-22 20:41:40 UTC 
This bug has been copied from bug #796351 and has been proposed
to be backported to 6.2 z-stream (EUS).
Comment 4 Miroslav Grepl 2012-02-22 21:01:52 UTC 
Fixed in selinux-policy-3.7.19-126.el6_2.7
Comment 17 Miroslav Svoboda 2012-02-24 14:28:41 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.
Comment 18 errata-xmlrpc 2012-02-24 16:45:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0338.html