Bug 826028
Summary: | SELinux denies socket access to nslcd
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Version: | 16
Status: | CLOSED ERRATA
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Dennis Schridde <devurandom>
Assignee: | Miroslav Grepl <mgrepl>
QA Contact: | Ben Levenson <benl>
CC: | dwalsh, jhrozek, mgrepl, nalin
Doc Type: | Bug Fix
Type: | Bug
: | 833387
Last Closed: | 2012-06-28 03:27:15 UTC
Bug Blocks: | 833387
Description
Dennis Schridde
2012-05-29 12:21:33 UTC
P.S: We set up auth like this:

authconfig --enableldap --enableldapauth --disableldaptls --enablemkhomedir --ldapserver=... --ldapbasedn=... --disablesssd --disablekrb5 --updateall

P.P.S: Might also have been:

authconfig --enableforcelegacy --enableldap --enableldapauth --disableldaptls --enablemkhomedir --ldapserver=... --ldapbasedn=... --updateall

But I think that should be equivalent?

This doesn't look like an nss-pam-ldapd problem to me. I agree that the boolean's description looks suspicious.

Turning on authlogin_nsswitch_use_ldap means you are using ldap for passwd resolution without using sssd.

(In reply to comment #4)
> Turning on authlogin_nsswitch_use_ldap means you are using ldap for passwd
> resolution without using sssd.

In that case the description "Allow users to login using a sssd server" is wrong.

That still leaves the connectto and write denials for the nslcd socket.

Changed to " Allow users to resolve user passwd entries directly from ldap rather then using a sssd server"

Why is abrt trying to connect to the nslcd?

Should every domain that needs to connect to ldap be allowed to connect to nslcd?

Nevermind it already is.

Miroslav, we need to back port F17 abrt.te to F16.

Fixed in selinux-policy-3.10.0-89.fc16

selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16

Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).

selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.