Bug 856098
| Summary: | service slapd start causes AVC message | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> | |
| Component: | openldap | Assignee: | Jan Synacek <jsynacek> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.0 | CC: | dwalsh, ebenes, jsynacek, mmalik | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | openldap-2.4.33-1.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 859019 (view as bug list) | Environment: | ||
| Last Closed: | 2014-06-13 10:52:01 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 859019 | |||
Following AVCs appeared in enforcing mode:
----
time->Tue Sep 11 10:27:23 2012
type=PATH msg=audit(1347352043.811:10189): item=1 name=(null) inode=3670626 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1347352043.811:10189): item=0 name="/usr/sbin/slaptest" inode=3678745 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:slapd_exec_t:s0
type=CWD msg=audit(1347352043.811:10189): cwd="/"
type=EXECVE msg=audit(1347352043.811:10189): argc=2 a0="/usr/sbin/slaptest" a1="-u"
type=SYSCALL msg=audit(1347352043.811:10189): arch=c000003e syscall=59 success=yes exit=0 a0=1fa9e50 a1=1fa9420 a2=1fa8f90 a3=18 items=2 ppid=31277 pid=31278 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="slaptest" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
----
Does slaptest do something like command < _EOF line1 line2 _EOF BTW is this a real test or just some testing code you guys are doing? slaptest is a part of openldap-servers package and it's executed from slapd.service file. # rpm -ql openldap-servers | grep slaptest
/usr/sbin/slaptest
/usr/share/man/man8/slaptest.8.gz
# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target
[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
[Install]
WantedBy=multi-user.target
# head /usr/libexec/openldap/check-config.sh
#!/bin/sh
# Author: Jan Vcelak <jvcelak>
. /usr/libexec/openldap/functions
function check_config_syntax()
{
retcode=0
tmp_slaptest=`mktemp`
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
# ls -l /usr/sbin/slaptest
lrwxrwxrwx. 1 root root 5 Aug 22 10:36 /usr/sbin/slaptest -> slapd
#
How about run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &> /var/run/openldap/slaptest.log Services should not be using /tmp. Resolved in openldap-2.4.33-1.el7 This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: service slapd start cause avc message, slaptest fail to write. /usr/lib/systemd/system/slapd.service have in config ExecStartPre=/usr/libexec/openldap/check-config.sh which run slaptest type=AVC msg=audit(1347360019.846:833): avc: denied { write } for pid=12425 comm="slaptest" path="/tmp/tmp.t4gJT7yp7p" dev="dm-2" ino=654207 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file Version-Release number of selected component (if applicable): selinux-policy-3.11.1-11.el7 openldap-2.4.32-2.el7 How reproducible: always