Bug 856098
| Summary: | service slapd start causes AVC message | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | openldap | Assignee: | Jan Synacek <jsynacek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 | CC: | dwalsh, ebenes, jsynacek, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openldap-2.4.33-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 859019 | Environment: | |
| Last Closed: | 2014-06-13 10:52:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 859019 | | |
Description
David Spurek
2012-09-11 08:15:26 UTC
Following AVCs appeared in enforcing mode:

```
----
time->Tue Sep 11 10:27:23 2012
type=PATH msg=audit(1347352043.811:10189): item=1 name=(null) inode=3670626 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(1347352043.811:10189): item=0 name="/usr/sbin/slaptest" inode=3678745 dev=08:04 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:slapd_exec_t:s0
type=CWD msg=audit(1347352043.811:10189): cwd="/"
type=EXECVE msg=audit(1347352043.811:10189): argc=2 a0="/usr/sbin/slaptest" a1="-u"
type=SYSCALL msg=audit(1347352043.811:10189): arch=c000003e syscall=59 success=yes exit=0 a0=1fa9e50 a1=1fa9420 a2=1fa8f90 a3=18 items=2 ppid=31277 pid=31278 auid=4294967295 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm="slaptest" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
----
```

Does slaptest do something like

```
command < _EOF
line1
line2
_EOF
```

BTW is this a real test or just some testing code you guys are doing?

slaptest is a part of openldap-servers package and it's executed from slapd.service file.

```
# rpm -ql openldap-servers | grep slaptest
/usr/sbin/slaptest
/usr/share/man/man8/slaptest.8.gz

# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

[Install]
WantedBy=multi-user.target

# head /usr/libexec/openldap/check-config.sh
#!/bin/sh
# Author: Jan Vcelak <jvcelak>

. /usr/libexec/openldap/functions

function check_config_syntax()
{
	retcode=0
	tmp_slaptest=`mktemp`
	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest

# ls -l /usr/sbin/slaptest
lrwxrwxrwx. 1 root root 5 Aug 22 10:36 /usr/sbin/slaptest -> slapd
```

How about

```
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &> /var/run/openldap/slaptest.log
```

Services should not be using /tmp.

Resolved in openldap-2.4.33-1.el7

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
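As an added example, not part of the bug report or the openldap package: a small Python triage helper that parses audit records of the kind shown above and flags the shape of this denial, a confined service domain refused a /tmp file that carries another domain's private tmp label. The sample records are constructed from the report's SYSCALL and AVC lines (the SYSCALL line shortened) plus one made-up record for contrast.

```python
import re

# Constructed sample: the SYSCALL and AVC records from the report (SYSCALL line shortened),
# plus one made-up AVC against a slapd_tmp_t file to show what does NOT get flagged.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1347352043.811:10189): arch=c000003e syscall=59 success=yes exit=0 pid=31278 comm="slaptest" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1347352043.811:10189): avc: denied { write } for pid=31278 comm="slaptest" path="/tmp/tmp.ERiA2LfAdC" dev="tmpfs" ino=320241 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1347352099.100:10190): avc: denied { read } for pid=31300 comm="slaptest" path="/tmp/slapd.cfg" dev="tmpfs" ino=320300 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_tmp_t:s0 tclass=file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value or key="quoted value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')   # avc: denied { write }

def parse_audit_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        fields["result"] = m.group(1)
        fields["perms"] = tuple(m.group(2).split())
    return fields

def selinux_type(context):
    """user:role:type:level -> type, e.g. 'system_u:system_r:slapd_t:s0' -> 'slapd_t'."""
    return context.split(":")[2]

def find_tmp_label_mismatches(audit_text):
    """Unique AVC denials where domain foo_t is refused a /tmp file labelled bar_tmp_t
    (another domain's private tmp type), the shape of slapd_t vs initrc_tmp_t above."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "AVC" or rec.get("result") != "denied":
            continue
        if rec.get("tclass") != "file" or not rec.get("path", "").startswith("/tmp/"):
            continue
        src = selinux_type(rec["scontext"])   # e.g. slapd_t
        tgt = selinux_type(rec["tcontext"])   # e.g. initrc_tmp_t
        if not tgt.endswith("_tmp_t"):
            continue
        if tgt[:-len("_tmp_t")] + "_t" == src:
            continue                          # the domain's own tmp files are a different problem
        hit = (rec["comm"], rec["path"], src, tgt, rec["perms"])
        if hit not in hits:                   # the report shows the same denial logged twice
            hits.append(hit)
    return hits
```

Each hit names the process, the file, and the two types involved, which is what a fix like writing under /var/run/openldap instead of a mktemp file in /tmp is meant to remove.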