Bug 860226

Summary: SELinux is preventing /usr/sbin/nslcd from 'name_connect' accesses on the tcp_socket .
Product: [Fedora] Fedora Reporter: Sergey <lis82>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: bugzilla, dominick.grift, dwalsh, mgrepl, robk
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:010536a214dc79dfb9ba41ec6b56b99c29046df27c12ea1c0d4ca48805311f44
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-20 15:03:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Sergey 2012-09-25 10:37:15 UTC 
Additional info:
libreport version: 2.0.13
kernel:         3.5.3-1.fc17.i686

description:
:SELinux is preventing /usr/sbin/nslcd from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that nslcd should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep nslcd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:nslcd_t:s0
:Target Context                system_u:object_r:ldap_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        nslcd
:Source Path                   /usr/sbin/nslcd
:Port                          389
:Host                          (removed)
:Source RPM Packages           nss-pam-ldapd-0.7.16-2.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.3-1.fc17.i686 #1 SMP Wed Aug
:                              29 19:25:38 UTC 2012 i686 i686
:Alert Count                   1
:First Seen                    2012-09-25 13:34:47 FET
:Last Seen                     2012-09-25 13:34:47 FET
:Local ID                      9c6b1bdd-8f61-4f86-a979-162cb0be388d
:
:Raw Audit Messages
:type=AVC msg=audit(1348569287.890:144): avc:  denied  { name_connect } for  pid=10543 comm="nslcd" dest=389 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1348569287.890:144): arch=i386 syscall=socketcall success=no exit=EINPROGRESS a0=3 a1=b566fce0 a2=b76fcff4 a3=0 items=0 ppid=1 pid=10543 auid=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm=nslcd exe=/usr/sbin/nslcd subj=system_u:system_r:nslcd_t:s0 key=(null)
:
:Hash: nslcd,nslcd_t,ldap_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= nslcd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     authlogin_nsswitch_use_ldap, allow_ypbind
:
:allow nslcd_t ldap_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= nslcd_t ==============
:#!!!! This avc can be allowed using one of the these booleans:
:#     authlogin_nsswitch_use_ldap, allow_ypbind
:
:allow nslcd_t ldap_port_t:tcp_socket name_connect;
:
Comment 1 Sergey 2012-09-25 10:37:18 UTC 
Created attachment 616958 [details]
File: type
Comment 2 Sergey 2012-09-25 10:37:20 UTC 
Created attachment 616959 [details]
File: hashmarkername
Comment 3 Daniel Walsh 2012-09-25 18:54:41 UTC 
I see this allowed in selinux-policy-3.10.0-150.fc17
Comment 4 Fedora Update System 2012-10-08 14:06:07 UTC 
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Comment 5 Fedora Update System 2012-10-08 21:57:10 UTC 
Package selinux-policy-3.10.0-153.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17
then log in and leave karma (feedback).
Comment 6 David Mansfield 2012-10-18 19:29:03 UTC 
I have the same exact problem, and the update to selinux-policy-3.10.0-153.fc17.noarch did not fix it:

Here is relevant aureport:

1707. 10/18/2012 15:26:21 nslcd system_u:system_r:nslcd_t:s0 42 tcp_socket name_connect system_u:object_r:ldap_port_t:s0 denied 11939

I restarted nslcd daemon in case it matters, but did not reboot (shouldn't have to).
Comment 7 Miroslav Grepl 2012-10-19 09:26:52 UTC 
Fixed.

commit c58b47335ab984dd47feeb0b67952b586a835d2c
Author: Miroslav Grepl <mgrepl>
Date:   Fri Oct 19 11:26:25 2012 +0200

    Allow nslcd to connect to ldap port without boolean
Comment 9 Rob K 2012-10-25 05:44:00 UTC 
Not fixed for me:

rpm -q selinux-policy
selinux-policy-3.10.0-156.fc17.noarch

Had to do policy tweak as per selinux-troubleshooter instructions to get this to work.
Comment 10 Rob K 2012-10-25 06:07:45 UTC 
Woops. If anyone could remove the hostname from comment 8 that would be splendid.
Comment 11 Daniel Walsh 2012-10-25 18:12:40 UTC 
I can make it private, not sure I can modify it.
Comment 12 Daniel Walsh 2012-10-25 18:13:19 UTC 
Rob please show us the latest AVC messages.
Comment 13 Rob K 2012-10-26 00:21:26 UTC 
Last AVC in the log before I tweaked policy:

type=SYSCALL msg=audit(1351136435.126:100): arch=c000003e syscall=42 success=no 
exit=-13 a0=b a1=7fcd2000a410 a2=1c a3=7fcd25345254 items=0 ppid=1 pid=1717 auid
=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=
(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:
nslcd_t:s0 key=(null)
type=AVC msg=audit(1351136435.126:101): avc:  denied  { name_connect } for  pid=
1717 comm="nslcd" dest=389 scontext=system_u:system_r:nslcd_t:s0 tcontext=system
_u:object_r:ldap_port_t:s0 tclass=tcp_socket
Comment 14 Rob K 2012-10-26 00:32:13 UTC 
(In reply to comment #11)
> I can make it private, not sure I can modify it.

If you could make #8 private that would be great; but I can live otherwise.
Comment 15 Daniel Walsh 2012-10-26 18:37:05 UTC 
Fixed in 3.10.0-157
Comment 16 Fedora Update System 2012-11-06 08:22:13 UTC 
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 17 Fedora Update System 2012-11-08 02:04:33 UTC 
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2012-12-20 15:03:08 UTC 
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.