Description of problem: selinux prevents execmod with nslcd

time->Mon Aug 26 13:32:57 2013
type=SYSCALL msg=audit(1377538377.028:1491): arch=80000016 syscall=125 success=no exit=-13 a0=2aac7599000 a1=27000 a2=5 a3=2aac759a428 items=0 ppid=1 pid=18432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1377538377.028:1491): avc: denied { execmod } for pid=18432 comm="nslcd" path="/usr/sbin/nslcd" dev="dm-2" ino=69797947 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:nslcd_exec_t:s0 tclass=file

Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks. Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Zj5wRF | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.qGVBh1 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-70.el7.noarch
http://danwalsh.livejournal.com/6117.html?thread=23525
Are you still seeing this bug? Which version of nss-pam-ldapd was this? What was its configuration?
I still see this bug on s390x with selinux-policy-3.12.1-80.el7 and nss-pam-ldapd-0.8.13-2.el7.s390x. nslcd was configured with 'authconfig --enableldap --disablecache --enableldapauth --updateall --ldapbasedn dc=my-domain,dc=com --ldapserver ldap://my-domain.com'. nslcd.conf then looks like:

uid nslcd
gid ldap
uri ldap://my-domain.com
base dc=my-domain,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
I'm not able to reproduce this on my x86_64 system with the same versions of selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64. My attempt to reserve an s390x system to see if it's arch-specific seems to have been stalled for a couple of days - do you have one which I'm able to access where you're still seeing this?
(In reply to Nalin Dahyabhai from comment #5)
> I'm not able to reproduce this on my x86_64 system with the same versions of
> selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64.
>
> My attempt to reserve an s390x system to see if it's arch-specific seems to
> have been stalled for a couple of days - do you have one which I'm able to
> access where you're still seeing this?

David, feel free to ping me on IRC if you have a system that exhibits this bug.
Beaker came through. It looks like the -fPIE that the hardened build macros add to the compile of nslcd/log.c isn't enough to avoid having a TEXTREL section in the nslcd binary. I'm not yet clear on the specifics, but it appears to be related to its use of thread-local storage.
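As an added example, not part of this bug thread or of nss-pam-ldapd: a small Python check for the DT_TEXTREL tag (or the DF_TEXTREL bit in DT_FLAGS) whose presence is what makes the loader request the execmod permission denied above. It reads ELF64 images in either byte order (x86_64 little-endian, s390x big-endian); build_elf produces a constructed sample image for testing and is not a real nslcd binary.

```python
import struct
import sys

PT_DYNAMIC = 2                      # program header type of the dynamic segment
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4                    # DT_FLAGS bit with the same meaning as DT_TEXTREL
EM_X86_64, EM_S390 = 62, 22


def has_textrel(elf: bytes) -> bool:
    """True if an ELF64 image (either byte order) is tagged as needing text relocations."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little-endian (x86_64), 2 = big-endian (s390x)
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(p_offset, p_offset + p_filesz, 16):   # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(end + "qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def build_elf(dyn_entries, big_endian=False) -> bytes:
    """Constructed sample: a minimal ELF64 image with one PT_DYNAMIC segment (not a real binary)."""
    end = ">" if big_endian else "<"
    dyn = b"".join(struct.pack(end + "qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack(end + "qQ", DT_NULL, 0)
    phoff, dynoff = 64, 64 + 56                     # header, then one 56-byte program header
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1]) + bytes(9)
    header = ident + struct.pack(end + "HHIQQQIHHHHHH", 3, EM_S390 if big_endian else EM_X86_64,
                                 1, 0, phoff, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(end + "IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(dyn), len(dyn), 8)
    return header + phdr + dyn


if __name__ == "__main__":
    # Usage: python textrel_check.py /usr/sbin/nslcd   (exit status 1 when TEXTREL is present)
    with open(sys.argv[1], "rb") as f:
        flagged = has_textrel(f.read())
    print("TEXTREL present" if flagged else "no TEXTREL")
    sys.exit(1 if flagged else 0)
```

The same information is shown by `readelf -d /usr/sbin/nslcd` as a TEXTREL entry; a hit on a package's own executable is the signal that the build, not the policy, needs fixing.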
I verified Nalin's findings on an s390x test machine.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.