Bug 1002834 - selinux prevents execmod with nslcd
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss-pam-ldapd
Version: 7.0
Hardware: s390x Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Depends On:
Blocks:
Reported: 2013-08-30 01:49 EDT by David Spurek
Modified: 2015-03-02 00:28 EST

See Also:
Fixed In Version: nss-pam-ldapd-0.8.13-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 06:55:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description David Spurek 2013-08-30 01:49:48 EDT
Description of problem:
selinux prevents execmod with nslcd

time->Mon Aug 26 13:32:57 2013
type=SYSCALL msg=audit(1377538377.028:1491): arch=80000016 syscall=125 success=no exit=-13 a0=2aac7599000 a1=27000 a2=5 a3=2aac759a428 items=0 ppid=1 pid=18432 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r:nslcd_t:s0 key=(null)
type=AVC msg=audit(1377538377.028:1491): avc:  denied  { execmod } for  pid=18432 comm="nslcd" path="/usr/sbin/nslcd" dev="dm-2" ino=69797947 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:nslcd_exec_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Zj5wRF | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.qGVBh1 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-70.el7.noarch
Comment 2 Miroslav Grepl 2013-10-04 03:33:41 EDT
http://danwalsh.livejournal.com/6117.html?thread=23525
Comment 3 Nalin Dahyabhai 2013-10-04 15:42:05 EDT
Are you still seeing this bug?  Which version of nss-pam-ldapd was this?  What was its configuration?
Comment 4 David Spurek 2013-10-07 07:14:46 EDT
I still see this bug on s390x with selinux-policy-3.12.1-80.el7 and nss-pam-ldapd-0.8.13-2.el7.s390x. nslcd was configured with 'authconfig --enableldap --disablecache --enableldapauth --updateall --ldapbasedn dc=my-domain,dc=com --ldapserver ldap://my-domain.com'.

nslcd.conf then looks like:

uid nslcd
gid ldap
uri ldap://my-domain.com
base dc=my-domain,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
Comment 5 Nalin Dahyabhai 2013-10-16 15:58:34 EDT
I'm not able to reproduce this on my x86_64 system with the same versions of selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64.

My attempt to reserve an s390x system to see if it's arch-specific seems to have been stalled for a couple of days - do you have one which I'm able to access where you're still seeing this?
Comment 6 Jakub Hrozek 2013-10-18 11:45:53 EDT
(In reply to Nalin Dahyabhai from comment #5)
> I'm not able to reproduce this on my x86_64 system with the same versions of
> selinux-policy and nss-pam-ldapd, on kernel 3.10.0-33.el7.x86_64.
> 
> My attempt to reserve an s390x system to see if it's arch-specific seems to
> have been stalled for a couple of days - do you have one which I'm able to
> access where you're still seeing this?

David, feel free to ping me on IRC if you have a system that exhibits this bug.
Comment 7 Nalin Dahyabhai 2013-10-18 13:19:56 EDT
Beaker came through. It looks like the -fPIE that the hardened build macros add to the compile of nslcd/log.c isn't enough to avoid having a TEXTREL section in the nslcd binary. I'm not yet clear on the specifics, but it appears to be related to its use of thread-local storage.
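A defender-side check for the condition Comment 7 describes, added here as an example and not part of the bug thread: it parses the PT_DYNAMIC segment of an ELF64 image and reports whether the dynamic linker will need text relocations (a DT_TEXTREL entry, or DF_TEXTREL set in DT_FLAGS), which is the property that forces the linker to write to and re-execute mapped text pages and so trips the execmod check seen in the AVC above. The function and constant names are mine, and the sample image is constructed inline (big-endian with e_machine EM_S390, matching the reporter's s390x system) rather than taken from a real nslcd build.

```python
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 0x16, 0x1e
DF_TEXTREL = 0x4          # readelf -d shows this as "FLAGS: TEXTREL"

def _endian(elf):
    """Return the struct byte-order prefix from EI_DATA (s390x is big-endian)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 image")
    return "<" if elf[5] == 1 else ">"

def dynamic_entries(elf):
    """(tag, value) pairs of the PT_DYNAMIC segment of an ELF64 image, [] if none."""
    e = _endian(elf)
    phoff = struct.unpack_from(e + "Q", elf, 32)[0]           # e_phoff
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54)  # e_phentsize, e_phnum
    for i in range(phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(e + "IIQQQQ", elf, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        entries = []
        for off in range(p_offset, p_offset + p_filesz, 16):  # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(e + "qQ", elf, off)
            if tag == DT_NULL:
                break
            entries.append((tag, val))
        return entries
    return []

def has_textrel(elf):
    """True if the image needs text relocations (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS)."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(elf))

def sample_elf(textrel, little=False):
    """Constructed minimal ELF64 (big-endian, e_machine 22 = EM_S390 by default) with one PT_DYNAMIC."""
    e = "<" if little else ">"
    dyn = ([(DT_FLAGS, DF_TEXTREL)] if textrel else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack(e + "qQ", t, v) for t, v in dyn)
    ident = b"\x7fELF" + bytes([2, 1 if little else 2, 1, 0]) + b"\0" * 8
    # e_type..e_shstrndx: one 56-byte program header directly after the 64-byte ELF header
    ehdr = ident + struct.pack(e + "HHIQQQIHHHHHH", 2, 22, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack(e + "IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes
```

On a real system the same check is `has_textrel(open("/usr/sbin/nslcd", "rb").read())`, and a rebuilt package should report no text relocations before it is shipped.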
Comment 9 Jakub Hrozek 2013-10-21 16:26:33 EDT
I verified Nalin's findings on an s390x test machine.
Comment 12 Ludek Smid 2014-06-13 06:55:47 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
