Bug 1012526 - Allow 389-ds-base to create subdir of /dev/shm
Allow 389-ds-base to create subdir of /dev/shm
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks: 1012528
  Show dependency treegraph
 
Reported: 2013-09-26 11:13 EDT by Rich Megginson
Modified: 2015-02-18 11:26 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1012528 (view as bug list)
Environment:
Last Closed: 2013-10-30 05:43:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rich Megginson 2013-09-26 11:13:11 EDT
Description of problem:

The 389-ds-base (dirsrv) needs to create and use a subdirectory of /dev/shm e.g. /dev/shm/slapd-hostname

We are able to workaround the problem by creating a policy module like this:

policy_module(dirsrv_tmpfs,1.0.0)
type dirsrv_t;
type tmpfs_t;
allow dirsrv_t tmpfs_t:dir create;

semanage -i dirsrv_tmpfs.pp

but it would be better if this were part of the base OS policy

Version-Release number of selected component (if applicable):
RHEL 6.4/6.5

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Miroslav Grepl 2013-09-26 11:18:19 EDT
We need to add additional rules for dirsrv_tmpfs_t.
Comment 2 Miroslav Grepl 2013-09-26 11:19:05 EDT
Added to Fedora.

commit 585bdff20eebd268561d577650642a89bc16f150
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Sep 26 17:18:13 2013 +0200

    Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label
Comment 3 Milos Malik 2013-09-27 03:17:45 EDT
Hi Rich, are you willing to test the scenario once the new selinux-policy packages become available?
Comment 4 Rich Megginson 2013-09-27 09:28:18 EDT
(In reply to Milos Malik from comment #3)
> Hi Rich, are you willing to test the scenario once the new selinux-policy
> packages become available?

Yes.
Comment 6 Miroslav Grepl 2013-10-30 05:43:29 EDT
More fixes have been added during RHEL6.5 cycle related to dirsrv and this bug should be fixed. If no, please re-open the bug and it will be addressed in RHEL6.6.

Note You need to log in before you can comment on or make changes to this bug.