1012526 – Allow 389-ds-base to create subdir of /dev/shm

Bug 1012526 - Allow 389-ds-base to create subdir of /dev/shm

Summary: Allow 389-ds-base to create subdir of /dev/shm

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1012528
TreeView+	depends on / blocked

Reported:	2013-09-26 15:13 UTC by Rich Megginson
Modified:	2015-02-18 16:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1012528 (view as bug list)
Environment:
Last Closed:	2013-10-30 09:43:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rich Megginson 2013-09-26 15:13:11 UTC

Description of problem:

The 389-ds-base (dirsrv) needs to create and use a subdirectory of /dev/shm e.g. /dev/shm/slapd-hostname

We are able to workaround the problem by creating a policy module like this:

policy_module(dirsrv_tmpfs,1.0.0)
type dirsrv_t;
type tmpfs_t;
allow dirsrv_t tmpfs_t:dir create;

semanage -i dirsrv_tmpfs.pp

but it would be better if this were part of the base OS policy

Version-Release number of selected component (if applicable):
RHEL 6.4/6.5

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2013-09-26 15:18:19 UTC

We need to add additional rules for dirsrv_tmpfs_t.

Comment 2 Miroslav Grepl 2013-09-26 15:19:05 UTC

Added to Fedora.

commit 585bdff20eebd268561d577650642a89bc16f150
Author: Miroslav Grepl <mgrepl>
Date:   Thu Sep 26 17:18:13 2013 +0200

    Allow dirsrv to create dirs in /dev/shm with dirsrv_tmpfs label

Comment 3 Milos Malik 2013-09-27 07:17:45 UTC

Hi Rich, are you willing to test the scenario once the new selinux-policy packages become available?

Comment 4 Rich Megginson 2013-09-27 13:28:18 UTC

(In reply to Milos Malik from comment #3)
> Hi Rich, are you willing to test the scenario once the new selinux-policy
> packages become available?

Yes.

Comment 6 Miroslav Grepl 2013-10-30 09:43:29 UTC

More fixes have been added during RHEL6.5 cycle related to dirsrv and this bug should be fixed. If no, please re-open the bug and it will be addressed in RHEL6.6.

Note You need to log in before you can comment on or make changes to this bug.