Description of problem: ELinux is preventing /usr/sbin/slapd from write access on the file /var/log/slapd/slapd.log. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that slapd should be allowed write access on the slapd.log file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep slapcat /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:slapd_t:s0 Target Context system_u:object_r:slapd_log_t:s0 Target Objects /var/log/slapd/slapd.log [ file ] Source slapcat Source Path /usr/sbin/slapd Port <Unknown> Host one Source RPM Packages openldap-servers-2.4.39-2.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-122.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name one Platform Linux one 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-02-20 21:49:25 CET Last Seen 2014-02-20 21:49:25 CET Local ID 2dbc250c-0780-4e38-bc46-8f3c354d79c8 Raw Audit Messages type=AVC msg=audit(1392929365.382:14702): avc: denied { write } for pid=30732 comm="slapcat" path="/var/log/slapd/slapd.log" dev="dm-0" ino=54789041 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_log_t:s0 tclass=file type=SYSCALL msg=audit(1392929365.382:14702): arch=x86_64 syscall=open success=no exit=EACCES a0=7f1eac0bb900 a1=241 a2=1b6 a3=1 items=0 ppid=30731 pid=30732 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=slapcat exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null) Hash: slapcat,slapd_t,slapd_log_t,file,write Version-Release number of selected component (if applicable): selinux-policy-3.12.1-122.fc20.noarch openldap-servers-2.4.39-2.fc20.x86_64 How reproducible: Always. Steps to Reproduce: 1. Set slapd to write logs to /var/log/slapd 2. Start slapd. 3. Actual results: Denial. Expected results: No denial. Additional info: The policy audit2allow comes up with looks like this: allow slapd_t slapd_log_t:file write; Obviously slapd should have write access to files labelled slapd_log_t, so apparently this was missed, maybe because slapd is not set to write log files by default in Fedora 20.
It looks like there's no way to get slapd to write to /var/log/slapd itself---the olcLogFile directive in /etc/openldap/slapd.d/cn=config.ldif is ignored and slapd continues writing to the syslog. So, maybe this is not actually an oversight in the SELinux policy, since slapd won't successfully write a log there regardless.
A lot of policy assumes that we give processes append access and block write. The idea is if you have write access you can truncate the logs. But in a lot of cases we need to grant write or the app blows up.
commit dc1844f92d1d8a2825c6c7fa2cdfb84cb38486d0 Author: Lukas Vrabec <lvrabec> Date: Fri Feb 28 13:48:17 2014 +0100 allow slapd_t to manage own logs
selinux-policy-3.12.1-135.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-135.fc20
Package selinux-policy-3.12.1-135.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-135.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-3813/selinux-policy-3.12.1-135.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-135.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.