Bug 1510883 – slapd can not create and read links with slapd_tmp_t

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1510883 - slapd can not create and read links with slapd_tmp_t

Summary:	slapd can not create and read links with slapd_tmp_t

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7.5
Hardware:	All Linux

Priority	medium Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1400578
	Show dependency tree / graph

Reported:	2017-11-08 06:40 EST by Patrik Kis
Modified:	2018-04-10 08:46 EDT (History)
CC List:	7 users (show)

See Also:
Fixed In Version:	selinux-policy-3.13.1-179.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-04-10 08:46:03 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	None	None	None	2018-04-10 08:46 EDT

Groups: None (edit)

Description Patrik Kis 2017-11-08 06:40:53 EST

Description of problem:
After adding a new feature to openldap where nss certs are converted to pem files, slapd need create and read links with slapd_tmp_t, but the policy prevents it.

Version-Release number of selected component (if applicable):
openldap-servers-2.4.44-9.el7
selinux-policy-3.13.1-166.el7

How reproducible:
always

Steps to Reproduce:

Comment 3 Milos Malik 2017-11-08 06:57:37 EST

----
type=PROCTITLE msg=audit(11/08/2017 12:56:22.981:102) : proctitle=/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// 
type=SYSCALL msg=audit(11/08/2017 12:56:22.981:102) : arch=x86_64 syscall=symlink success=no exit=EACCES(Permission denied) a0=0x55f87750434b a1=0x55f877518d40 a2=0x0 a3=0x7fecdf00c2d9 items=0 ppid=1 pid=21835 auid=unset uid=ldap gid=ldap euid=ldap suid=ldap fsuid=ldap egid=ldap sgid=ldap fsgid=ldap tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2017 12:56:22.981:102) : avc:  denied  { create } for  pid=21835 comm=slapd name=ce275665.0 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_tmp_t:s0 tclass=lnk_file permissive=0 
----

Comment 4 Milos Malik 2017-11-08 07:05:36 EST

SELinux denial mentioned in comment#3 was caught in enforcing mode. Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(11/08/2017 13:03:42.667:248) : proctitle=/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// 
type=PATH msg=audit(11/08/2017 13:03:42.667:248) : item=2 name=/tmp/certs--tlsmc-4FEAC3A966D2FF8BF5320A899F0CAD6CDB5A2A5716296E725516E4795F85B6E2/cacerts/ce275665.0 inode=26297909 dev=fd:03 mode=link,777 ouid=ldap ogid=ldap rdev=00:00 obj=system_u:object_r:slapd_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(11/08/2017 13:03:42.667:248) : item=1 name=/tmp/certs--tlsmc-4FEAC3A966D2FF8BF5320A899F0CAD6CDB5A2A5716296E725516E4795F85B6E2/cacerts/ inode=26221754 dev=fd:03 mode=dir,700 ouid=ldap ogid=ldap rdev=00:00 obj=system_u:object_r:slapd_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(11/08/2017 13:03:42.667:248) : item=0 name=cert0.pem nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(11/08/2017 13:03:42.667:248) : cwd=/ 
type=SYSCALL msg=audit(11/08/2017 13:03:42.667:248) : arch=x86_64 syscall=symlink success=yes exit=0 a0=0x564d3a02dccb a1=0x564d3a69bdd0 a2=0x0 a3=0x7f09136a82d9 items=3 ppid=1 pid=18564 auid=unset uid=ldap gid=ldap euid=ldap suid=ldap fsuid=ldap egid=ldap sgid=ldap fsgid=ldap tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2017 13:03:42.667:248) : avc:  denied  { create } for  pid=18564 comm=slapd name=ce275665.0 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_tmp_t:s0 tclass=lnk_file permissive=1 
----
type=PROCTITLE msg=audit(11/08/2017 13:03:42.717:249) : proctitle=/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// 
type=PATH msg=audit(11/08/2017 13:03:42.717:249) : item=0 name=/tmp/certs--tlsmc-4FEAC3A966D2FF8BF5320A899F0CAD6CDB5A2A5716296E725516E4795F85B6E2/cacerts/ce275665.0 inode=26297908 dev=fd:03 mode=file,400 ouid=ldap ogid=ldap rdev=00:00 obj=system_u:object_r:slapd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(11/08/2017 13:03:42.717:249) : cwd=/ 
type=SYSCALL msg=audit(11/08/2017 13:03:42.717:249) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7fffcc8e0e20 a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=18564 auid=unset uid=ldap gid=ldap euid=ldap suid=ldap fsuid=ldap egid=ldap sgid=ldap fsgid=ldap tty=(none) ses=unset comm=slapd exe=/usr/sbin/slapd subj=system_u:system_r:slapd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2017 13:03:42.717:249) : avc:  denied  { read } for  pid=18564 comm=slapd name=ce275665.0 dev="vda3" ino=26297909 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:slapd_tmp_t:s0 tclass=lnk_file permissive=1 
----

Comment 13 errata-xmlrpc 2018-04-10 08:46:03 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.