Bug 1654451 - dscreate permissions and SELinux labels "too relaxed/open", "incorrect"
Summary: dscreate permissions and SELinux labels "too relaxed/open", "incorrect"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-11-28 20:12 UTC by Marc Sauton
Modified: 2019-11-23 22:39 UTC (History)

Fixed In Version: 389-ds-base-1.4.0.20-1.module+el8+2553+e9a4c637
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-14 01:58:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description Marc Sauton 2018-11-28 20:12:46 UTC
Description of problem:

Directory permissions and SELinux labels are too "relaxed" or "incorrect" under /var/lib/dirsrv/slapd-*:
they should be 750 and system_u
instead of 755 and unconfined_u.
Note: "dsconf backup create" does create the directory permissions and SELinux labels correctly, see the example with "bak2" below.


Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux release 8.0 Beta (Ootpa)
389-ds-base-1.4.0.19-2.module+el8+1+36e60e1d.x86_64
python3-lib389-1.4.0.19-2.module+el8+1+36e60e1d.noarch


How reproducible:
always


Steps to Reproduce:

1. create a 389 instance:

cat << EOF > ~/instance.inf
[general]
[slapd]
root_password = password
[backend-userroot]
sample_entries = yes
suffix = dc=example,dc=com
EOF

dscreate from-file ~/instance.inf


2. create an online backup in a custom destination, just to see if permissions are created in a different way:

dsconf -D "cn=Directory Manager" ldap://rhds-test-day-8 backup create /var/lib/dirsrv/slapd-localhost/bak2


3. compare with RHEL-7 permissions, example:
ls -laZ /var/lib/dirsrv/slapd-m1/
drwxrwx---. ldapuser1 ldapgroup1 unconfined_u:object_r:dirsrv_var_lib_t:s0 .
drwxr-xr-x. root      root       system_u:object_r:dirsrv_var_lib_t:s0 ..
drwxrwx---. ldapuser1 ldapgroup1 unconfined_u:object_r:dirsrv_var_lib_t:s0 bak
drwxr-xr-x. ldapuser1 ldapgroup1 system_u:object_r:dirsrv_var_lib_t:s0 changelogdb
drwxrwx---. ldapuser1 ldapgroup1 unconfined_u:object_r:dirsrv_var_lib_t:s0 db
drwxrwx---. ldapuser1 ldapgroup1 unconfined_u:object_r:dirsrv_var_lib_t:s0 ldif


Actual results:
ls -laZ /var/lib/dirsrv/slapd-localhost
total 0
drwxr-xr-x. 6 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0  51 Nov 28 14:50 .
drwxr-xr-x. 3 root   root   system_u:object_r:dirsrv_var_lib_t:s0      29 Nov 28 14:19 ..
drwxr-xr-x. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0  43 Nov 28 14:32 bak
drwx------. 3 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0     108 Nov 28 14:50 bak2
drwxr-xr-x. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 109 Nov 28 14:41 db
drwxr-xr-x. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0   6 Nov 28 14:19 ldif


Expected results:

should be 750 and system_u
instead of 755 and unconfined_u


Additional info:

"dsconf backup create" does create the directory permissions and SELinux labels correctly, see the example with "bak2" above.

Comment 2 Amita Sharma 2019-01-04 14:09:55 UTC
[root@server-rhel8 ds]# rpm -qa | grep 389
389-ds-base-1.4.0.20-3.module+el8+2+b5271fcb.x86_64
389-ds-base-snmp-1.4.0.20-3.module+el8+2+b5271fcb.x86_64
389-ds-base-legacy-tools-1.4.0.20-3.module+el8+2+b5271fcb.x86_64
389-ds-base-libs-1.4.0.20-3.module+el8+2+b5271fcb.x86_64


1. Created instance in interactive mode -
#ls -laZ /var/lib/dirsrv/slapd-server-rhel8/
total 0
drwxrwx---. 5 dirsrv dirsrv system_u:object_r:unlabeled_t:s0  39 Jan  4 13:52 .
drwxr-xr-x. 3 root   root   system_u:object_r:unlabeled_t:s0  32 Jan  4 13:52 ..
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:unlabeled_t:s0   6 Jan  4 13:52 bak
drwxrwx---. 3 dirsrv dirsrv system_u:object_r:unlabeled_t:s0 109 Jan  4 13:53 db
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:unlabeled_t:s0   6 Jan  4 13:52 ldif

2. Created instance with inf file -
ls -laZ /var/lib/dirsrv/slapd-localhost/
total 0
drwxrwx---. 5 dirsrv dirsrv system_u:object_r:unlabeled_t:s0 39 Jan  4 14:07 .
drwxr-xr-x. 3 root   root   system_u:object_r:unlabeled_t:s0 29 Jan  4 14:07 ..
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:unlabeled_t:s0  6 Jan  4 14:07 bak
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:unlabeled_t:s0 93 Jan  4 14:08 db
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:unlabeled_t:s0  6 Jan  4 14:07 ldif


Permissions look perfect.

Comment 3 Amita Sharma 2019-01-04 15:00:54 UTC
[root@host-8-245-94 upstream]# ls -laZ /var/lib/dirsrv/slapd-host-8-245-94/
total 0
drwxrwx---. 5 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0  39 Jan  4 09:43 .
drwxr-xr-x. 3 root   root   system_u:object_r:dirsrv_var_lib_t:s0      33 Jan  4 09:43 ..
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 bak
drwxrwx---. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 109 Jan  4 09:43 db
drwxrwx---. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 ldif

[root@host-8-245-94 upstream]# restorecon -FvvR /var/lib/dirsrv/slapd-host-8-245-94/
Relabeled /var/lib/dirsrv/slapd-host-8-245-94 from unconfined_u:object_r:dirsrv_var_lib_t:s0 to system_u:object_r:dirsrv_var_lib_t:s0
Relabeled /var/lib/dirsrv/slapd-host-8-245-94/bak from unconfined_u:object_r:dirsrv_var_lib_t:s0 to system_u:object_r:dirsrv_var_lib_t:s0
Relabeled /var/lib/dirsrv/slapd-host-8-245-94/db from unconfined_u:object_r:dirsrv_var_lib_t:s0 to system_u:object_r:dirsrv_var_lib_t:s0
Relabeled /var/lib/dirsrv/slapd-host-8-245-94/ldif from unconfined_u:object_r:dirsrv_var_lib_t:s0 to system_u:object_r:dirsrv_var_lib_t:s0

[root@host-8-245-94 upstream]# ls -laZ /var/lib/dirsrv/slapd-host-8-245-94/
total 0
drwxrwx---. 5 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0  39 Jan  4 09:43 .
drwxr-xr-x. 3 root   root   system_u:object_r:dirsrv_var_lib_t:s0  33 Jan  4 09:43 ..
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 bak
drwxrwx---. 3 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0 109 Jan  4 09:43 db
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 ldif
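
The following script is an added example for this bug, not code from the report, from 389-ds-base or from lib389. It turns the two checks the reporter applies by eye (no "other" permission bits on the instance directories, and an SELinux user of system_u rather than unconfined_u) into a parser over `ls -laZ` output, and pairs it with the remediation comment 3 demonstrates (restorecon -FvR) plus a chmod for the mode bits. The listings embedded in sample_listing and fixed_listing are constructed copies of the "Actual results" and of the post-restorecon listing in comment 3; the function names (check_entry, audit_listing, finding_count, audit_dir, harden_dir, other_bits) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the bug report or of 389-ds-base): audit a
# 389 instance data directory for the two defects reported in bug 1654451
# and apply the remediation shown in comment 3.

# check_entry MODE CONTEXT NAME
#   MODE    symbolic mode as printed by ls, e.g. "drwxr-xr-x."
#   CONTEXT SELinux label as printed by ls -Z (user:role:type:level),
#           or "?" on a filesystem/host without labels
# Prints one "FINDING:" line per problem; returns 0 when the entry is clean.
check_entry() {
    mode=$1; ctx=$2; name=$3
    rc=0
    # the "other" rwx bits are characters 8-10 of the symbolic mode
    other=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "FINDING: $name is world-accessible (other=$other, want ---)"
        rc=1
    fi
    seuser=${ctx%%:*}
    if [ "$ctx" = "?" ]; then
        echo "NOTE: $name carries no SELinux label to check"
    elif [ "$seuser" != "system_u" ]; then
        echo "FINDING: $name has SELinux user $seuser (want system_u)"
        rc=1
    fi
    return $rc
}

# audit_listing: read "ls -laZ" output from stdin and check every entry
# except the "total" line and the parent directory "..", which belongs to
# /var/lib/dirsrv and is root-owned 755 by design.
audit_listing() {
    while read -r perms links owner group ctx size mon day time name; do
        case "$perms" in total|"") continue ;; esac
        case "$name" in ..) continue ;; esac
        check_entry "$perms" "$ctx" "$name" || :
    done
    return 0
}

# finding_count: number of FINDING lines produced for the listing on stdin
finding_count() {
    audit_listing | grep -c '^FINDING:' || :
}

# sample_listing: constructed copy of the report's "Actual results";
# bak2 was created by "dsconf backup create" and is the one correct entry
sample_listing() {
    cat <<'EOF'
total 0
drwxr-xr-x. 6 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0  51 Nov 28 14:50 .
drwxr-xr-x. 3 root   root   system_u:object_r:dirsrv_var_lib_t:s0      29 Nov 28 14:19 ..
drwxr-xr-x. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0  43 Nov 28 14:32 bak
drwx------. 3 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0     108 Nov 28 14:50 bak2
drwxr-xr-x. 3 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0 109 Nov 28 14:41 db
drwxr-xr-x. 2 dirsrv dirsrv unconfined_u:object_r:dirsrv_var_lib_t:s0   6 Nov 28 14:19 ldif
EOF
}

# fixed_listing: constructed copy of comment 3's listing after restorecon
fixed_listing() {
    cat <<'EOF'
total 0
drwxrwx---. 5 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0  39 Jan  4 09:43 .
drwxr-xr-x. 3 root   root   system_u:object_r:dirsrv_var_lib_t:s0  33 Jan  4 09:43 ..
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 bak
drwxrwx---. 3 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0 109 Jan  4 09:43 db
drwxrwx---. 2 dirsrv dirsrv system_u:object_r:dirsrv_var_lib_t:s0   6 Jan  4 09:43 ldif
EOF
}

# audit_dir DIR: the same checks against a live instance directory
audit_dir() {
    ls -laZ "$1" | audit_listing
}

# other_bits PATH: the "other" rwx bits of PATH as ls prints them
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# harden_dir DIR: drop every "other" bit below DIR, then relabel from the
# file contexts in policy as comment 3 does (skipped where restorecon is absent)
harden_dir() {
    chmod -R o-rwx "$1"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -FvR "$1"
    fi
}
```

Typical use on an affected host is `audit_dir /var/lib/dirsrv/slapd-localhost` to list the findings, then `harden_dir /var/lib/dirsrv/slapd-localhost` and a second audit to confirm they are gone. The checks deliberately test only what the report asks for (no access for "other", SELinux user system_u) rather than an exact mode, since the corrected listing in comment 3 shows 770 while the report's expected result says 750; the group bits are left to the administrator.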

