Bug 188335 - SELinux targeted policy breaks rpc.idmap + LDAP SSL
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
: Reopened
Reported: 2006-04-07 21:57 EDT by W. Michael Petullo
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-05-10 19:23:28 EDT
Attachments
SELinux AVC messages caused by rpc.idmapd + LDAP SSL (3.39 KB, text/plain), 2006-04-07 21:59 EDT, W. Michael Petullo
Description W. Michael Petullo 2006-04-07 21:57:16 EDT
Description of problem:
I have an NFS server that also provides network information using LDAP over SSL.
 It seems that the targeted SELinux policy does not allow rpc.idmapd to access
LDAP over SSL when resolving user information.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-2.fc5

How reproducible:
Every time

Steps to Reproduce:
1. Configure system to use LDAP to resolve NSS.
2. Enable SELinux targeted policy.
3. Start rpc.idmapd.
  
Actual results:
The rpc.idmapd does not function correctly when SELinux is enforcing the
targeted policy.

Expected results:


Additional info:
Comment 1 W. Michael Petullo 2006-04-07 21:59:51 EDT
Created attachment 127494 [details]
SELinux AVC messages caused by rpc.idmapd + LDAP SSL
Comment 2 Daniel Walsh 2006-04-11 11:30:20 EDT
If you run 

audit2allow -M idmapd

semodule -i idmapd

Does it then work?

Comment 3 W. Michael Petullo 2006-04-12 21:32:42 EDT
Yes.  If I use the audit log from comment #1 as input to "audit2allow -M idmapd
-i" and load the resulting module, then rpc.idmapd seems to work fine.
Comment 4 Daniel Walsh 2006-04-14 12:52:51 EDT
fixed in selinux-policy-2.2.32-1.FC5
Comment 5 W. Michael Petullo 2006-04-19 14:31:01 EDT
Confirmed fixed in selinux-policy-2.2.32-1.FC5.
Comment 6 W. Michael Petullo 2006-04-30 21:19:11 EDT
I just tried selinux-policy-targeted-2.2.35-2 on an NFS client.

Although this bug has been fixed on the NFS server, the client does not seem to
work when SELinux is enabled on the client.  In other words:

         SERVER  CLIENT  STATUS
SELINUX  on      off     works
SELINUX  on      on      broken

The strange thing is that the audit messages produced on the client are a subset
of what I reported before for the server:

type=AVC msg=audit(1146445559.968:111): avc:  denied  { search } for  pid=1456
comm="rpc.idmapd" name="pki" dev=hda5 ino=711090
scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1146445559.968:111): arch=14 syscall=5 success=yes
exit=-13 a0=7872adc a1=10000 a2=1b6 a3=1b6 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.968:111):  cwd="/"
type=PATH msg=audit(1146445559.968:111): item=0 name="/etc/pki/tls/cert.pem" flags=1
type=AVC msg=audit(1146445559.996:112): avc:  denied  { read } for  pid=1456
comm="rpc.idmapd" name="urandom" dev=tmpfs ino=1654
scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:112): arch=14 syscall=5 success=yes
exit=-13 a0=78486f8 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"
type=CWD msg=audit(1146445559.996:112):  cwd="/"
type=PATH msg=audit(1146445559.996:112): item=0 name="/dev/urandom" flags=101 
inode=1654 dev=00:0e mode=020444 ouid=0 ogid=0 rdev=01:09
type=AVC msg=audit(1146445559.996:113): avc:  denied  { read } for  pid=1456
comm="rpc.idmapd" name="random" dev=tmpfs ino=1662
scontext=system_u:system_r:rpcd_t:s0
tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1146445559.996:113): arch=14 syscall=5 success=yes
exit=-13 a0=7871be0 a1=900 a2=0 a3=7f8e6720 items=1 pid=1456 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="rpc.idmapd"
exe="/usr/sbin/rpc.idmapd"

The following additions seem to fix the problem on the client:

allow rpcd_t cert_t:dir search;
allow rpcd_t random_device_t:chr_file read;
allow rpcd_t urandom_device_t:chr_file read;
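The workflow in comment 2 (feed the AVC denials to audit2allow, load the module) and the three rules in comment 6 are connected by a small transformation: each "avc: denied" record contributes the source type, target type, object class and permission of one allow rule. The following is an added example, not part of this bug report or of audit2allow itself; it parses constructed audit lines modelled on the client denials above, merges them into TE allow rules the way audit2allow does, and adds a review step that flags any rule whose target is not one an LDAP-over-SSL client is expected to touch (the EXPECTED_TLS_TARGETS set is an assumption of this example).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the client-side denials in comment 6: three
# AVC records plus one SYSCALL record, which the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1146445559.968:111): avc:  denied  { search } for  pid=1456 comm="rpc.idmapd" name="pki" dev=hda5 ino=711090 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1146445559.968:111): arch=14 syscall=5 success=yes exit=-13 items=1 pid=1456 comm="rpc.idmapd" exe="/usr/sbin/rpc.idmapd"
type=AVC msg=audit(1146445559.996:112): avc:  denied  { read } for  pid=1456 comm="rpc.idmapd" name="urandom" dev=tmpfs ino=1654 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1146445559.996:113): avc:  denied  { read } for  pid=1456 comm="rpc.idmapd" name="random" dev=tmpfs ino=1662 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc_denials(log_text):
    """One dict per 'avc: denied' record; contexts are reduced to their type field."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:                                   # SYSCALL/CWD/PATH lines do not match
            denials.append({
                'perms': set(m.group('perms').split()),
                'source': m.group('scon').split(':')[2],   # user:role:type:range
                'target': m.group('tcon').split(':')[2],
                'tclass': m.group('tclass'),
            })
    return denials

def generate_allow_rules(denials):
    """Merge permissions per (source, target, class) into TE allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {p};')
    return rules

# Review step before loading a generated module (assumed set): an LDAP-over-SSL
# client needs the CA directory and the kernel RNG; anything else is returned for review.
EXPECTED_TLS_TARGETS = {'cert_t', 'random_device_t', 'urandom_device_t'}

def unexpected_rules(denials):
    return generate_allow_rules([d for d in denials if d['target'] not in EXPECTED_TLS_TARGETS])
```

On the sample above, generate_allow_rules returns exactly the three rules listed in comment 6 and unexpected_rules returns nothing; a denial against some other target type would instead come back from unexpected_rules for a human to judge before semodule -i is run.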
Comment 8 Daniel Walsh 2006-05-09 13:21:31 EDT
Fixed in selinux-policy-2.2.38-2 in rawhide.  Will backport at the end of the week.
Comment 9 W. Michael Petullo 2006-05-10 16:23:50 EDT
Confirmed fixed in Rawhide's selinux-policy-2.2.38-2.