Bug 191585 - SELinux blocking named with LDAP
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Assigned To: Daniel Walsh
Reported: 2006-05-13 06:21 EDT by Joachim Selke
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.2.40-1.fc5
Last Closed: 2006-05-25 05:47:25 EDT
Description Joachim Selke 2006-05-13 06:21:20 EDT
Description of problem:
I have a system using LDAP for user information. Trying to start named ("service
named start") gives

May 13 12:13:36 brown named[2853]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
May 13 12:13:40 brown named[2853]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
May 13 12:13:48 brown named[2853]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
May 13 12:14:04 brown named[2853]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
May 13 12:14:36 brown named[2853]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
May 13 12:15:40 brown named[2853]: nss_ldap: could not search LDAP server - Server is unavailable

in /var/log/messages and several entries like

type=AVC msg=audit(1147513844.360:67533): avc:  denied  { search } for  pid=4646 comm="named" name="pki" dev=dm-0 ino=23724069 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1147513844.360:67533): arch=40000003 syscall=5 success=no exit=-13 a0=9da8310 a1=8000 a2=1b6 a3=9db11e0 items=1 pid=4646 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="named" exe="/usr/sbin/named"
type=CWD msg=audit(1147513844.360:67533):  cwd="/"
type=PATH msg=audit(1147513844.360:67533): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" flags=101

in /var/log/audit/audit.log.

Version-Release number of selected component (if applicable):

Expected results:
named should be allowed to access /etc/pki/tls/certs/ca-bundle.crt.
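The denial above is easier to triage when the four audit records sharing one serial (67533) are joined: the AVC record names the object the check failed on (the directory "pki", labelled cert_t), while the PATH record names the file named was actually trying to open. The following parser is an added example, not part of the bug report or of selinux-policy; it uses the report's own records as constructed sample input and renders the same allow rule that audit2allow would propose.

```python
import re
from collections import defaultdict

# Constructed sample: the four records from the report, one per line, all with serial 67533.
AUDIT_LOG = """\
type=AVC msg=audit(1147513844.360:67533): avc:  denied  { search } for  pid=4646 comm="named" name="pki" dev=dm-0 ino=23724069 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1147513844.360:67533): arch=40000003 syscall=5 success=no exit=-13 a0=9da8310 a1=8000 a2=1b6 a3=9db11e0 items=1 pid=4646 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="named" exe="/usr/sbin/named"
type=CWD msg=audit(1147513844.360:67533):  cwd="/"
type=PATH msg=audit(1147513844.360:67533): item=0 name="/etc/pki/tls/certs/ca-bundle.crt" flags=101
"""

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<rest>.*)$')
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')          # key=value or key="quoted value"
AVC = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')

def parse_fields(text):
    """Turn 'k=v k="quoted v"' into a dict, stripping the quotes."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV.findall(text)}

def parse_events(log):
    """Group audit records by serial so AVC, SYSCALL and PATH lines of one event sit together."""
    events = defaultdict(lambda: {'avc': [], 'paths': []})
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        ev, rtype, rest = events[m['serial']], m['type'], m['rest']
        if rtype == 'AVC' and (a := AVC.match(rest)):
            f = parse_fields(a['rest'])
            f['result'], f['perms'] = a['result'], a['perms'].split()
            ev['avc'].append(f)
        elif rtype == 'SYSCALL':
            ev['syscall'] = parse_fields(rest)
        elif rtype == 'PATH':
            ev['paths'].append(parse_fields(rest).get('name'))
    return dict(events)

def denials(log):
    """One summary per denied AVC, joined to the syscall and path records with the same serial."""
    out = []
    for serial, ev in parse_events(log).items():
        sc = ev.get('syscall', {})
        for avc in (x for x in ev['avc'] if x['result'] == 'denied'):
            out.append({'serial': serial, 'tclass': avc['tclass'], 'perms': avc['perms'],
                        'source_type': avc['scontext'].split(':')[2],   # named_t
                        'target_type': avc['tcontext'].split(':')[2],   # cert_t
                        'denied_name': avc.get('name'),                  # object the check failed on
                        'exe': sc.get('exe'), 'success': sc.get('success'),
                        'paths': [p for p in ev['paths'] if p]})        # file the syscall was reaching for
    return out

def allow_rule(d):
    """Render a denial as the policy rule audit2allow would suggest, for review before loading."""
    return 'allow %s %s:%s { %s };' % (d['source_type'], d['target_type'], d['tclass'], ' '.join(d['perms']))
```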
Comment 1 Daniel Walsh 2006-05-15 12:32:07 EDT
Fixed in selinux-policy-targeted-2.2.39-2.fc5
Comment 2 Ian Pilcher 2006-05-16 18:14:14 EDT
Where can selinux-policy-targeted-2.2.39-2.fc5 be found?
Comment 3 Joachim Selke 2006-05-18 03:55:58 EDT
The latest development versions of packages can be found at "Rawhide":

But for stability reasons I think it would be better to wait for the official
update of the selinux-policy-targeted package. That's what I do.
Comment 4 Joachim Selke 2006-05-25 05:47:25 EDT
Today I updated the policy to version 2.2.40-1.fc5 and can confirm this bug to
be fixed. Thanks.
