Bug 199843 - Targeted policy prevents access to ldapi:// socket
Summary: Targeted policy prevents access to ldapi:// socket
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2006-07-23 07:40 UTC by Jeremias Reith
Modified: 2008-08-02 23:40 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-04-09 13:48:00 UTC


Description Jeremias Reith 2006-07-23 07:40:13 UTC
Description of problem:

The targeted policy does not allow access to the ldapi:// socket of openldap. This affects daemons and 
normal users that want to connect to the socket.

How reproducible:

This can be reproduced with any daemon contained in the targeted policy and as normal user (e.g. 
ldapsearch -h ldapi://)

Steps to Reproduce:
  In /etc/sysconfig/ldap:

  (Using cyrus-imapd as example)
  In /etc/sasl2/Cyrus.conf:
  pwcheck_method: auxprop
  auxprop_plugin: ldapdb
  mech_list:  digest-md5 cram-md5 plain
  ldapdb_uri: ldapi://
  ldapdb_mech: external

  Restart cyrus-imapd and slapd

  Login attempt on imap server:

[root@host ~]# telnet localhost 143
Connected to localhost.localdomain (
Escape character is '^]'.
* OK host Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
01 LOGIN foo bar
 01 NO Login failed: user not found

Actual results:

audit(1153638053.997:101): avc:  denied  { write } for  pid=25292 comm="imapd" name="ldapi" 
dev=md1 ino=369099032 scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:object_r:var_run_t:s0 

Expected results:

imapd successfully connects via ldapi://

Comment 1 Daniel Walsh 2006-07-24 14:57:31 UTC
What is the full path to the socket?  I take it, this socket is owned by ldap?

Comment 2 Jeremias Reith 2006-07-24 17:54:07 UTC
The full path is /var/run/ldapi which is the default:

[jr@mytestbox ~]$ ls -Z /var/run/ldapi 
srwxr-xr-x  root root system_u:object_r:var_run_t      /var/run/ldapi

The socket is created before slapd changes its uid to ldap.

Comment 3 Daniel Walsh 2006-07-24 20:14:21 UTC
Fixed in selinux-policy-2.3.3-10

Comment 4 Jeremias Reith 2006-07-25 15:36:45 UTC
Thanks, access to the socket as normal user (ldap* tools) works now, but daemons are still unable to 
access the socket. This is the state after starting slapd (and after a chmod a+wx):

[root@galaxy ~]# ls -Z /var/run/ldapi 
srwxrwxrwx  root root user_u:object_r:var_run_t        /var/run/ldapi

cyrus-imapd can't access the socket.

Running restorecon changes the labels (slapd seems to recreate the socket on every launch):

[root@mytestbox ~]# restorecon -v /var/run/ldapi 
restorecon reset /var/run/ldapi context user_u:object_r:var_run_t:s0-
[root@mytestbox ~]# ls -Z /var/run/ldapi 
srwxrwxrwx  root root system_u:object_r:slapd_var_run_t /var/run/ldapi

But cyrus-imapd still can't access:

audit(1153841511.457:53): avc:  denied  { write } for  pid=21159 comm="imapd" name="ldapi" 
dev=md1 ino=369099030 scontext=user_u:system_r:cyrus_t:s0 
tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file
audit(1153841511.461:54): avc:  denied  { connectto } for  pid=21159 comm="imapd" name="ldapi" 
scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:system_r:slapd_t:s0 tclass=unix_stream_socket

Tested with cyrus-imapd using selinux-policy-targeted.noarch version 2.3.3-10
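The two stages of this bug are visible in the AVC records above: the first denial (in the description) targets the generic var_run_t label, which is a file-context problem that restorecon fixes, while the denials after relabeling target slapd_var_run_t and slapd_t, which is a genuine gap in the cyrus_t policy. The following script is an added example, not code from this bug report or from the selinux-policy package; it parses AVC lines of this shape, groups the denied permissions by source type, target type and object class, renders the allow rules a local policy module would need (the same information audit2allow derives), and applies a simple heuristic of my own to separate "relabel the object" from "extend the policy". The sample records are copied from comment 4; the mislabeled record is reconstructed from the description with a `tclass=sock_file` field added, which is an assumption since the page truncates that line.

```python
import re
from collections import defaultdict

# Sample AVC records copied from comment 4 of the bug report (joined onto single lines).
SAMPLE_AVC = (
    'audit(1153841511.457:53): avc:  denied  { write } for  pid=21159 comm="imapd" name="ldapi" '
    'dev=md1 ino=369099030 scontext=user_u:system_r:cyrus_t:s0 '
    'tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file\n'
    'audit(1153841511.461:54): avc:  denied  { connectto } for  pid=21159 comm="imapd" name="ldapi" '
    'scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:system_r:slapd_t:s0 tclass=unix_stream_socket\n'
)

# Reconstructed from the description's denial; tclass=sock_file is assumed (the page cuts the line off).
MISLABELED_AVC = (
    'audit(1153638053.997:101): avc:  denied  { write } for  pid=25292 comm="imapd" name="ldapi" '
    'dev=md1 ino=369099032 scontext=user_u:system_r:cyrus_t:s0 '
    'tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file\n'
)

# Heuristic of my own: a target carrying one of these generic types usually means the object was
# never given its domain-specific label, so the fix is a file context + restorecon, not an allow rule.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t"}

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(":") if ctx else []
    return parts[2] if len(parts) >= 3 else None


def summarize_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied" or not rec["tclass"]:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        needed[key].update(rec["perms"])
    return dict(needed)


def diagnose(needed):
    """Map each denial group to 'relabel' (fix file context) or 'policy' (allow rule needed)."""
    return {key: ("relabel" if key[1] in GENERIC_TYPES else "policy") for key in needed}


def te_rules(needed):
    """Render the allow rules for the 'policy' groups, as a local .te module would carry them."""
    verdicts = diagnose(needed)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in needed.items()
        if verdicts[(s, t, c)] == "policy"
    )


if __name__ == "__main__":
    groups = summarize_denials(MISLABELED_AVC + SAMPLE_AVC)
    for key, verdict in diagnose(groups).items():
        print(f"{key}: {verdict}")
    print("\n".join(te_rules(groups)))
```

Run stand-alone it flags the var_run_t denial as a labeling problem and prints the two allow rules (write on slapd_var_run_t:sock_file, connectto on slapd_t:unix_stream_socket) that the targeted policy lacked for cyrus_t at the time of comment 4. In practice the rules go into a small policy module compiled with the SELinux toolchain rather than being hand-applied, and a relabel verdict should be checked with ls -Z before and after restorecon, as comment 4 does.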

Comment 5 Matthew Miller 2007-04-06 16:42:23 UTC
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
