Bug 199843 - Targeted policy prevents access to ldapi:// socket
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware/OS: All / Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-07-23 03:40 EDT by Jeremias Reith
Modified: 2008-08-02 19:40 EDT (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-04-09 09:48:00 EDT


Description Jeremias Reith 2006-07-23 03:40:13 EDT
Description of problem:

The targeted policy does not allow access to the ldapi:// socket of openldap. This affects daemons and normal users that want to connect to the socket.


How reproducible:

This can be reproduced with any daemon contained in the targeted policy and as normal user (e.g. ldapsearch -h ldapi://)


Steps to Reproduce:
1.
  In /etc/sysconfig/ldap:
  SLAPD_LDAPI=yes

2.
  (Using cyrus-imapd as example)
  In /etc/sasl2/Cyrus.conf:
  pwcheck_method: auxprop
  auxprop_plugin: ldapdb
  mech_list:  digest-md5 cram-md5 plain
  ldapdb_uri: ldapi://
  ldapdb_mech: external

3.
  Restart cyrus-imapd and slapd

4.
  Login attempt on imap server:

[root@host ~]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
* OK host Cyrus IMAP4 v2.3.1-Invoca-RPM-2.3.1-2.6.fc5 server ready
01 LOGIN foo bar
 01 NO Login failed: user not found

Actual results:

audit(1153638053.997:101): avc:  denied  { write } for  pid=25292 comm="imapd" name="ldapi" dev=md1 ino=369099032 scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file


Expected results:

imapd successfully connects via ldapi://
Comment 1 Daniel Walsh 2006-07-24 10:57:31 EDT
What is the full path to the socket?  I take it, this socket is owned by ldap?

Comment 2 Jeremias Reith 2006-07-24 13:54:07 EDT
The full path is /var/run/ldapi which is the default:

[jr@mytestbox ~]$ ls -Z /var/run/ldapi 
srwxr-xr-x  root root system_u:object_r:var_run_t      /var/run/ldapi

The socket is created before slapd changes its uid to ldap.

Comment 3 Daniel Walsh 2006-07-24 16:14:21 EDT
Fixed in selinux-policy-2.3.3-10
Comment 4 Jeremias Reith 2006-07-25 11:36:45 EDT
Thanks, access to the socket as normal user (ldap* tools) works now, but daemons are still unable to access the socket. This is the state after starting slapd (and after a chmod a+wx):

[root@galaxy ~]# ls -Z /var/run/ldapi 
srwxrwxrwx  root root user_u:object_r:var_run_t        /var/run/ldapi

cyrus-imapd can't access the socket.

Running restorecon changes the labels (slapd seems to recreate the socket on every launch):

[root@mytestbox ~]# restorecon -v /var/run/ldapi 
restorecon reset /var/run/ldapi context user_u:object_r:var_run_t:s0->system_u:object_r:slapd_var_run_t:s0
[root@mytestbox ~]# ls -Z /var/run/ldapi 
srwxrwxrwx  root root system_u:object_r:slapd_var_run_t /var/run/ldapi


But cyrus-imapd still can't access:

audit(1153841511.457:53): avc:  denied  { write } for  pid=21159 comm="imapd" name="ldapi" dev=md1 ino=369099030 scontext=user_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file
audit(1153841511.461:54): avc:  denied  { connectto } for  pid=21159 comm="imapd" name="ldapi" scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:system_r:slapd_t:s0 tclass=unix_stream_socket


Tested with cyrus-imapd using selinux-policy-targeted.noarch version 2.3.3-10
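The three AVC denials quoted in this bug actually describe two different problems, and a practitioner reading them wants to separate the two: the first denial (tcontext type var_run_t) is the socket carrying a generic label because slapd creates it before it drops privileges, and the right fix is the file context (what restorecon did in comment 4), not an allow rule on var_run_t; the second and third denials (slapd_var_run_t:sock_file write, slapd_t:unix_stream_socket connectto) are the real missing policy for a client of a Unix-domain socket. The following is an added example written for this page, not code from the bug, from selinux-policy or from audit2allow. It parses the denials exactly as they appear above (copied inline as sample input), treats any denial against a type in a small GENERIC_TYPES set as a labeling problem (that set and the heuristic are this example's own assumptions), and renders the remaining denials as a minimal .te module in the form audit2allow -M produces. The module name local_cyrus_ldapi is made up for illustration.

```python
"""Sort SELinux AVC denials into "needs an allow rule" vs "object is mislabeled".

Added example for bug 199843; not part of selinux-policy or audit2allow.
The AVC_LINES below are the denials quoted in the bug, rejoined onto single
lines. GENERIC_TYPES and the relabel-vs-allow heuristic are assumptions of
this example, not behaviour of the real tooling.
"""
import re
from collections import defaultdict

# Constructed sample input: the three denials from the bug comments.
AVC_LINES = [
    'audit(1153638053.997:101): avc:  denied  { write } for  pid=25292 comm="imapd" name="ldapi" '
    'dev=md1 ino=369099032 scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:object_r:var_run_t:s0 '
    'tclass=sock_file',
    'audit(1153841511.457:53): avc:  denied  { write } for  pid=21159 comm="imapd" name="ldapi" '
    'dev=md1 ino=369099030 scontext=user_u:system_r:cyrus_t:s0 '
    'tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file',
    'audit(1153841511.461:54): avc:  denied  { connectto } for  pid=21159 comm="imapd" name="ldapi" '
    'scontext=user_u:system_r:cyrus_t:s0 tcontext=user_u:system_r:slapd_t:s0 tclass=unix_stream_socket',
]

# Generic directory types: a denial against one of these usually means the
# object should carry a more specific label, so we do not emit an allow rule.
# (Assumption for this example; extend as needed.)
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "var_lib_t", "etc_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s.*?'
    r'tcontext=(?P<tcontext>\S+)\s.*?'
    r'tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, set of permissions), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    return type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"), perms


def classify(lines):
    """Split denials into allow-rule candidates and labeling problems.

    Returns (rules, relabel): rules maps (stype, ttype, tclass) -> permissions;
    relabel lists (stype, ttype, tclass) tuples whose target type is generic.
    """
    rules = defaultdict(set)
    relabel = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if ttype in GENERIC_TYPES:
            relabel.append((stype, ttype, tclass))
        else:
            rules[(stype, ttype, tclass)] |= perms
    return rules, relabel


def render_module(rules, name="local_cyrus_ldapi"):
    """Render the allow rules as a minimal .te module with its require block."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules, relabel = classify(AVC_LINES)
    for stype, ttype, tclass in relabel:
        print(f"# {stype} denied on generic type {ttype} ({tclass}): "
              "fix the file context (restorecon / semanage fcontext) instead of allowing it")
    print(render_module(rules))
```

Run stand-alone, the script flags the var_run_t denial as a labeling problem and emits a module containing only the two rules a Unix-socket client genuinely needs, `allow cyrus_t slapd_var_run_t:sock_file { write };` and `allow cyrus_t slapd_t:unix_stream_socket { connectto };`. Treat the output as something to review, not to load blindly: the distribution policy (the 2.3.3-10 fix referenced above) is the place for such rules, and a local module granting write on a generic type like var_run_t would let a daemon reach every socket in /var/run, which is exactly the least-privilege hole the relabel avoids.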
Comment 5 Matthew Miller 2007-04-06 12:42:23 EDT
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]
