Bug 316011 - semanage port -a -t ldap_port_t -p tcp 4389 fails if SELinux disabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.0
Hardware: All Linux
Priority: low    Severity: high
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Keywords: TestBlocker
Reported: 2007-10-02 16:11 EDT by Scott Bambrough
Modified: 2009-09-02 05:47 EDT (History)

Doc Type: Bug Fix
Last Closed: 2009-09-02 05:47:28 EDT

Attachments
/var/log/dmessg log (18.60 KB, text/plain), 2008-09-08 02:14 EDT, manoj
/var/log/messages log (812.37 KB, text/plain), 2008-09-08 02:15 EDT, manoj

Description Scott Bambrough 2007-10-02 16:11:31 EDT
Description of problem:

One of the rpms our product installs calls 'semanage port -a -t ldap_port_t -p
tcp 4389' in its post install script.

This seems to work except in one use case:
 
1) SELinux disabled initially.
2) Install my application policy using semanage -i as before.
3) Set SELinux to enforcing mode.
4) Reboot, and SELinux denies applications access to LDAP server running
on port 4389.

This is particularly painful to debug as this slows down the boot process
immensely, and breaks user authentication.
 
My testing on RHEL5, without my app installed shows the command 'semanage port
-a -t ldap_port_t -p tcp 4389' gives the following error if SELinux is disabled.

libsepol.context_from_record: MLS is enabled, but no MLS context found
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 4389:4389 (tcp)
libsepol.sepol_port_modify: could not load port range 4389 - 4389 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add port tcp/4389

Version-Release number of selected component: policycoreutils-1.33.12-3.el5

How reproducible: 100%

Steps to Reproduce:
1.  Disable SELinux.
2.  Run 'semanage port -a -t ldap_port_t -p tcp 4389'
3.  Error listed above occurs.  Context not set for port 4389.

Expected results:

Expect semanage to succeed and set the context for port 4389 to ldap_port_t.

Additional info:

After some private email with Dan Walsh, he thinks I am pointing out a bug and
recommended I log one.  According to Dan, 

semodule -s targeted should allow you to install your policy module even
when selinux is disabled, as long as selinux-policy-targeted is
installed.

But semanage does not have this qualifier, and he is of the opinion it should.
Comment 1 Daniel Walsh 2007-10-22 10:34:33 EDT
Fixed in policycoreutils-2.0.31-7.fc8

Added -S and --store to specify the store you are manipulating.
Comment 2 Scott Bambrough 2007-11-16 18:06:37 EST
RHEL 5.1 seems to ship with policycoreutils-1.33.12-12.el5.  I was hoping this
fix would make it into 5.1.  Is there a plan to issue an update?  

This is a real problem for me.  Essentially a sysadmin can use our BridgeWays
server management product to configure a server and various services with
SELinux disabled, then break them just by enabling SELinux afterwards.

The severity of the breakage depends on their choices, but when we originally
came across this problem, no one could log into our test network or the servers.
Network authentication of users via LDAP was not working, as the server was
configured to run on port 4389.

I also have bugs here where other servers that can be configured to run on
non-standard ports (proxy server, httpd, and ftp) fail to work when configured
while SELinux is disabled and SELinux is enabled after the fact.


Comment 3 Daniel Walsh 2007-11-17 06:54:16 EST
Yes I would like to update policycoreutils in the 5.2 update release.
Comment 4 RHEL Product and Program Management 2007-11-17 06:54:22 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Jay Turner 2007-11-30 02:28:59 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 6 Daniel Walsh 2008-01-21 10:25:33 EST
Fixed in  policycoreutils-1.33.12-13
Comment 13 Josef Kubin 2008-03-31 15:02:09 EDT
Here is a patch fixing the bug:
http://people.redhat.com/jkubin/stuff/316011.patch
Dan currently isn't available and I unfortunately don't have sufficient rights
to upload it. Tomorrow morning I'll ask him to merge it and for upload.
Comment 19 RHEL Product and Program Management 2008-06-04 18:48:33 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 20 manoj 2008-06-05 05:18:58 EDT
This bug is reproducible on RHEL5u2 system as well.
The policycoreutils default version is 1.33.12-14.el5.
Comment 21 manoj 2008-09-05 10:36:44 EDT
After following the original method described in the bug, when I try to list SELinux ports it gives me the following error:

[root@lifo ~]# semanage port -l
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Comment 22 Daniel Walsh 2008-09-05 11:12:10 EDT
Does

# semanage port -l -S targeted

work?
Comment 23 manoj 2008-09-08 02:10:31 EDT
[root@lifo ~]# semanage port -l -S targeted
/usr/sbin/semanage: Options Error option -S not recognized 

[root@lifo ~]# semanage port -l -s targeted
-s not valid for port objects
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
Comment 24 manoj 2008-09-08 02:12:14 EDT
At present this bug doesn't slow down the booting process as described in the original bug.
Comment 25 manoj 2008-09-08 02:14:45 EDT
Created attachment 316030 [details]
/var/log/dmessg log
Comment 26 manoj 2008-09-08 02:15:25 EDT
Created attachment 316031 [details]
/var/log/messages log
Comment 27 Daniel Walsh 2008-09-08 09:11:37 EDT
Manoj, you have a badly mislabeled file system.  You need to 

touch /.autorelabel
reboot
Comment 28 manoj 2008-09-08 09:55:14 EDT
Even after relabelling the system, my ldap authentication fails (tested on multiple systems).
Comment 29 Daniel Walsh 2008-09-08 09:57:49 EDT
Well, that has nothing to do with this Bugzilla.

Send me mail of your avc messages on ldap.  Or open a new bugzilla.
Comment 30 manoj 2008-09-08 10:29:52 EDT
Hi Dan, as described in this original bug, when I follow the method without my application installed:

Steps to Reproduce:
1.  Disable SELinux.
2.  Run 'semanage port -a -t ldap_port_t -p tcp 4389'
3.  Error listed above occurs.  Context not set for port 4389.

Result:
libsepol.context_from_record: MLS is enabled, but no MLS context found
libsepol.context_from_record: could not create context structure
libsepol.port_from_record: could not create port structure for range 4389:4389 (tcp)
libsepol.sepol_port_modify: could not load port range 4389 - 4389 (tcp)
libsemanage.dbase_policydb_modify: could not modify record value
libsemanage.semanage_base_merge_components: could not merge local
modifications into policy
/usr/sbin/semanage: Could not add port tcp/4389

Expected results:

Expect semanage to succeed and set the context for port 4389 to ldap_port_t.
Comment 31 manoj 2008-09-08 11:20:55 EDT
Comment 2 (of the original bug, very critical) is reproducible on a RHEL5u2 system as well (because of semanage's inability to add ports with SELinux disabled).

policycoreutils on my test system is version 1.33.12-14.el5.
Comment 32 Daniel Walsh 2008-09-08 11:42:16 EDT
Right, and the goal is to add a new field, -S targeted, which should allow the adding of the port:

semanage port -a -S targeted -t ldap_port_t -p tcp 4389

This works in Fedora 9 and Rawhide, but does not seem to have been properly backported to RHEL5 U3
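As an added example (not part of the bug report, and not Red Hat's or the reporter's code), here is a POSIX sh post-install helper covering the two points raised in this thread: it always names the policy store with -S, as Dan describes in comment 32, so that `semanage port -a` can succeed while SELinux is disabled, and it checks a `semanage port -l` listing for the expected mapping, the verification step manoj attempted in comments 21 and 23. It assumes the /etc/selinux/config keys SELINUX= and SELINUXTYPE=, a policycoreutils build that accepts `-S` (comment 33 names 1.33.12-14.1.el5), and the column layout of `semanage port -l` output (type, protocol, comma-separated ports or ranges); the function and variable names are mine, and the sample listing in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes /etc/selinux/config uses
# SELINUX= / SELINUXTYPE= and that `semanage port` accepts -S <store>.

SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Last value of KEY=... in a config file (empty if absent or file missing).
selinux_config_value() {
    sed -n "s/^$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Policy store named by SELINUXTYPE (default: targeted).
selinux_store() {
    store=$(selinux_config_value "$1" SELINUXTYPE)
    printf '%s\n' "${store:-targeted}"
}

# Mode named by SELINUX (enforcing/permissive/disabled); a missing file counts as disabled.
selinux_mode() {
    mode=$(selinux_config_value "$1" SELINUX)
    printf '%s\n' "${mode:-disabled}"
}

# Build the semanage call. The store is always named with -S so the port
# mapping lands in the on-disk policy even while SELinux is disabled; without
# it semanage fails (the error shown in comment 0) and the mapping is simply
# missing once SELinux is enabled later.
semanage_port_cmd() {
    cfg=$1 setype=$2 proto=$3 port=$4
    printf 'semanage port -a -S %s -t %s -p %s %s\n' \
        "$(selinux_store "$cfg")" "$setype" "$proto" "$port"
}

# Verify: read a `semanage port -l` listing on stdin and succeed only if
# PORT/PROTO is mapped to SETYPE, honouring both single ports and ranges.
port_is_labeled() {
    awk -v t="$1" -v pr="$2" -v p="$3" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v == p) found = 1
                if (v ~ /^[0-9]+-[0-9]+$/) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# What an RPM %post scriptlet would do: add the mapping, then confirm it is
# really in the store. Failure is reported, not fatal, so the package install
# itself still completes and the admin sees what to re-run.
label_port() {
    cmd=$(semanage_port_cmd "$SELINUX_CONFIG" "$1" "$2" "$3")
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not installed; would run: $cmd" >&2
        return 0
    fi
    if $cmd && semanage port -l -S "$(selinux_store "$SELINUX_CONFIG")" \
            | port_is_labeled "$1" "$2" "$3"; then
        return 0
    fi
    echo "warning: port $2/$3 not labeled $1 (SELinux mode: $(selinux_mode "$SELINUX_CONFIG")); re-run: $cmd" >&2
    return 1
}
```

In a %post scriptlet this reduces to `label_port ldap_port_t tcp 4389`. Given a constructed listing line such as `ldap_port_t tcp 389, 636, 3268, 4389`, `port_is_labeled ldap_port_t tcp 4389` succeeds and `port_is_labeled ldap_port_t udp 4389` fails, which is the check worth running again after SELinux is switched to enforcing and the box is rebooted (the point at which the denials in comment 0 appeared). Note that `semanage port -a` errors if the port is already defined, so an upgrade path should use `-m` instead.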
Comment 33 Daniel Walsh 2008-09-17 15:41:07 EDT
Fixed in policycoreutils-1.33.12-14.1.el5
Comment 35 Tony Fu 2008-10-05 21:28:33 EDT
User jkubin@redhat.com's account has been closed
Comment 41 Daniel Walsh 2009-04-09 13:21:41 EDT
Fixed in policycoreutils-1.33.12-14.4.el5.src.rpm
Comment 47 errata-xmlrpc 2009-09-02 05:47:28 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1292.html
