Bug 429999 - SELinux policies for all server components
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server
Version: 1.0
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Blocks: freeipa10 429034

Reported: 2008-01-24 01:28 EST by Chandrasekar Kannan
Modified: 2012-03-27 03:13 EDT
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 03:13:48 EDT


Attachments
patch submitted by Dan Walsh (14.28 KB, patch), 2008-02-07 10:59 EST, Rob Crittenden
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui (17.01 KB, patch), 2008-02-08 11:15 EST, Rob Crittenden
fix for RHEL 5 contributed by Dan Walsh (1.52 KB, patch), 2008-02-20 12:54 EST, Rob Crittenden

Description Chandrasekar Kannan 2008-01-24 01:28:24 EST
Ticket #44 (new enhancement)

Opened 3 months ago
SELinux policies for all server components
Reported by: kmacmill
Assigned to: kmacmill
Priority: major
Milestone: release-1
Component: ipa-server
Comment 3 Rob Crittenden 2008-02-07 10:59:55 EST
Created attachment 294221
patch submitted by Dan Walsh

Karl submitted a patch to handle ipa-webgui and ipa-kpasswd before he left.

Dan reviewed it and changed a few things. Added auth_use_nsswitch() and removed
rules that are covered by this interface.

We have since made some changes, including renaming ipa-* to ipa_*, adding
sessions, pid files and a few other things.
Comment 4 Rob Crittenden 2008-02-08 11:15:12 EST
Created attachment 294372
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui
Comment 5 Rob Crittenden 2008-02-20 10:01:22 EST
Committed in changeset 644
Comment 6 Rob Crittenden 2008-02-20 10:01:41 EST
Fails to compile on RHEL 5
Comment 7 Rob Crittenden 2008-02-20 12:54:09 EST
Created attachment 295432
fix for RHEL 5 contributed by Dan Walsh
Comment 8 Rob Crittenden 2008-02-20 12:54:41 EST
Committed in changeset 661
Comment 9 Simo Sorce 2008-03-04 14:46:05 EST
With SELinux Enforcing I get the following audit.log denial and ipa_webgui does
not start (latest QE packages):

type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765 comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)
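
Reading the denial in comment 9 mechanically, as an added example (not part of the bug report or the FreeIPA policy): the script pairs the AVC and SYSCALL records by their shared audit event ID and reports the confined domain, target type, class, permission and the errno the syscall returned. The function names are illustrative, and the `rule` string is only the raw allow rule the denial implies; the page does not show what changeset 707 actually changed.

```python
import errno
import re
from collections import defaultdict

# The two records from comment 9, with the 80-column wrapping undone.
AUDIT_LOG = '''\
type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765 comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)
'''

HEADER = re.compile(r'^[ \t]*type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$', re.M)
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial) so AVC and SYSCALL records pair up."""
    events = defaultdict(dict)
    for rtype, ts, serial, body in HEADER.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            fields['perms'] = p.group(1).split() if p else []
        events[(ts, serial)][rtype] = fields
    return events

def summarize_denials(text):
    """One dict per denied AVC, joined with the syscall that triggered it."""
    out = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or not avc['perms']:
            continue
        src = avc['scontext'].split(':')[2]  # context is user:role:type:level
        tgt = avc['tcontext'].split(':')[2]
        perms = avc['perms']
        plist = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rc = int(sc['exit']) if 'exit' in sc else None
        out.append({
            'serial': int(serial), 'domain': src, 'target': tgt,
            'tclass': avc['tclass'], 'perms': perms, 'exe': sc.get('exe'),
            'exit': rc, 'errno': errno.errorcode.get(-rc) if rc else None,
            # Raw rule implied by the denial; not necessarily the committed fix.
            'rule': f'allow {src} {tgt}:{avc["tclass"]} {plist};',
        })
    return out

if __name__ == '__main__':
    for denial in summarize_denials(AUDIT_LOG):
        print(denial)
```
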
Comment 10 Rob Crittenden 2008-03-04 15:34:55 EST
Pushed as changeset 707
Comment 11 Chandrasekar Kannan 2008-04-08 16:19:31 EDT
we are running ok with selinux enabled. no avc's seen so far with today's build.

marking bug verified