Bug 429999 - SELinux policies for all server components
Summary: SELinux policies for all server components
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: freeipa10 429034
Reported: 2008-01-24 06:28 UTC by Chandrasekar Kannan
Modified: 2012-03-27 07:13 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-27 07:13:48 UTC
Embargoed:


Attachments
patch submitted by Dan Walsh (14.28 KB, patch), 2008-02-07 15:59 UTC, Rob Crittenden
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui (17.01 KB, patch), 2008-02-08 16:15 UTC, Rob Crittenden
fix for RHEL 5 contributed by Dan Walsh (1.52 KB, patch), 2008-02-20 17:54 UTC, Rob Crittenden

Description Chandrasekar Kannan 2008-01-24 06:28:24 UTC
Ticket #44 (new enhancement)

Opened 3 months ago
SELinux policies for all server components
Reported by: 	kmacmill 	Assigned to: 	kmacmill
Priority: 	major 	Milestone: 	release-1
Component: 	ipa-server 	Version: 	
Keywords: 		Cc:

Comment 3 Rob Crittenden 2008-02-07 15:59:55 UTC
Created attachment 294221
patch submitted by Dan Walsh

Karl submitted a patch to handle ipa-webgui and ipa-kpasswd before he left.

Dan reviewed it and changed a few things. Added auth_use_nsswitch() and removed
rules that are covered by this interface.

We have since made some changes, including renaming ipa-* to ipa_*, adding
sessions, pid files and a few other things.

Comment 4 Rob Crittenden 2008-02-08 16:15:12 UTC
Created attachment 294372
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui

Comment 5 Rob Crittenden 2008-02-20 15:01:22 UTC
Committed in changeset 644

Comment 6 Rob Crittenden 2008-02-20 15:01:41 UTC
Fails to compile on RHEL 5

Comment 7 Rob Crittenden 2008-02-20 17:54:09 UTC
Created attachment 295432
fix for RHEL 5 contributed by Dan Walsh

Comment 8 Rob Crittenden 2008-02-20 17:54:41 UTC
Committed in changeset 661

Comment 9 Simo Sorce 2008-03-04 19:46:05 UTC
With SELinux Enforcing I get the following audit.log denial and ipa_webgui does
not start (latest QE packages):

type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765 comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)
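
A triage sketch for the denial quoted in comment 9, added here as an example and not part of the original bug thread or the FreeIPA patches: it pairs the AVC and SYSCALL records by audit event id and derives the allow rule the denial implies. The function names are hypothetical, and the rule is only a candidate for policy review; the page does not show what changeset 707 actually changed.

```python
import re
from collections import defaultdict

# The two audit records quoted in comment 9, unwrapped to one line each.
AUDIT_LOG = (
    'type=AVC msg=audit(1204659871.334:213): avc:  denied  { search } for  pid=12765 '
    'comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 '
    'scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)\n'
)

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Correlate AVC and SYSCALL records by audit event id; one dict per denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
        if rtype != "AVC" or perms:  # skip AVC records that are not denials
            events[event_id][rtype] = fields
    denials = []
    for event_id, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
        rule = "allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))
        denials.append({"event": event_id, "comm": avc["comm"], "exe": sc.get("exe"),
                        "exit": int(sc["exit"]) if "exit" in sc else None, "rule": rule})
    return denials

if __name__ == "__main__":
    print(parse_denials(AUDIT_LOG))
```

In the SYSCALL record, exit=-13 is -EACCES and syscall=2 with arch=c000003e is open(2) on x86_64, which is consistent with the denied directory search on sbin.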


Comment 10 Rob Crittenden 2008-03-04 20:34:55 UTC
Pushed as changeset 707

Comment 11 Chandrasekar Kannan 2008-04-08 20:19:31 UTC
We are running OK with SELinux enabled. No AVCs seen so far with today's build.

Marking bug verified.

