Bug 533157 - SELinux conflicts with OpenLDAP init script
Summary: SELinux conflicts with OpenLDAP init script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: 12
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Jan Zeleny
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-05 12:27 UTC by Jan Zeleny
Modified: 2010-02-16 07:55 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-16 07:55:19 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Jan Zeleny 2009-11-05 12:27:26 UTC 
Description of problem:
SELinux in enforcing mode prevents normal operation of OpenLDAP init script.

Version-Release number of selected component (if applicable):
openldap-2.4.18-5


Steps to Reproduce:
1. Install openldap and openldap-servers
2. Turn SELinux on
3. setenforce 1
4. restorecon -v -R /etc/openldap/ /var/run/ /var/lib/
5. service slapd start
  
Actual results:
SELinux prevents in creating hard link /var/run/slapd.pid to /var/run/openldap/slapd.pid

Expected results:
Hard link is created

Detailed info gathered using salert -l (partially in czech):
Summary:

SELinux is preventing /bin/ln "link" access on slapd.pid.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ln. It is not expected that this access is
required by ln and this access may signal an intrusion attempt. It is also   
possible that the specific version or configuration of the application is    
causing it to require additional access.                                     

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.                                                                     

Additional Information:

Source Context                unconfined_u:system_r:initrc_t:s0
Target Context                unconfined_u:object_r:slapd_var_run_t:s0
Target Objects                slapd.pid [ file ]                      
Source                        ln                                      
Source Path                   /bin/ln                                 
Port                          <Unknown>                               
Host                          vbox-f12                                
Source RPM Packages           coreutils-7.6-5.fc12                    
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-40.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     vbox-f12
Platform                      Linux vbox-f12 2.6.31.5-115.fc12.x86_64 #1 SMP Tue
                              Nov 3 23:56:19 EST 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Thu Nov  5 11:20:43 2009
Last Seen                     Thu Nov  5 11:30:52 2009
Local ID                      5642691b-0414-4bb8-bf5d-7ef62b8ca744
Line Numbers

Raw Audit Messages

node=vbox-f12 type=AVC msg=audit(1257417052.171:81): avc:  denied  { link } for  pid=2221 comm="ln" name="slapd.pid" dev=dm-0 ino=227 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:slapd_var_run_t:s0 tclass=file

node=vbox-f12 type=SYSCALL msg=audit(1257417052.171:81): arch=c000003e syscall=86 success=yes exit=0 a0=7fffb6348f4d a1=7fffb6348f69 a2=0 a3=7fffb6347810 items=0 ppid=2182 pid=2221 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="ln" exe="/bin/ln" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Some other information:
ps -eZ | grep initrc:
system_u:system_r:initrc_t:s0    1226 ?        00:00:00 vboxadd-service
rpm -q selinux-policy:
selinux-policy-3.6.32-40.fc12.noarch

When switching to Permissive mode, everything seems to work.
Comment 1 Bug Zapper 2009-11-16 15:08:31 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Jan Zeleny 2010-02-16 07:36:31 UTC 
Is this issue still present? It should have been fixed by new policy in selinux combined with some modifications to openldap init script. Please let me know if these problems persist.
Comment 3 Daniel Qarras 2010-02-16 07:47:14 UTC 
Works for me now. Thanks!
Comment 4 Jan Zeleny 2010-02-16 07:55:19 UTC 
Perfect. I'm closing this bug then.
Note You need to log in before you can comment on or make changes to this bug.