Summary: SELinux is preventing /usr/sbin/slapd "write" access. Addendum: write to /etc/openldap/slapd.d (add a new schema) Detailed Description: SELinux denied access requested by slapd. It is not expected that this access is required by slapd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:slapd_t:s0 Target Context unconfined_u:object_r:etc_t:s0 Target Objects None [ dir ] Source slapd Source Path /usr/sbin/slapd Port <Unknown> Host (removed) Source RPM Packages openldap-servers-2.4.18-5.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-55.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.31.6-162.fc12.x86_64 #1 SMP Fri Dec 4 00:06:26 EST 2009 x86_64 x86_64 Alert Count 1 First Seen Wed 09 Dec 2009 11:28:51 AM CET Last Seen Wed 09 Dec 2009 11:28:51 AM CET Local ID e8a3dd5f-aaf7-42a3-8b09-e158cb1ead53 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1260354531.676:34473): avc: denied { write } for pid=21438 comm="slapd" name="cn=schema" dev=dm-5 ino=254402 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1260354531.676:34473): arch=c000003e syscall=2 success=no exit=-13 a0=7fb600105a00 a1=c2 a2=180 a3=7fb60bffcdb0 items=0 ppid=1 pid=21438 auid=5001 uid=55 gid=55 euid=55 suid=55 fsuid=55 egid=55 sgid=55 fsgid=55 tty=(none) ses=23 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-55.fc12,catchall,slapd,slapd_t,etc_t,dir,write audit2allow suggests: #============= slapd_t ============== allow slapd_t etc_t:dir write;
openldap keeps the config dynamically now in slapd.d. Added a rootpw to cn=config.ldif. Then I tried to add a schema with ldapadd, like described here: http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2.4.11-700452/ SELinux didn't allow that.
Policy to allow: module myslapd 1.0; require { type slapd_t; type etc_t; class dir { write remove_name add_name }; class file { write rename create unlink }; } #============= slapd_t ============== allow slapd_t etc_t:dir { write remove_name add_name }; allow slapd_t etc_t:file { write rename create unlink };
# semanage fcontext -a -t slapd_db_t '/etc/openldap/slapd\.d(/.*)?' # restorecon -R -v /etc/openldap Is a much better idea, then adding the allow rules, since the allow rules would allow openldap to write /etc/passwd. I will make this the default label, although I would prefer openldap not to write to /etc at all. Fixed in selinux-policy-3.6.32-57.fc12.noarch I am working on a version of audit2allow that would have said. # audit2allow -i /tmp/t #============= slapd_t ============== #!!!! The source type 'slapd_t' can write to a 'dir' of the following types: # tmp_t, slapd_tmp_t, slapd_replog_t, var_run_t, slapd_db_t, var_lock_t, slapd_var_run_t, root_t allow slapd_t etc_t:dir { write open }; Would that have helped you?
Hi Daniel, your relabeling fix seems to be much better. I just wanted to supply a hint of what has worked for me, using quick and dirty iterative audit2allows. Your audit2allow version sounds good, and it would definitely help. In this case, I would have had a hard time picking one though. Is slapd.d config or data? Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would live in etc, not writable to slapd. Andreas.
I agree, reassiging to openldap
Hi, (In reply to comment #4) > Your audit2allow version sounds good, and it would definitely help. In this > case, I would have had a hard time picking one though. Is slapd.d config or > data? It's config stored in the ldif data format > Another idea would be to move slapd.d to /var/lib. Oldstyle slapd.conf would > live in etc, not writable to slapd. The whole point of slapd.d is to replace slapd.conf entirely. That's why slapd.conf isn't included in the package any more. /etc/openldap/slapd.d is its position, because it's where openldap looks for config by default. Why it is writable you pretty much described in comment #1 - the configuration is dynamic and to be also persistent, it has to be written to slapd.d. Moving slapd.d to /var/lib doesn't seem to be a good option, because it's a config, not data content. The best option from my point of view is to permit writing in /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I certainly would have announced this change so SELinux would be prepared for it.
(In reply to comment #6) > The best option from my point of view is to permit writing in > /etc/openldap/slapd.d in SELinux (as it seems to be enabled in the next version > of selinux-policy). I'm sorry I didn't think about this earlier. Otherwise I > certainly would have announced this change so SELinux would be prepared for it. Hi, I'm fine with your reasoning and decision. I think it felt unusal to have the program manage it's own config files in etc. /etc/cluster/cluster.conf is similar though. I suggest closing this bug. Andreas.
Ok Marking as modified until -57 or later is released.
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384