Bug 569990 - SELinux is preventing /usr/sbin/ns-slapd "write" access on /etc/dirsrv/slapd-jgbp/dse.ldif.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:83c6de987ee...
Depends On:
Blocks:
 
Reported: 2010-03-02 21:16 UTC by Jordi Genis
Modified: 2011-04-25 23:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-02 22:04:08 UTC
Type: ---
Embargoed:



Description Jordi Genis 2010-03-02 21:16:10 UTC
Summary:

SELinux is preventing /usr/sbin/ns-slapd "write" access on
/etc/dirsrv/slapd-jgbp/dse.ldif.

Detailed Description:

SELinux denied access requested by ns-slapd. It is not expected that this access
is required by ns-slapd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:slapd_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/dirsrv/slapd-jgbp/dse.ldif [ file ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           389-ds-base-1.2.5-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.22.fc12.x86_64
                              #1 SMP Fri Feb 19 18:55:03 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 02 Mar 2010 21:46:21 CET
Last Seen                     Tue 02 Mar 2010 21:46:21 CET
Local ID                      e84e4e04-bba4-4e8b-a8c6-d750b3b73625
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1267562781.94:35): avc:  denied  { write } for  pid=4151 comm="ns-slapd" name="dse.ldif" dev=dm-0 ino=2932897 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1267562781.94:35): arch=c000003e syscall=21 success=no exit=-13 a0=10c34a0 a1=2 a2=0 a3=41 items=0 ppid=4150 pid=4151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:slapd_t:s0 key=(null)



Hash String generated from  catchall,ns-slapd,slapd_t,etc_t,file,write
audit2allow suggests:

#============= slapd_t ==============
allow slapd_t etc_t:file write;
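
An added example, not part of the original report and not code from setroubleshoot or audit2allow: a small parser that reads the AVC record quoted above, derives the same allow rule, and marks rules whose target is a generic file type. The `GENERIC_TYPES` set and the function names are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# AVC record copied from the report above (node field redacted there).
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1267562781.94:35): avc:  denied  '
    '{ write } for  pid=4151 comm="ns-slapd" name="dse.ldif" dev=dm-0 '
    'ino=2932897 scontext=system_u:system_r:slapd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types treated as "generic", i.e. shared
# by many unrelated files, so an allow rule on them covers far more than one file.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "tmp_t", "default_t", "unlabeled_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Merge denials per (source type, target type, class) and build rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    out = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rule = f"allow {stype} {ttype}:{tclass} {perm_txt};"
        out.append({"rule": rule, "broad": ttype in GENERIC_TYPES})
    return out

if __name__ == "__main__":
    for item in summarize([AVC_LINE]):
        note = "generic target type: check labeling/policy first" if item["broad"] else "ok"
        print(item["rule"], "#", note)
```

A rule marked `broad` would let the source domain write to every file carrying that generic type, which is why a policy or labeling fix is preferable to loading it as a local module.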

Comment 1 Nathan Kinder 2010-03-02 22:04:08 UTC
This was caused by a change made to the selinux-policy package for bug 559298.  Please update to selinux-policy-3.6.32-92 and the problem should be fixed.

Comment 2 Rich Megginson 2010-03-02 22:25:24 UTC
389-ds-base 1.2.6.a2 (currently in testing) has a -selinux subpackage which contains the policy for the directory server.

