Bug 572355 - selinux package does not label files correctly
Summary: selinux package does not label files correctly
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.6
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 389_1.2.6 639035
TreeView+ depends on / blocked
 
Reported: 2010-03-10 23:34 UTC by Orion Poplawski
Modified: 2015-12-07 17:15 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 17:15:38 UTC


Attachments (Terms of Use)
0001-Bug-572355-Relabel-instance-files-and-ports-at-upgra.patch (1.98 KB, patch)
2010-03-23 01:25 UTC, Endi Sukma Dewata
no flags Details | Diff

Description Orion Poplawski 2010-03-10 23:34:41 UTC
Description of problem:

-selinux package uses "fixfiles -R <package>" to label files, but this does not set the labels of the installed servers in /etc/dirsrv/slapd-<name> and /var/.../dirsrv/slapd-<name>.

I think you want something like:

restorecon -R /etc/dirsrv /var/*/dirsrv

Version-Release number of selected component (if applicable):
389-ds-base-selinux-1.2.6-0.2.a2.el5

Comment 1 Nathan Kinder 2010-03-11 01:13:57 UTC
I think that this is something that needs to be taken care of when running 'setup-ds.pl -u' since some of the instance path's may be customized.  The spec file doesn't have any knowledge of where the instance files live right now, which is probably how it should be kept.

Comment 3 Endi Sukma Dewata 2010-03-23 01:25:39 UTC
Created attachment 401899 [details]
0001-Bug-572355-Relabel-instance-files-and-ports-at-upgra.patch

The updateDSInstance() has been modified to invoke updateSelinuxPolicy() to set the SELinux labels on instance files and ports.

Comment 4 Rich Megginson 2010-03-23 16:23:07 UTC
Looks ok to me - Nathan?

Comment 5 Nathan Kinder 2010-03-23 18:10:47 UTC
The patch looks good.  Was it tested in an upgrade scenario to ensure no AVCs are seen in the audit log?

Comment 6 Endi Sukma Dewata 2010-03-29 23:39:40 UTC
There seems to be an existing problem with SELinux policy. This was tested on F12. Install the 1.2.6 rpms from testing repo (which doesn't include this patch):

% yum install --enablerepo=updates-testing 389-ds-base 389-ds-base-selinux

Create a new instance (not an upgrade) with setup-ds.pl. The server will start automatically, but the following messages will appear in the audit log:

type=MAC_POLICY_LOAD msg=audit(1269577256.583:778): policy loaded auid=0 ses=1
type=SYSCALL msg=audit(1269577256.583:778): arch=40000003 syscall=4 success=yes exit=4795358 a0=4 a1=b7326000 a2=492bde a3=4 items=0 ppid=4378 pid=4380 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1269577367.896:779): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:779): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7acc a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1269577367.896:780): avc:  denied  { create } for  pid=4469 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1269577367.896:780): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bffc7b0c a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Comment 7 Nathan Kinder 2010-04-05 22:43:43 UTC
(In reply to comment #6)
> There seems to be an existing problem with SELinux policy. This was tested on
> F12. Install the 1.2.6 rpms from testing repo (which doesn't include this
> patch):
> 
> % yum install --enablerepo=updates-testing 389-ds-base 389-ds-base-selinux
> 
> Create a new instance (not an upgrade) with setup-ds.pl. The server will start
> automatically, but the following messages will appear in the audit log:
> 

<snip>

> type=AVC msg=audit(1269577367.896:780): avc:  denied  { create } for  pid=4469
> comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
> type=SYSCALL msg=audit(1269577367.896:780): arch=40000003 syscall=102
> success=no exit=-13 a0=1 a1=bffc7b0c a2=b7dff4 a3=1 items=0 ppid=4466 pid=4469
> auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=1
> comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0
> key=(null)    

I have been unable to reproduce this on my F12 VM.  My instance is created and started just fine under the confined dirsrv_t domain with no AVCs.  Were you just using the defaults for the install?

Comment 8 Nathan Kinder 2010-04-06 16:45:11 UTC
I have tested the patch in an upgrade scenario on my F-12 system, and the instance files are labelled properly with the instance running in the confined domain after installing the new RPM.  No AVCs are reported in the audit log.

Pushed patch to master.  Thanks for the patch Endi!

Counting objects: 15, done.
Delta compression using 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 816 bytes, done.
Total 8 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   1f56658..e72f8af  master -> master

Comment 9 Endi Sukma Dewata 2010-04-06 19:27:10 UTC
Thanks Nathan. I was using the defaults, but probably my machine was not properly configured. Sorry about that, thanks for verifying.

Comment 10 Amita Sharma 2011-05-20 12:45:09 UTC
Hi Nathan,

Request you to please guide how should I verify this with RHDS 8.2.

Thanks and Regards,
Amita


Note You need to log in before you can comment on or make changes to this bug.