Bug 576427 - starting dirsrv-admin in current selinux policy fails
Keywords:
Status: CLOSED DUPLICATE of bug 570912
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-admin
Version: 13
Hardware: All
OS: Linux
Importance: low (priority), medium (severity)
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-03-24 01:19 UTC by lejeczek
Modified: 2011-04-25 23:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-29 20:38:07 UTC
Type: ---
Embargoed:



Description lejeczek 2010-03-24 01:19:18 UTC
Description of problem:
This module, generated the standard way, is a quick fix:

# Module header added here so the source builds with checkmodule/semodule_package;
# the name is an assumed placeholder, not one from the original post.
module dirsrv_admin_local 1.0;

require {
	type user_tmp_t;
	type dirsrv_var_run_t;
	type dirsrv_var_log_t;
	type security_t;
	type user_devpts_t;
	type httpd_t;
	type dirsrv_share_t;
	type dirsrv_lib_t;
	type dirsrv_config_t;
	class sock_file { create setattr };
	class chr_file { read write append };
	class dir { write search getattr remove_name add_name };
	class file { execute read lock create write getattr open };
}

# Allow rules only (no type transitions): the admin server runs in the web
# server domain httpd_t and needs to reach the directory server's labels.
allow httpd_t dirsrv_config_t:dir { getattr search };
allow httpd_t dirsrv_config_t:file { read lock getattr open };
allow httpd_t dirsrv_lib_t:dir search;
allow httpd_t dirsrv_lib_t:file { read getattr open execute };
allow httpd_t dirsrv_share_t:dir search;
allow httpd_t dirsrv_var_log_t:dir { write add_name };
allow httpd_t dirsrv_var_log_t:file create;
allow httpd_t dirsrv_var_run_t:dir { write search add_name remove_name };
allow httpd_t dirsrv_var_run_t:file { write create open };
allow httpd_t dirsrv_var_run_t:sock_file { create setattr };

# These three reach beyond the dirsrv_* labels: the selinuxfs, the user's
# pseudo-terminal, and a file in the user's tmp directory.
allow httpd_t security_t:file { read open };
allow httpd_t user_devpts_t:chr_file { read write append };
allow httpd_t user_tmp_t:file write;


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Nathan Kinder 2010-03-24 16:42:30 UTC
There is already a dirsrv-admin selinux module in testing for the 389-admin component.

What version of 389-ds-base and 389-admin are you using?  What AVCs do you receive when you attempt to start the dirsrv-admin service?

Comment 2 lejeczek 2010-03-24 17:10:21 UTC
389-admin-selinux-1.1.11-0.2.a2.fc13.x86_64

389-ds-base-1.2.6-0.2.a2.fc13.x86_64
389-admin-1.1.11-0.2.a2.fc13.x86_64

these denials don't seem to be audited

Comment 3 Nathan Kinder 2010-03-24 18:15:56 UTC
What does 'semodule -l | grep dirsrv' show?

We do have some known issues we are working on with regards to the policy modules not being properly loaded due to recent changes in the base selinux policy.  We plan to resolve these before the next testing release of 389.

Comment 4 lejeczek 2010-03-24 19:41:57 UTC
dirsrv	1.0.0

Comment 5 Nathan Kinder 2010-03-24 19:58:05 UTC
(In reply to comment #4)
> dirsrv 1.0.0    

Ok, this shows that the dirsrv-admin module is not loaded, even though 389-admin-selinux is installed.

Please run the following as root and put the error(s) in this bug:

  'semodule -i /usr/share/selinux/targeted/dirsrv-admin.pp'

Comment 6 lejeczek 2010-03-25 10:04:55 UTC
libsepol.expand_terule_helper: conflicting TE rule for (httpd_t, var_run_t:dir):  old was httpd_var_run_t, new is dirsrv_var_run_t
libsepol.expand_module: Error during expand
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

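Two review helpers for the artefacts in this bug, added here as an example and not part of 389-admin or of any comment: one reads the libsepol "conflicting TE rule" error from comment 6 back into its fields, the other lists which allow rules in the quick-fix module from the description give httpd_t access outside the dirsrv_* labels. All input is passed as text, so it runs without semodule; the samples are constructed from the comments above.

```shell
#!/bin/sh
# Added example for this bug (not part of 389-admin or the reporter's post):
# review helpers for the two artefacts above, the locally generated allow
# module and the libsepol "conflicting TE rule" error. Text is passed in as
# arguments, so it runs without semodule; the samples are constructed.

# module_loaded NAME "$(semodule -l)"  ->  0 if NAME is in the first column
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# parse_te_conflict ERROR_TEXT
# Prints "source target class old_default new_default" for a line such as
# "conflicting TE rule for (httpd_t, var_run_t:dir): old was httpd_var_run_t,
# new is dirsrv_var_run_t". The rule is a type_transition: each
# (source, target, class) key may carry one default type, so a module that
# disagrees with the base policy cannot be linked in, whatever it allows.
parse_te_conflict() {
    printf '%s\n' "$1" | sed -n \
        's/.*conflicting TE rule for (\([^,]*\), *\([^:]*\):\([^)]*\)): *old was \([^,]*\), *new is \([^ ]*\).*/\1 \2 \3 \4 \5/p' |
        grep .
}

# foreign_targets MODULE_TEXT
# Lists target types of httpd_t allow rules that are not dirsrv_* labels:
# the rules to question before loading a quick-fix module, since they widen
# the web server's reach beyond the directory server's own files.
foreign_targets() {
    printf '%s\n' "$1" |
        awk '$1 == "allow" && $2 == "httpd_t" { split($3, t, ":"); if (t[1] !~ /^dirsrv_/) print t[1] }' |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed samples modelled on comments 4 and 6 and on the module posted
# in the description.
SAMPLE_LIST="dirsrv 1.0.0"
SAMPLE_ERR="libsepol.expand_terule_helper: conflicting TE rule for (httpd_t, var_run_t:dir):  old was httpd_var_run_t, new is dirsrv_var_run_t
libsepol.expand_module: Error during expand
semodule:  Failed!"
SAMPLE_MODULE="allow httpd_t dirsrv_config_t:dir getattr;
allow httpd_t dirsrv_var_run_t:sock_file { create setattr };
allow httpd_t security_t:file { read open };
allow httpd_t user_devpts_t:chr_file { read write append };
allow httpd_t user_tmp_t:file write;"

module_loaded dirsrv-admin "$SAMPLE_LIST" || echo "dirsrv-admin: not loaded"
parse_te_conflict "$SAMPLE_ERR"
foreign_targets "$SAMPLE_MODULE"; echo
```

On a real host, replace the samples with `"$(semodule -l)"`, the captured `semodule -i` output, and the module's .te source; the conflict itself has to be resolved in the packaged policy, not by adding allow rules.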
Comment 7 Nathan Kinder 2010-03-29 20:38:07 UTC
This is a duplicate of bug 570912.

*** This bug has been marked as a duplicate of bug 570912 ***

