Description of problem:
I upgraded to 389-ds-base-1.2.6-0.3.a3.fc12.x86_64 and now get the following from Apache:

type=AVC msg=audit(1271856358.011:46003): avc: denied { write } for pid=14098 comm="httpd" name="slapd-EXAMPLE-COM.socket" dev=sda1 ino=40977 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1271858144.879:46015): avc: denied { connectto } for pid=14249 comm="httpd" path="/var/run/slapd-EXAMPLE-COM.socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket

The context of /var/run/slapd-INSTANCE.socket has changed from var_run_t to dirsrv_var_run_t.

Version-Release number of selected component (if applicable):
build from 4/20/2010
The old version of 389 had no SELinux policy, so the context of the ldapi socket file was var_run_t due to the label being inherited from the parent directory (/var/run). The current versions of 389 with SELinux policy use the dirsrv_var_run_t label for any files created by ns-slapd in /var/run. This happens because we use the following macro:

files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })

We do this intentionally so we can confine ns-slapd to only manage its own /var/run files. We also have some interfaces available that allow certain permissions on these files for use by the Admin Server (dirsrv-admin) policy.

I'm wondering if the best thing to do is to change the httpd, bind, and samba policies to allow them to have the proper permissions on dirsrv_var_run_t sock_files. I'm cc-ing dwalsh to see what he thinks about this. I'll look into what we do for allowing these daemons to access OpenLDAP's ldapi socket files.
grep -r ldap_stream_connect .
./services/cyrus.te: ldap_stream_connect(cyrus_t)
./services/ldap.if:interface(`ldap_stream_connect',`
./system/authlogin.if: ldap_stream_connect($1)

Currently we allow cyrus_t this access directly and lots of other domains this access via auth_use_nsswitch.

sesearch -A -c unix_stream_socket -t slapd_t | wc -l
257

If you want to give the same access as openldap, I would need to add an interface for your app to the base policy.

########################################
## <summary>
##    Connect to slapd over an unix stream socket.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`ldap_stream_connect',`
    gen_require(`
        type slapd_t, slapd_var_run_t;
    ')

    files_search_pids($1)
    allow $1 slapd_var_run_t:sock_file write;
    allow $1 slapd_t:unix_stream_socket connectto;
')
(In reply to comment #2)
> If you want to give the same access as openldap, I would need to add an
> interface for you app to the base policy

I think this would be the best approach. It looks like most apps/daemons using the OpenLDAP ldapi socket are not using the interface, but use rules like this directly:

allow smbd_t slapd_var_run_t : sock_file write ;
allow smbd_t slapd_t : unix_stream_socket connectto ;

We would want the same apps/daemons to be allowed to use our ldapi socket, so we need something equivalent to these rules for all of those apps/daemons (picking on samba as an example):

allow smbd_t dirsrv_var_run_t : sock_file write ;
allow smbd_t dirsrv_t : unix_stream_socket connectto ;
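As an added example (not code from the bug report or from the selinux-policy project), this shell script reduces the two AVC records quoted in the description to the allow rules they ask for, the same rules the comment above writes by hand for smbd_t, here with httpd_t as the source domain. AVC_SAMPLE is constructed from the report, and the function names avc_to_allow and rules_for_sample are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy: turn AVC
# denial records into the SELinux allow rules they ask for, as the comment
# above does by hand. AVC_SAMPLE is constructed from the two records in the
# bug description (one record per line).
AVC_SAMPLE='type=AVC msg=audit(1271856358.011:46003): avc: denied { write } for pid=14098 comm="httpd" name="slapd-EXAMPLE-COM.socket" dev=sda1 ino=40977 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1271858144.879:46015): avc: denied { connectto } for pid=14249 comm="httpd" path="/var/run/slapd-EXAMPLE-COM.socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC records on stdin and print one allow rule per record.
# A context is user:role:type:level, so the type is the third colon field.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the denied permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   cls = kv[2]
        }
        # several permissions in one record need a brace set in policy syntax
        if (index(perm, " ")) perm = "{ " perm " }"
        if (src != "" && tgt != "" && cls != "" && perm != "")
            printf "allow %s %s:%s %s;\n", src, tgt, cls, perm
    }'
}

# rules_for_sample: the de-duplicated rules implied by the constructed sample.
rules_for_sample() {
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | sort -u
}

rules_for_sample
```

On a live system, `ls -Z /var/run/slapd-*.socket` shows whether the socket carries dirsrv_var_run_t as described. The rules printed are what the denials ask for; the fix that went into selinux-policy is the interface discussed in this thread rather than a hand-written module.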
########################################
## <summary>
##    Connect to slapd over an unix stream socket.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`ldap_stream_connect',`
    gen_require(`
        type slapd_t, slapd_var_run_t;
    ')

    files_search_pids($1)
    allow $1 slapd_var_run_t:sock_file write;
    allow $1 slapd_t:unix_stream_socket connectto;

    optional_policy(`
        ldap_stream_connect_dirsrv($1)
    ')
')

########################################
## <summary>
##    Connect to dirsrv over an unix stream socket.
## </summary>
## <param name="domain">
##    <summary>
##    Domain allowed access.
##    </summary>
## </param>
#
interface(`ldap_stream_connect_dirsrv',`
    gen_require(`
        type dirsrv_t, dirsrv_var_run_t;
    ')

    files_search_pids($1)
    allow $1 dirsrv_var_run_t:sock_file write;
    allow $1 dirsrv_t:unix_stream_socket connectto;
')

You need this in F13, RHEL6 and RHEL5.6?
(In reply to comment #4)
> You need this in F13, RHEL6 and RHEL5.6?

Yes, but we'd also like it in F11 and F12.

Will your proposed interface be automatically used by all of the apps that we found using this sesearch command?

sesearch -A -c unix_stream_socket -t slapd_t

Unless I'm missing something, only cyrus_t currently uses ldap_stream_connect(). Are other changes needed to have apps that use auth_use_nsswitch() have these rules set? I tried to trace through that macro, but didn't see where these rules are actually defined.
(In reply to comment #5)
> Unless I'm missing something, only cyrus_t currently uses
> ldap_stream_connect(). Are other changes needed to have apps that use
> auth_use_nsswitch() have these rules set? I tried to trace through that macro,
> but didn't see where these rules are actually defined.

Never mind this. I found where auth_use_nsswitch() calls ldap_stream_connect(). I was looking in the serefpolicy source and didn't see it there, but I do see it in /usr/share/selinux/devel/include/system/authlogin.if on my system.

Your policy changes look good.
Miroslav, can you back port these to F11, F12 and RHEL5.6?

Fixed in selinux-policy-3.7.19-4.fc13
Fixed in selinux-policy-3.7.19-4.rhel6
Fixed in selinux-policy-3.6.12-97.fc11
Fixed in selinux-policy-3.6.32-113.fc12