Bug 584460 - SELinux context of ldapi socket needs to be changed

Status: CLOSED UPSTREAM
Product: freeIPA
Classification: Community
Component: SELinux
Version: 2.0
Hardware/OS: All Linux
Priority: low
Severity: medium
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2010-04-21 11:51 EDT by Rob Crittenden
Modified: 2015-01-04 18:42 EST
Last Closed: 2012-03-28 05:35:54 EDT
Doc Type: Bug Fix
Attachments: None

Description Rob Crittenden 2010-04-21 11:51:27 EDT
Description of problem:

I upgraded to 389-ds-base-1.2.6-0.3.a3.fc12.x86_64 and now get the following from Apache:

type=AVC msg=audit(1271856358.011:46003): avc:  denied  { write } for  pid=14098 comm="httpd" name="slapd-EXAMPLE-COM.socket" dev=sda1 ino=40977 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1271858144.879:46015): avc:  denied  { connectto } for  pid=14249 comm="httpd" path="/var/run/slapd-EXAMPLE-COM.socket" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket

The context of /var/run/slapd-INSTANCE.socket has changed from var_run_t to dirsrv_var_run_t.

Version-Release number of selected component (if applicable):

build from 4/20/2010
Comment 1 Nathan Kinder 2010-04-21 12:31:15 EDT
The old version of 389 had no SELinux policy, so the context of the ldapi socket file was var_run_t due to the label being inherited from the parent directory (/var/run).  The current versions of 389 with SELinux policy use the dirsrv_var_run_t label for any files created by ns-slapd in /var/run.  This happens because we use the following macro:

    files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })

We do this intentionally so we can confine ns-slapd to only manage its own /var/run files.  We also have some interfaces available that allow certain permissions on these files for use by the Admin Server (dirsrv-admin) policy.

I'm wondering if the best thing to do is to change the httpd, bind, and samba policies to allow them to have the proper permissions on dirsrv_var_run_t sock_files.  I'm cc-ing dwalsh to see what he thinks about this.

I'll look into what we do for allowing these daemons to access OpenLDAP's ldapi socket files.
Comment 2 Daniel Walsh 2010-04-21 13:07:59 EDT
grep -r ldap_stream_connect .
./services/cyrus.te:	ldap_stream_connect(cyrus_t)
./services/ldap.if:interface(`ldap_stream_connect',`
./system/authlogin.if:		ldap_stream_connect($1)


Currently we allow cyrus_t this access directly and lots of other domains this access via auth_use_nsswitch

sesearch -A -c unix_stream_socket -t slapd_t | wc -l
257

If you want to give the same access as openldap, I would need to add an interface for your app to the base policy



########################################
## <summary>
##	Connect to slapd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ldap_stream_connect',`
	gen_require(`
		type slapd_t, slapd_var_run_t;
	')

	files_search_pids($1)
	allow $1 slapd_var_run_t:sock_file write;
	allow $1 slapd_t:unix_stream_socket connectto;
')
Comment 3 Nathan Kinder 2010-04-21 13:23:16 EDT
(In reply to comment #2)

> If you want to give the same access as openldap, I would need to add an
> interface for you app to the base policy

I think this would be the best approach.  It looks like most apps/daemons using the OpenLDAP ldapi socket are not using the interface, but use rules like this directly:

    allow smbd_t slapd_var_run_t : sock_file write ;
    allow smbd_t slapd_t : unix_stream_socket connectto ;

We would want the same apps/daemons to be allowed to use our ldapi socket, so we need something equivalent to these rules for all of those apps/daemons (picking on samba as an example):

    allow smbd_t dirsrv_var_run_t : sock_file write ;
    allow smbd_t dirsrv_t : unix_stream_socket connectto ;
Comment 4 Daniel Walsh 2010-04-21 13:41:48 EDT
########################################
## <summary>
##	Connect to slapd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ldap_stream_connect',`
	gen_require(`
		type slapd_t, slapd_var_run_t;
	')

	files_search_pids($1)
	allow $1 slapd_var_run_t:sock_file write;
	allow $1 slapd_t:unix_stream_socket connectto;

	optional_policy(`
		ldap_stream_connect_dirsrv($1)	
	')
')

########################################
## <summary>
##	Connect to dirsrv over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ldap_stream_connect_dirsrv',`
	gen_require(`
		type dirsrv_t, dirsrv_var_run_t;
	')

	files_search_pids($1)
	allow $1 dirsrv_var_run_t:sock_file write;
	allow $1 dirsrv_t:unix_stream_socket connectto;
')

You need this in F13, RHEL6 and RHEL5.6?
Comment 5 Nathan Kinder 2010-04-21 14:16:30 EDT
(In reply to comment #4)
> 
> You need this in F13, RHEL6 and RHEL5.6?    

Yes, but we'd also like it in F11 and F12.

Will your proposed interface be automatically used by all of the apps that we found using this sesearch command?

  sesearch -A -c unix_stream_socket -t slapd_t

Unless I'm missing something, only cyrus_t currently uses ldap_stream_connect().  Are other changes needed to have apps that use auth_use_nsswitch() have these rules set?  I tried to trace through that macro, but didn't see where these rules are actually defined.
Comment 6 Nathan Kinder 2010-04-21 14:20:35 EDT
(In reply to comment #5)
> Unless I'm missing something, only cyrus_t currently uses
> ldap_stream_connect().  Are other changes needed to have apps that use
> auth_use_nsswitch() have these rules set?  I tried to trace through that macro,
> but didn't see where these rules are actually defined.    

Never mind this.  I found where auth_use_nsswitch() calls ldap_stream_connect().  I was looking in the serefpolicy source and didn't see it there, but I do see it in /usr/share/selinux/devel/include/system/authlogin.if on my system.

Your policy changes look good.
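Added example (shell), not from the bug or from the selinux-policy project: the trace comment 5 asks about, done mechanically. It searches a tree of reference-policy .if and .te files for every interface or domain file that calls a given interface, follows those callers transitively, and so shows that ldap_stream_connect_dirsrv() is reached through ldap_stream_connect(), through auth_use_nsswitch(), and by every domain that calls either. The miniature policy tree it builds is constructed from the snippets quoted in comments 2 and 4 plus an invented apache.te line; it is not the real tree, and the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the bug or from selinux-policy: find which
# reference-policy interfaces (and which .te files) call a given interface,
# transitively, in a tree of .if/.te files.  The sample tree is constructed
# from the snippets quoted in the bug; it does not mirror the real files.

# build_sample_tree: write a tiny policy tree under directory $1.
build_sample_tree() {
    mkdir -p "$1/services" "$1/system"
    cat > "$1/services/ldap.if" <<'EOF'
interface(`ldap_stream_connect',`
	gen_require(`
		type slapd_t, slapd_var_run_t;
	')
	files_search_pids($1)
	allow $1 slapd_var_run_t:sock_file write;
	allow $1 slapd_t:unix_stream_socket connectto;
	optional_policy(`
		ldap_stream_connect_dirsrv($1)
	')
')
interface(`ldap_stream_connect_dirsrv',`
	gen_require(`
		type dirsrv_t, dirsrv_var_run_t;
	')
	files_search_pids($1)
	allow $1 dirsrv_var_run_t:sock_file write;
	allow $1 dirsrv_t:unix_stream_socket connectto;
')
EOF
    cat > "$1/system/authlogin.if" <<'EOF'
interface(`auth_use_nsswitch',`
	optional_policy(`
		ldap_stream_connect($1)
	')
')
EOF
    # constructed .te lines: cyrus.te is quoted in comment 2, apache.te is invented
    printf 'ldap_stream_connect(cyrus_t)\n' > "$1/services/cyrus.te"
    printf 'auth_use_nsswitch(httpd_t)\n' > "$1/services/apache.te"
}

# direct_callers: print "file:interface" for every call of interface $1 in
# tree $2 ("file:-" when the call sits in a .te file rather than inside an
# interface).  A call is the name followed by "(", not preceded by a name
# character, so ldap_stream_connect_dirsrv( does not count as a call of
# ldap_stream_connect.
direct_callers() {
    find "$2" \( -name '*.if' -o -name '*.te' \) | LC_ALL=C sort | while read -r f; do
        awk -v want="$1" -v file="${f#$2/}" -v q="'" '
        /^interface\(`/ {
            cur = $0; sub(/^interface\(`/, "", cur)
            cur = substr(cur, 1, index(cur, q) - 1)   # name up to the closing quote
        }
        $0 ~ ("(^|[^a-z_])" want "\\(") { print file ":" (cur == "" ? "-" : cur) }
        ' "$f"
    done
}

# callers_of: expand the direct callers of $1 transitively and print each
# interface and .te file that ends up calling it, once.  Interfaces found are
# queued and searched in turn; the seen list cuts cycles.
callers_of() {
    want=$1; dir=$2; seen=" "; queue=$want
    while [ -n "$queue" ]; do
        next=""
        for iface in $queue; do
            for hit in $(direct_callers "$iface" "$dir"); do
                case "$seen" in *" $hit "*) continue ;; esac
                seen="$seen$hit "
                printf '%s\n' "$hit"
                case "$hit" in *.if:*) next="$next ${hit#*.if:}" ;; esac
            done
        done
        queue=$next
    done
}

# Stand-alone run: who ends up calling ldap_stream_connect_dirsrv in the sample tree?
tmp=$(mktemp -d); build_sample_tree "$tmp"
callers_of ldap_stream_connect_dirsrv "$tmp"
rm -rf "$tmp"
```

On a real system the same function can be pointed at the installed interface tree comment 6 mentions, `callers_of ldap_stream_connect /usr/share/selinux/devel/include`. It is a textual search: optional_policy() and tunable_policy() conditions and other m4 indirection are ignored, so it shows what can be reached, not what is compiled in. The authoritative answer is `sesearch -A -s httpd_t -t dirsrv_t -c unix_stream_socket` against the policy actually loaded after installing the fixed selinux-policy, the same check comment 5 used against slapd_t.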
Comment 7 Daniel Walsh 2010-04-21 14:25:37 EDT
Miroslav can you back port these to F11, F12 and RHEL5.6?

Fixed in selinux-policy-3.7.19-4.fc13
Fixed in selinux-policy-3.7.19-4.rhel6
Comment 8 Miroslav Grepl 2010-04-23 04:06:44 EDT
Fixed in selinux-policy-3.6.12-97.fc11
Fixed in selinux-policy-3.6.32-113.fc12