Red Hat Bugzilla – Bug 585476
SELinux is preventing /bin/egrep "read" access .
Last modified: 2012-10-16 04:47:52 EDT
Souhrn: SELinux is preventing /bin/egrep "read" access . Podrobný popis: [SELinux je v tolerantním režimu. Přístup byl povolen.] SELinux denied access requested by egrep. It is not expected that this access is required by egrep and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Povolení přístupu: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Další informace: Kontext zdroje system_u:system_r:initrc_t:s0 Kontext cíle system_u:object_r:slapd_db_t:s0 Objekty cíle None [ file ] Zdroj egrep Cesta zdroje /bin/egrep Port <Neznámé> Počítač (removed) RPM balíčky zdroje grep-2.6.3-1.el6 RPM balíčky cíle RPM politiky selinux-policy-3.7.19-1.el6 Selinux povolen True Typ politiky targeted Vynucovací režim Permissive Název zásuvného modulu catchall Název počítače (removed) Platforma Linux (removed) 2.6.32-21.el6.x86_64 #1 SMP Mon Apr 12 16:07:36 EDT 2010 x86_64 x86_64 Počet upozornění 2 Poprvé viděno So 24. duben 2010, 10:43:00 CEST Naposledy viděno So 24. duben 2010, 10:43:00 CEST Místní ID 582b0043-db6c-4cff-ae79-e56d89e5db60 Čísla řádků Původní zprávy auditu node=(removed) type=AVC msg=audit(1272098580.5:4): avc: denied { read } for pid=1498 comm="egrep" name="olcDatabase={0}config.ldif" dev=dm-1 ino=173056 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file node=(removed) type=AVC msg=audit(1272098580.5:4): avc: denied { open } for pid=1498 comm="egrep" name="olcDatabase={0}config.ldif" dev=dm-1 ino=173056 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:slapd_db_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1272098580.5:4): arch=c000003e syscall=2 success=yes exit=68719476864 a0=7fff09fa8edb a1=0 a2=618868 a3=0 items=0 ppid=1497 pid=1498 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="egrep" exe="/bin/egrep" subj=system_u:system_r:initrc_t:s0 key=(null) Hash String generated from catchall,egrep,initrc_t,slapd_db_t,file,read audit2allow suggests: #============= initrc_t ============== allow initrc_t slapd_db_t:file { read open };
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Matej, is this a default init script that is trying to read slapd_db_t?
Yes, it is. johanka:~$ rpm -Vf /etc/init.d/slapd S.?...GT. c /etc/openldap/slapd.conf .M....... /var/lib/ldap johanka:~$
Fixed in selinux-policy-3.7.19-6.fc13.noarch
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.