Bug 637287 - SELinux is preventing ldd "getattr" access on /etc/dirsrv.
SELinux is preventing ldd "getattr" access on /etc/dirsrv.
Product: Fedora
Classification: Fedora
Component: 389-ds (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Rich Megginson
Fedora Extras Quality Assurance
: screened
Depends On:
  Show dependency treegraph
Reported: 2010-09-24 15:34 EDT by Jim Kinney
Modified: 2011-04-25 19:27 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-09-30 10:56:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jim Kinney 2010-09-24 15:34:35 EDT

SELinux is preventing ldd "getattr" access on /etc/dirsrv.

Detailed Description:

SELinux denied access requested by ldd. It is not expected that this access is
required by ldd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                unconfined_u:system_r:dirsrvadmin_t:s0
Target Context                system_u:object_r:dirsrv_config_t:s0
Target Objects                /etc/dirsrv [ dir ]
Source                        start-ds-admin
Source Path                   start-ds-admin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           389-ds-base-1.2.6-1.fc12
Policy RPM                    selinux-policy-3.6.32-121.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                     #1 SMP Wed Sep 15
                              16:12:07 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 24 Sep 2010 04:32:39 PM EDT
Last Seen                     Fri 24 Sep 2010 04:32:39 PM EDT
Local ID                      7e8adf8a-7883-44d3-8893-4e936e908b96
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1285360359.125:16818): avc:  denied  { getattr } for  pid=10148 comm="ldd" path="/etc/dirsrv" dev=dm-0 ino=135399 scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir

Hash String generated from  catchall,start-ds-admin,dirsrvadmin_t,dirsrv_config_t,dir,getattr
audit2allow suggests:

#============= dirsrvadmin_t ==============
allow dirsrvadmin_t dirsrv_config_t:dir getattr;
Comment 1 Nathan Kinder 2010-09-27 12:59:39 EDT
When does this AVC occur?  Is it at admin server startup time?  How is the admin server being started?

In the dirsrv_manage_config macro, we have the following rules:

    allow $1 dirsrv_config_t:dir manage_dir_perms;
    allow $1 dirsrv_config_t:file manage_file_perms;

We call this macro for httpd_t and httpd_dirsrvadmin_script_t, but we do not call it for dirsrvadmin_t.  We can call this macro for dirsrvadmin_t to fix this AVC, but I'm not sure that we need to add full manage permissions.  The dirsrvadmin_t context is only used by the start and restart scripts prior to transitioning the process to httpd_t.  It seems like only read/search/getattr permissions are going to be needed, but I would like to reproduce this AVC to test it out.
Comment 2 Jim Kinney 2010-09-27 13:50:52 EDT
I belive it was during a restart of the dirsrv-admin process. 
service dirsrv-admin restart
Comment 3 Nathan Kinder 2010-09-27 18:00:08 EDT
(In reply to comment #2)
> I belive it was during a restart of the dirsrv-admin process. 
> service dirsrv-admin restart

Does this occur every time you restart dirsrv-admin?
Comment 4 Jim Kinney 2010-09-28 13:11:46 EDT
Just restarted dirsrv-adm and no error appeared. This test system is under heavy (ab)use right now getting dogtag up and running. It was reboot yesterday after a remove and reinstall of all of the dogtag rpms's. It's possible that the post-install script had failed earlier and ran correctly.
Comment 5 Jim Kinney 2010-09-28 16:54:30 EDT
reinstalled Fedora 12 using the updates repo during the install and none of the AVC bugs reappeared. There may have been a policy update I was missing.
Comment 6 Nathan Kinder 2010-09-30 10:56:15 EDT
Thanks for the update.  I'm going to close this and we'll chalk it up to a missing update, but please reopen this bug if you see the issue again.

Note You need to log in before you can comment on or make changes to this bug.