Summary: SELinux is preventing ldd "getattr" access on /etc/dirsrv.

Detailed Description:
SELinux denied access requested by ldd. It is not expected that this access is required by ldd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:
Source Context        unconfined_u:system_r:dirsrvadmin_t:s0
Target Context        system_u:object_r:dirsrv_config_t:s0
Target Objects        /etc/dirsrv [ dir ]
Source                start-ds-admin
Source Path           start-ds-admin
Port                  <Unknown>
Host                  (removed)
Source RPM Packages
Target RPM Packages   389-ds-base-1.2.6-1.fc12
Policy RPM            selinux-policy-3.6.32-121.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             (removed)
Platform              Linux (removed) 2.6.32.21-168.fc12.x86_64 #1 SMP Wed Sep 15 16:12:07 UTC 2010 x86_64 x86_64
Alert Count           2
First Seen            Fri 24 Sep 2010 04:32:39 PM EDT
Last Seen             Fri 24 Sep 2010 04:32:39 PM EDT
Local ID              7e8adf8a-7883-44d3-8893-4e936e908b96
Line Numbers

Raw Audit Messages:
node=(removed) type=AVC msg=audit(1285360359.125:16818): avc: denied { getattr } for pid=10148 comm="ldd" path="/etc/dirsrv" dev=dm-0 ino=135399 scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir

Hash String generated from catchall,start-ds-admin,dirsrvadmin_t,dirsrv_config_t,dir,getattr

audit2allow suggests:
#============= dirsrvadmin_t ==============
allow dirsrvadmin_t dirsrv_config_t:dir getattr;
When does this AVC occur? Is it at admin server startup time? How is the admin server being started?

In the dirsrv_manage_config macro, we have the following rules:

allow $1 dirsrv_config_t:dir manage_dir_perms;
allow $1 dirsrv_config_t:file manage_file_perms;

We call this macro for httpd_t and httpd_dirsrvadmin_script_t, but we do not call it for dirsrvadmin_t. We can call this macro for dirsrvadmin_t to fix this AVC, but I'm not sure that we need to add full manage permissions. The dirsrvadmin_t context is only used by the start and restart scripts prior to transitioning the process to httpd_t. It seems like only read/search/getattr permissions are going to be needed, but I would like to reproduce this AVC to test it out.
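The comment above reasons from the raw AVC message to the allow rule and then asks whether the requested access is read-only or needs the full manage permission set. The following shell script, added here as an example and not part of the bug report or the 389-ds policy, performs that triage on the AVC line quoted in the report: it extracts the source type, target type, object class and permissions the way audit2allow does, emits the equivalent allow rule, and checks whether every requested permission falls within a read-only set. The read-only set used (getattr search read open lock ioctl) is an assumption chosen for this example, not a definition taken from the policy.

```shell
#!/bin/sh
# Added example: derive an audit2allow-style allow rule from a raw AVC line
# and classify the requested permissions as read-only or not.

# Constructed sample input: the raw audit message quoted in the report.
SAMPLE_AVC='node=(removed) type=AVC msg=audit(1285360359.125:16818): avc: denied { getattr } for pid=10148 comm="ldd" path="/etc/dirsrv" dev=dm-0 ino=135399 scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the first KEY=value token, quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# avc_perms LINE -> space-separated permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow <source type> <target type>:<class> <perms>;"
# Multiple permissions are wrapped in braces, as audit2allow prints them.
avc_to_allow() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case "$perms" in
        *' '*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_is_read_only LINE -> exit status 0 when every requested permission is in
# the read-only set assumed here, 1 otherwise (a write-class request should be
# reviewed rather than granted through a blanket manage macro).
avc_is_read_only() {
    for p in $(avc_perms "$1"); do
        case " getattr search read open lock ioctl " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage on the constructed sample.
avc_to_allow "$SAMPLE_AVC"
if avc_is_read_only "$SAMPLE_AVC"; then
    echo "read-only access requested"
else
    echo "write-class access requested; review before allowing"
fi
```

For the AVC in this report the script prints the same rule audit2allow suggested and classifies the request as read-only, which matches the observation that dirsrvadmin_t only needs read/search/getattr on dirsrv_config_t rather than the manage permissions the dirsrv_manage_config macro grants.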
I believe it was during a restart of the dirsrv-admin process: service dirsrv-admin restart
(In reply to comment #2)
> I believe it was during a restart of the dirsrv-admin process.
> service dirsrv-admin restart

Does this occur every time you restart dirsrv-admin?
Just restarted dirsrv-admin and no error appeared. This test system is under heavy (ab)use right now getting dogtag up and running. It was rebooted yesterday after a remove and reinstall of all of the dogtag rpms. It's possible that the post-install script had failed earlier and ran correctly.
Reinstalled Fedora 12 using the updates repo during the install, and none of the AVC bugs reappeared. There may have been a policy update I was missing.
Thanks for the update. I'm going to close this and we'll chalk it up to a missing update, but please reopen this bug if you see the issue again.