Bug 649432 - SELinux prevents node_bind for ns-slapd
Summary: SELinux prevents node_bind for ns-slapd
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 639035 658593 658596 658599
 
Reported: 2010-11-03 18:03 UTC by Nalin Dahyabhai
Modified: 2010-11-30 21:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 658593 658596 658599 (view as bug list)
Environment:
Last Closed: 2010-11-30 21:55:23 UTC
Type: ---
Embargoed:



Description Nalin Dahyabhai 2010-11-03 18:03:34 UTC
Description of problem:
When attempting to run the slapi-nis NIS server plugin, I'm running into some AVC denials.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.6.1-2.fc14
selinux-policy-targeted-3.9.7-7.fc14

How reproducible:
Always

Steps to Reproduce:
1. Install freeipa v2 development build.
2. Enable the NIS server using ipa-nis-manage
3. Try to restart the dirsrv service
  
Actual results:
Server fails to start.  Error log includes:
[03/Nov/2010:13:57:32 -0400] nis-plugin - error connecting rpcbind client socket to the service
[03/Nov/2010:13:57:32 -0400] nis-plugin - error creating portmap/rpcbind client socket
[03/Nov/2010:13:57:32 -0400] - Init function "nis_plugin_init" for "NIS Server" plugin in library "/usr/lib64/dirsrv/plugins/nisserver-plugin.so" failed
[03/Nov/2010:13:57:32 -0400] - Unable to load plugin "cn=NIS Server,cn=plugins,cn=config"

Audit log includes:
type=AVC msg=audit(1288806941.323:42217): avc:  denied  { connectto } for  pid=3238 comm="ns-slapd" path="/var/run/rpcbind.sock" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288806941.323:42217): avc:  denied  { write } for  pid=3238 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.024:42237): avc:  denied  { write } for  pid=3773 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.655:42749): avc:  denied  { node_bind } for  pid=3773 comm="ns-slapd" src=700 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1288806941.904:42221): avc:  denied  { write } for  pid=3241 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket

Expected results:
successful start

Additional info:
These seem to be the accesses that need to be allowed:
  allow dirsrv_t node_t:udp_socket node_bind;
  allow dirsrv_t rpcbind_t:unix_stream_socket connectto;
  allow dirsrv_t rpcbind_var_run_t:sock_file write;
  allow dirsrv_t self:unix_dgram_socket { write create connect };

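The allow rules in the "Additional info" section are what audit2allow would derive from the AVC records above: each denial's source type, target type, object class and permission set becomes one rule, with records that share (source, target, class) merged. The script below is an added example, not part of this bug report or of the selinux-policy project; it parses the five AVC lines quoted in the description (embedded here as constructed sample input) and prints the derived rules. Note that for the unix_dgram_socket denial the log only shows "write", so the derived rule carries only that permission; the "create" and "connect" permissions in the reporter's list are not justified by the quoted records alone.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC records quoted in the bug description.
AUDIT_LINES = """\
type=AVC msg=audit(1288806941.323:42217): avc:  denied  { connectto } for  pid=3238 comm="ns-slapd" path="/var/run/rpcbind.sock" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:system_r:rpcbind_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1288806941.323:42217): avc:  denied  { write } for  pid=3238 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.024:42237): avc:  denied  { write } for  pid=3773 comm="ns-slapd" name="rpcbind.sock" dev=dm-0 ino=129644 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:rpcbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1288807052.655:42749): avc:  denied  { node_bind } for  pid=3773 comm="ns-slapd" src=700 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1288806941.904:42221): avc:  denied  { write } for  pid=3241 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=unix_dgram_socket
"""

# The permission list sits in braces; scontext/tcontext/tclass follow later on the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """An SELinux context is user:role:type[:level]; the type is the third field."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the fields an allow rule needs, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': m.group('perms').split(),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def derive_allow_rules(lines):
    """Collapse denials into (source, target, class) -> ordered permission list."""
    rules = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        # A target type equal to the source type is written as 'self' in policy.
        target = 'self' if d['target'] == d['source'] else d['target']
        key = (d['source'], target, d['tclass'])
        perms = rules.setdefault(key, [])
        for p in d['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def format_rule(key, perms):
    """Render one rule in the same shape as the list in the bug description."""
    source, target, tclass = key
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source} {target}:{tclass} {perm_str};'


def allow_rules_from_text(text):
    return [format_rule(k, v) for k, v in derive_allow_rules(text.splitlines()).items()]


if __name__ == '__main__':
    for rule in allow_rules_from_text(AUDIT_LINES):
        print(rule)
```

The two sock_file "write" denials collapse into a single rule, so four rules come out for the five records. In practice the rules go into a small .te module compiled with checkmodule/semodule_package, or the real audit2allow is run against /var/log/audit/audit.log; the value of parsing the records by hand is seeing exactly which denial produced which rule before granting it.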
Comment 3 Nathan Kinder 2010-11-30 18:58:05 UTC
Now that the dirsrv policy has been moved into the selinux-policy package, the product and component of this bug needs to be changed.  Moving this bug to the appropriate queue.

Comment 4 Daniel Walsh 2010-11-30 21:55:23 UTC
Fixed in selinux-policy-3.9.10-3.fc15.noarch

