Description of problem:

################################# /var/log/messages: #########################

setroubleshoot: SELinux is preventing /usr/sbin/ns-slapd (deleted) from search access on the directory /etc/selinux/targeted/contexts/files. For complete SELinux messages. run sealert -l 1b1cf2e8-7b76-4d67-bc1b-d3a30c2f0fba

############################## sealert ########################################

# sealert -l 1b1cf2e8-7b76-4d67-bc1b-d3a30c2f0fba

SELinux is preventing /usr/sbin/ns-slapd (deleted) from search access on the directory /etc/selinux/targeted/contexts/files.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ns-slapd (deleted) should be allowed search access on the files directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/ns-slapd (deleted) /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

############################## audit2allow ####################################

# cat /var/log/audit/audit.log | audit2allow

#============= dirsrv_t ==============
allow dirsrv_t default_context_t:dir search;
allow dirsrv_t file_context_t:dir search;
allow dirsrv_t file_context_t:file { read getattr open };

Version-Release number of selected component (if applicable):
ipa-server-2.0-0.2011011307gitd92f5bf.fc14.i686

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
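An added example, not part of this bug report and not code from selinux-policy or 389-ds: a shell function that does for a single process what the `cat /var/log/audit/audit.log | audit2allow` step in the description does for the whole log. Piping the entire log into audit2allow turns every denial on the host into an allow rule, so the generated module can silently grant far more than the ns-slapd access under investigation; filtering on the `comm=` field of the raw AVC records first, and printing the rules instead of installing them, keeps the module to what was actually seen and lets each rule be read before `semodule -i`. (As typed in the sealert suggestion, `grep /usr/sbin/ns-slapd (deleted) ...` does not even parse in a shell because of the unquoted parentheses.) The audit lines below are constructed for the example and the function name `avc_rules` is my own; the output format imitates audit2allow's `allow` lines.

```shell
#!/bin/sh
# Added example: turn the denied AVC records of one process into
# audit2allow-style allow rules for review. Not the project's code.

# Constructed sample of /var/log/audit/audit.log lines (not from a real host).
SAMPLE_AUDIT='type=AVC msg=audit(1295023011.447:2140): avc:  denied  { search } for  pid=2871 comm="ns-slapd" name="files" dev=dm-0 ino=131102 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1295023011.447:2140): arch=40000003 syscall=5 success=no exit=-13 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1295023011.448:2141): avc:  denied  { read open } for  pid=2871 comm="ns-slapd" name="file_contexts" dev=dm-0 ino=131107 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1295023011.449:2142): avc:  denied  { getattr } for  pid=2871 comm="ns-slapd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=131107 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1295023011.450:2143): avc:  denied  { search } for  pid=2871 comm="ns-slapd" name="contexts" dev=dm-0 ino=131099 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1295023052.901:2150): avc:  denied  { name_connect } for  pid=3020 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295023060.113:2155): avc:  granted  { setenforce } for  pid=3101 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# avc_rules COMM  (audit records on stdin)
# Prints one "allow <source_t> <target_t>:<class> <perms>;" line per
# (source type, target type, class) seen in *denied* AVC records whose
# comm= matches COMM. Permissions for the same key are merged, as
# audit2allow does. SYSCALL records and granted AVCs are ignored.
avc_rules() {
    awk -v want="$1" '
    /^type=AVC / && / denied / {
        comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }  # user:role:type:level -> type
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass")   { cls = kv[2] }
        }
        if (comm != want) next
        # The permission names sit between the braces: "{ read open }"
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        key = src " " tgt ":" cls
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++)
            if (index(" " have[key] " ", " " pa[j] " ") == 0)
                have[key] = have[key] " " pa[j]
    }
    END {
        for (key in have) {
            n = split(have[key], pa, " ")
            if (n == 1) printf "allow %s %s;\n", key, pa[1]
            else        printf "allow %s {%s };\n", key, have[key]
        }
    }' | LC_ALL=C sort
}

# Show only the dirsrv_t rules; the httpd denial and the granted record
# never reach the output, which is the point of filtering before audit2allow.
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules ns-slapd
```

On a real host the same function is run as `avc_rules ns-slapd < /var/log/audit/audit.log`; if the printed rules are all ones the process legitimately needs, they can then be fed to `audit2allow -M` (or, as this bug ends up doing, replaced by the proper policy interface in selinux-policy rather than a raw local module).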
Since this is being thrown by 389-ds I think that team will need to tackle this one.
What triggers this AVC, and can we see the raw AVC? This will need to be addressed in selinux-policy-targeted since the dirsrv policy lives there now. Moving the bug to be logged against the Fedora 14 product and the selinux-policy component.
Is dirsrv actually trying to do a relabel?
(In reply to comment #3)
> Is dirsrv actually trying to do a relabel?

None of the ns-slapd code itself attempts to do a relabel. Perhaps one of the libraries that we use (such as Kerberos) is trying to access these files?
Ah yes the kerberos libraries. Is dirsrv creating some kerberos content?
(In reply to comment #5)
> Ah yes the kerberos libraries. Is dirsrv creating some kerberos content?

Simo could probably answer this better, as IPA has some ns-slapd plug-ins related to Kerberos. I've cc'd him on this bug.
Is it just generating /var/tmp/host0 file?
(In reply to comment #5)
> Ah yes the kerberos libraries. Is dirsrv creating some kerberos content?

Not sure what you mean by 'content', but we do initialize a kerberos context (so we read the kerberos config files) in the password plugin. But I am not sure if this is any different than what gssapi libraries already do.
I am asking are there files like srvtab files or the /var/tmp/host file created by dirsrv. I can simply give the access requested by the kerberos library but I want to make sure we don't get further along and get more AVC's.
Miroslav, change the kerberos call in dirsrv_t to

optional_policy(`
	kerberos_use(dirsrv_t)
')
(In reply to comment #9)
> I am asking are there files like srvtab files or the /var/tmp/host file created
> by dirsrv. I can simply give the access requested by the kerberos library but
> I want to make sure we don't get further along and get more AVC's.

Not as part of my plugin, but when connecting to replicas using SASL/GSSAPI I guess a credential cache file is created, although I thought it was a memory keytab. The keytab file for DS is usually put in /etc/dirsrv/ds.keytab or similar, at least in an IPA install. I see host_0 and krbtgt_0 files in my system, although I am not sure what created them. They are owned by root so it is unlikely dirsrv created them, as dirsrv runs with an unprivileged user.
Ok if Miroslav makes the change above you should be all set.
Fixed in selinux-policy-3.9.7-22.fc14. Will be available today from koji.
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.