670957 – The krb5kdc is prevented access to the 389-ds ldapi socket

Bug 670957 - The krb5kdc is prevented access to the 389-ds ldapi socket

Summary: The krb5kdc is prevented access to the 389-ds ldapi socket

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-01-19 18:54 UTC by Simo Sorce
Modified:	2011-01-20 10:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-01-19 20:19:18 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Simo Sorce 2011-01-19 18:54:57 UTC

The current selinux policy prevents krb5kdc_t access to disrv_var_run_t to write to sock_file.

Dan suggested adding the following to the policy:

optional_policy(`
 ldap_stream_connect(krb5kdc_t)
')
optional_policy(`
 dirsrv_stream_connect(krb5kdc_t)
')


I locally fixed it by creating a local policy with the following 2 allows:
allow krb5kdc_t dirsrv_var_run_t:sock_file write;
allow krb5kdc_t dirsrv_t:unix_stream_socket connectto;

HTH

Comment 1 Daniel Walsh 2011-01-19 20:19:18 UTC

Fixed in selinux-policy-3.9.13-4.fc15

Comment 2 Dmitri Pal 2011-01-19 20:26:46 UTC

Is it going to be fixed in F14? It is still our testing platform for another three weeks.

Comment 3 Daniel Walsh 2011-01-19 20:39:44 UTC

I have asked miroslav to back port changes to F13/14/RHEL6

Comment 4 Miroslav Grepl 2011-01-20 10:31:59 UTC

Fixed in F13/14/RHEL6.

Note You need to log in before you can comment on or make changes to this bug.