Bug 677030 - SELinux is preventing /usr/bin/perl from search|write|connectto access on the directory /var/run/nslcd
Summary: SELinux is preventing /usr/bin/perl from search|write|connectto access on the...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 14
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-02-12 17:18 UTC by Anthony Messina
Modified: 2011-02-24 20:53 UTC (History)

Fixed In Version: selinux-policy-3.9.7-31.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-24 20:53:54 UTC
Type: ---



Description Anthony Messina 2011-02-12 17:18:52 UTC
I use nslcd and amavisd-new and receive the following AVCs with selinux-policy-targeted-3.9.7-29.fc14.noarch


type=AVC msg=audit(1297510913.231:36992): avc:  denied  { search } for  pid=20575 comm="amavisd" name="nslcd" dev=sdd3 ino=3808861 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir


type=AVC msg=audit(1297510913.231:36992): avc:  denied  { write } for  pid=20575 comm="amavisd" name="socket" dev=sdd3 ino=3808863 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=sock_file


type=AVC msg=audit(1297510913.231:36992): avc:  denied  { connectto } for  pid=20575 comm="amavisd" path="/var/run/nslcd/socket" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1297510913.231:36992): arch=x86_64 syscall=connect success=yes exit=0 a0=6 a1=7fffd6c84130 a2=6e a3=7fffd6c83e70 items=0 ppid=20568 pid=20575 auid=0 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=6029 comm=amavisd exe=/usr/bin/perl subj=system_u:system_r:amavis_t:s0 key=(null)

Hash: amavisd,amavis_t,nslcd_var_run_t,dir,search

audit2allow

#============= amavis_t ==============
allow amavis_t nslcd_t:unix_stream_socket connectto;
allow amavis_t nslcd_var_run_t:dir search;
allow amavis_t nslcd_var_run_t:sock_file write;

audit2allow -R

#============= amavis_t ==============
allow amavis_t nslcd_t:unix_stream_socket connectto;
allow amavis_t nslcd_var_run_t:dir search;
allow amavis_t nslcd_var_run_t:sock_file write;
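The audit2allow output above is a straight aggregation of the three AVC records: one allow rule per (source type, target type, object class), with the denied permissions collected into the rule. The script below is an added example, not part of this bug report or of the selinux-policy package; it reimplements that aggregation over the reporter's own AVC lines (embedded as constructed sample input) so the derivation from raw audit.log records to the raw rules can be checked offline. The SYSCALL record is included in the sample to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description,
# one audit.log record per line, followed by the paired SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1297510913.231:36992): avc:  denied  { search } for  pid=20575 comm="amavisd" name="nslcd" dev=sdd3 ino=3808861 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1297510913.231:36992): avc:  denied  { write } for  pid=20575 comm="amavisd" name="socket" dev=sdd3 ino=3808863 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1297510913.231:36992): avc:  denied  { connectto } for  pid=20575 comm="amavisd" path="/var/run/nslcd/socket" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:system_r:nslcd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1297510913.231:36992): arch=x86_64 syscall=connect success=yes exit=0 a0=6 a1=7fffd6c84130 a2=6e a3=7fffd6c83e70 items=0 ppid=20568 pid=20575 auid=0 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=6029 comm=amavisd exe=/usr/bin/perl subj=system_u:system_r:amavis_t:s0 key=(null)
"""

# Matches only type=AVC records; the permission set inside { } may hold
# several space-separated permissions in a single record.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) for each denied AVC."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("action") != "denied":
            continue  # SYSCALL/PATH records and granted AVCs are not policy gaps
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def denials_to_rules(log_text):
    """Aggregate denials into audit2allow-style allow rules, keyed by source domain."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(log_text):
        perms[(src, tgt, cls)].add(perm)
    rules = defaultdict(list)
    for (src, tgt, cls), ps in sorted(perms.items()):
        perm_text = " ".join(sorted(ps))
        if len(ps) > 1:
            perm_text = "{ " + perm_text + " }"
        rules[src].append(f"allow {src} {tgt}:{cls} {perm_text};")
    return dict(rules)


def render_module_body(rules):
    """Print the per-domain sections the way audit2allow does."""
    out = []
    for domain, domain_rules in rules.items():
        out.append(f"#============= {domain} ==============")
        out.extend(domain_rules)
    return "\n".join(out)


if __name__ == "__main__":
    print(render_module_body(denials_to_rules(SAMPLE_AUDIT_LOG)))
```

Two practitioner notes. First, the raw rules are what audit2allow (and audit2allow -R here, which found no matching interface) produce; Daniel Walsh's fix in comment 3 expresses the same access through the nslcd_stream_connect() interface, which is what belongs in the shipped policy. Second, the paired SYSCALL record says success=yes exit=0: a logged denial whose syscall still succeeded means the domain (or the whole system) was in permissive mode at the time, so amavisd kept working while the AVCs were recorded; in enforcing mode the same denials would make the nslcd lookup fail.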

Comment 1 Miroslav Grepl 2011-02-14 12:21:17 UTC
Ok. Does it happen by default?

Comment 2 Anthony Messina 2011-02-14 22:14:19 UTC
This happens after a fresh relabel/reboot as well as when the amavisd-new is restarted.  The above audit2allow rules are what were suggested in the setroubleshoot email.  I have not applied these rules.  I am not sure what else you might mean by "by default."

Comment 3 Daniel Walsh 2011-02-16 20:43:48 UTC
Add 

optional_policy(`
	nslcd_stream_connect(amavis_t)
')

Comment 4 Miroslav Grepl 2011-02-17 08:54:45 UTC
Fixed in selinux-policy-3.9.7-31.fc14

Comment 5 Fedora Update System 2011-02-21 20:28:17 UTC
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 6 Fedora Update System 2011-02-22 04:53:51 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 7 Fedora Update System 2011-02-24 20:53:15 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

