Bug 706260 - SELinux is preventing /usr/bin/ldapsearch from 'read' accesses on the lnk_file /usr/tmp.
Summary: SELinux is preventing /usr/bin/ldapsearch from 'read' accesses on the lnk_fil...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:dd44eb4c73b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-19 21:09 UTC by Chris Cowan
Modified: 2011-06-03 05:29 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-26.fc15
Clone Of:
Environment:
Last Closed: 2011-06-03 05:29:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Chris Cowan 2011-05-19 21:09:57 UTC
I'm using automounted home directories with autofs and NFS, and the /etc/auto.home file does an ldap search to find where to mount the user's home directory from. I'm using Fedora 15 Beta. This error seems to happen occasionally until I followed the steps to fix it:

SELinux is preventing /usr/bin/ldapsearch from 'read' accesses on the lnk_file /usr/tmp.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow ldapsearch to have read access on the tmp lnk_file
Then you need to change the label on /usr/tmp
Do
# semanage fcontext -a -t FILE_TYPE '/usr/tmp'
where FILE_TYPE is one of the following: locale_t, etc_t, proc_t, automount_t, sysfs_t, var_run_t, abrt_t, lib_t, root_t, proc_net_t, device_t, samba_var_t, ld_so_t, proc_t, textrel_shlib_t, etc_runtime_t, rpm_script_tmp_t, udev_var_run_t, var_run_t, bin_t, cert_t, autofs_t, device_t, devlog_t, var_run_t, var_run_t, var_run_t, cert_t. 
Then execute: 
restorecon -v '/usr/tmp'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that ldapsearch should be allowed read access on the tmp lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ldapsearch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:automount_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                /usr/tmp [ lnk_file ]
Source                        ldapsearch
Source Path                   /usr/bin/ldapsearch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           openldap-clients-2.4.24-2.fc15
Target RPM Packages           filesystem-2.4.40-1.fc15
Policy RPM                    selinux-policy-3.9.16-13.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux sjera.tcct.nmt.edu 2.6.38.2-9.fc15.x86_64 #1
                              SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   55
First Seen                    Wed 18 May 2011 05:16:42 PM MDT
Last Seen                     Thu 19 May 2011 01:41:25 PM MDT
Local ID                      e911d322-b470-4525-81e4-54fd24298d94

Raw Audit Messages
type=AVC msg=audit(1305834085.680:130): avc:  denied  { read } for  pid=4239 comm="ldapsearch" name="tmp" dev=dm-1 ino=132135 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1305834085.680:130): arch=x86_64 syscall=stat success=no exit=EACCES a0=3300a419a3 a1=7fff5baac780 a2=7fff5baac780 a3=0 items=0 ppid=4238 pid=4239 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ldapsearch exe=/usr/bin/ldapsearch subj=system_u:system_r:automount_t:s0 key=(null)

Hash: ldapsearch,automount_t,usr_t,lnk_file,read

audit2allow

#============= automount_t ==============
#!!!! This avc is allowed in the current policy

allow automount_t usr_t:lnk_file read;

audit2allow -R

#============= automount_t ==============
#!!!! This avc is allowed in the current policy

allow automount_t usr_t:lnk_file read;

Comment 1 Miroslav Grepl 2011-05-23 06:49:21 UTC
Fixed in selinux-policy-3.9.16-25.fc15.

Comment 2 Fedora Update System 2011-05-27 16:56:00 UTC
selinux-policy-3.9.16-26.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-26.fc15

Comment 3 Fedora Update System 2011-05-28 23:58:02 UTC
Package selinux-policy-3.9.16-26.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-26.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-26.fc15
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2011-06-03 05:29:14 UTC
selinux-policy-3.9.16-26.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.