RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 727039 - AVCs when trying to create new 389-ds instance through 389-console
Summary: AVCs when trying to create new 389-ds instance through 389-console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 715038
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-01 06:43 UTC by RHEL Program Management
Modified: 2011-08-22 12:45 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.7.19-93.el6_1.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-22 12:45:46 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
audit log (54.71 KB, application/octet-stream)
2011-08-05 16:28 UTC, Nathan Kinder 		no flags Details
audit2allow messages (12.75 KB, text/plain)
2011-08-05 16:29 UTC, Nathan Kinder 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1193 0 normal SHIPPED_LIVE selinux-policy bug fix update 2011-08-22 12:45:35 UTC

Description RHEL Program Management 2011-08-01 06:43:15 UTC 
This bug has been copied from bug #715038 and has been proposed
to be backported to 6.1 z-stream (EUS).
Comment 4 Miroslav Grepl 2011-08-02 12:23:41 UTC 
Fixed in selinux-policy-3.7.19-93.el6_1.4.
Comment 6 Karel Srot 2011-08-05 10:58:25 UTC 
May I kindly ask to retest this bug on RHEL6.1 with selinux-policy-3.7.19-93.el6_1.4? Thank you in advance.
Comment 7 Nathan Kinder 2011-08-05 15:44:31 UTC 
This is failing still on RHEL 6.1 i386 with selinux-policy-3.7.19-93.el6_1.4.

The problem is that the DS CGI scripts are not labelled right.  Everything in /usr/lib/dirsrv/cgi-bin is labelled as lib_t, which is incorrect.  Using semanage, I can see that the policy is referring to the 64-bit libdir, even on a 32-bit system:

-------------------------------------------------------------------
/usr/lib64/dirsrv/cgi-bin(/.*)?                    all files          system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 
/usr/lib64/dirsrv/cgi-bin/ds_create                regular file       system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 
/usr/lib64/dirsrv/cgi-bin/ds_remove                regular file       system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 
/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)?               all files          system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
-------------------------------------------------------------------

These rules need to use "/usr/lib/dirsrv" on an i386 system, and "/usr/lib64/dirsrv" on an x86_64 system.
Comment 8 Nathan Kinder 2011-08-05 16:28:06 UTC 
I also tested selinux-policy-3.7.19-93.el6_1.4 on a RHEL 6.1 x86_64 system, but encountered a number of AVC messages there as well when creating a new DS instance via redhat-idm-console.  I will attach the audit log and audit2allow messages from that system.
Comment 9 Nathan Kinder 2011-08-05 16:28:46 UTC 
Created attachment 516920 [details]
audit log
Comment 10 Nathan Kinder 2011-08-05 16:29:19 UTC 
Created attachment 516921 [details]
audit2allow messages
Comment 11 Miroslav Grepl 2011-08-08 06:50:20 UTC 
I am fixing labels and adding missing rules

dirsrvadmin_domtrans_unconfined_script_t(httpd_t)

which causes these AVC msgs.
Comment 12 Miroslav Grepl 2011-08-08 12:36:08 UTC 
Fixed in selinux-policy-3.7.19-93.el6_1.5
Comment 13 Nathan Kinder 2011-08-08 16:40:22 UTC 
(In reply to comment #12)
> Fixed in selinux-policy-3.7.19-93.el6_1.5

This new package passes my instance creation tests on both i386 and x86_64 architectures.
Comment 14 Karel Srot 2011-08-11 09:49:20 UTC 
Tested with selinux-policy-3.7.19-93.el6_1.7 on i386 platform.

I have successfuly performed following actions:
-service dirsrv-admin restart
-service dirsrv restart

Using redhat-idm-console"
- create directory server instance
- stop/start/restart directory server instance
- remove directory server instance

No AVC nor crashes/freeze.

Anyway I would like to restest it with the new 389 build on x86_64 before switching this bug to VERIFIED.
Comment 16 errata-xmlrpc 2011-08-22 12:45:46 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1193.html
Note You need to log in before you can comment on or make changes to this bug.