Bug 727039 - AVCs when trying to create new 389-ds instance through 389-console
Summary: AVCs when trying to create new 389-ds instance through 389-console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Importance: urgent high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 715038
Blocks:
Reported: 2011-08-01 06:43 UTC by RHEL Program Management
Modified: 2011-08-22 12:45 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.7.19-93.el6_1.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-22 12:45:46 UTC
Target Upstream Version:


Attachments
audit log (54.71 KB, application/octet-stream), 2011-08-05 16:28 UTC, Nathan Kinder
audit2allow messages (12.75 KB, text/plain), 2011-08-05 16:29 UTC, Nathan Kinder


Links
Red Hat Product Errata RHBA-2011:1193 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2011-08-22 12:45:35 UTC

Description RHEL Program Management 2011-08-01 06:43:15 UTC
This bug has been copied from bug #715038 and has been proposed
to be backported to 6.1 z-stream (EUS).

Comment 4 Miroslav Grepl 2011-08-02 12:23:41 UTC
Fixed in selinux-policy-3.7.19-93.el6_1.4.

Comment 6 Karel Srot 2011-08-05 10:58:25 UTC
May I kindly ask to retest this bug on RHEL6.1 with selinux-policy-3.7.19-93.el6_1.4? Thank you in advance.

Comment 7 Nathan Kinder 2011-08-05 15:44:31 UTC
This is failing still on RHEL 6.1 i386 with selinux-policy-3.7.19-93.el6_1.4.

The problem is that the DS CGI scripts are not labelled right.  Everything in /usr/lib/dirsrv/cgi-bin is labelled as lib_t, which is incorrect.  Using semanage, I can see that the policy is referring to the 64-bit libdir, even on a 32-bit system:

-------------------------------------------------------------------
/usr/lib64/dirsrv/cgi-bin(/.*)?                    all files          system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 
/usr/lib64/dirsrv/cgi-bin/ds_create                regular file       system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 
/usr/lib64/dirsrv/cgi-bin/ds_remove                regular file       system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 
/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)?               all files          system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
-------------------------------------------------------------------

These rules need to use "/usr/lib/dirsrv" on an i386 system, and "/usr/lib64/dirsrv" on an x86_64 system.
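
A check for the labelling problem described in this comment, added here as an example that is not from the bug report or from the selinux-policy package: it parses the semanage listing above, rewrites the lib64-only patterns into the arch-neutral /usr/lib(64)?/ form (assumed here to be the shape of the fix), and reports files whose observed label differs from what the policy expects. The ls -Z style records are constructed, and the most-specific-match rule is a simplification of libselinux's ordering.

```python
import re
# Constructed from the semanage fcontext listing in comment 7 (lib64-only patterns).
SEMANAGE_LISTING = """\
/usr/lib64/dirsrv/cgi-bin(/.*)?        all files      system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
/usr/lib64/dirsrv/cgi-bin/ds_create    regular file   system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0
/usr/lib64/dirsrv/cgi-bin/ds_remove    regular file   system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0
/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)?   all files      system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
"""
# Constructed `ls -Z`-style records for an i386 box, where comment 7 saw everything as lib_t.
OBSERVED = """\
system_u:object_r:lib_t:s0 /usr/lib/dirsrv/cgi-bin/ds_create
system_u:object_r:lib_t:s0 /usr/lib/dirsrv/cgi-bin/ds_remove
system_u:object_r:lib_t:s0 /usr/lib/dirsrv/cgi-bin/config
"""
META = re.compile(r"[\\()\[\]*?+.|^$]")  # regex metacharacters, stripped to measure specificity

def parse_fcontext(listing):
    """Return [(path_regex, type)] from `semanage fcontext -l` style lines."""
    rows = [line.split() for line in listing.splitlines() if line.strip()]
    return [(r[0], r[-1].split(":")[2]) for r in rows]  # keep only the type field

def arch_neutral(regex):
    """Assumed shape of the fix: let a lib64-only pattern also match the 32-bit libdir."""
    return regex.replace("/usr/lib64/", "/usr/lib(64)?/", 1)

def expected_type(path, entries):
    """Type the policy assigns to path: most literal text wins (simplified libselinux
    specificity ordering), later entries break ties; None if no entry matches."""
    best = None
    for regex, stype in entries:
        if re.fullmatch(regex, path):
            score = len(META.sub("", regex))
            if best is None or score >= best[0]:
                best = (score, stype)
    return best[1] if best else None

def find_mislabeled(observed, entries):
    """Return (path, observed_type, expected_type) for every record whose type is wrong."""
    bad = []
    for line in observed.splitlines():
        context, path = line.split(None, 1)
        seen, want = context.split(":")[2], expected_type(path, entries)
        if want is not None and want != seen:
            bad.append((path, seen, want))
    return bad

if __name__ == "__main__":
    fixed = [(arch_neutral(r), t) for r, t in parse_fcontext(SEMANAGE_LISTING)]
    for path, seen, want in find_mislabeled(OBSERVED, fixed):
        print(f"{path}: labelled {seen}, policy expects {want}")
```

With the original lib64-only entries the same records produce no findings at all, because nothing in the policy matches /usr/lib paths; that silence is exactly the symptom on i386.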

Comment 8 Nathan Kinder 2011-08-05 16:28:06 UTC
I also tested selinux-policy-3.7.19-93.el6_1.4 on a RHEL 6.1 x86_64 system, but encountered a number of AVC messages there as well when creating a new DS instance via redhat-idm-console.  I will attach the audit log and audit2allow messages from that system.

Comment 9 Nathan Kinder 2011-08-05 16:28:46 UTC
Created attachment 516920 [details]
audit log

Comment 10 Nathan Kinder 2011-08-05 16:29:19 UTC
Created attachment 516921 [details]
audit2allow messages

Comment 11 Miroslav Grepl 2011-08-08 06:50:20 UTC
I am fixing labels and adding missing rules

dirsrvadmin_domtrans_unconfined_script_t(httpd_t)

which causes these AVC msgs.

Comment 12 Miroslav Grepl 2011-08-08 12:36:08 UTC
Fixed in selinux-policy-3.7.19-93.el6_1.5

Comment 13 Nathan Kinder 2011-08-08 16:40:22 UTC
(In reply to comment #12)
> Fixed in selinux-policy-3.7.19-93.el6_1.5

This new package passes my instance creation tests on both i386 and x86_64 architectures.

Comment 14 Karel Srot 2011-08-11 09:49:20 UTC
Tested with selinux-policy-3.7.19-93.el6_1.7 on i386 platform.

I have successfully performed the following actions:
- service dirsrv-admin restart
- service dirsrv restart

Using redhat-idm-console:
- create directory server instance
- stop/start/restart directory server instance
- remove directory server instance

No AVC nor crashes/freeze.

Anyway I would like to retest it with the new 389 build on x86_64 before switching this bug to VERIFIED.

Comment 16 errata-xmlrpc 2011-08-22 12:45:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1193.html

