Bug 735509 - Need systemd policy for 389-ds-base and 389-admin
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-02 20:47 UTC by Rich Megginson
Modified: 2011-11-29 22:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-29 22:03:53 UTC
Type: ---
Embargoed:



Description Rich Megginson 2011-09-02 20:47:35 UTC
Using systemctl to start a 389-ds-base instance on F16 gives this message:

Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400 audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd" name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Using systemctl to start 389-admin on F16 gives these messages:

Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400 audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
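
The two AVC records above carry everything needed to reason about the denials: source type (`dirsrv_t`, `httpd_t`), target type (`sysfs_t`, `ldap_port_t`), object class and the denied permission. The following parser, added here as an illustration and not part of the bug report or of 389-ds-base/selinux-policy, extracts those fields from the quoted lines (embedded as constructed sample input) and drafts the audit2allow-style rule and `.te` module that would silence each denial. The `KNOWN_BOOLEANS` table is an illustrative assumption listing only the stock `httpd_can_connect_ldap` boolean; whether flipping it is the right fix for the 389-admin case is not something the report establishes.

```python
"""Parse SELinux AVC denials and draft the .te rules audit2allow would emit.

Constructed example; the sample lines are the two denials quoted in the bug.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the kernel audit lines from the bug description.
AVC_LINES = [
    'Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400 '
    'audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 '
    'comm="ns-slapd" name="online" dev=sysfs ino=34 '
    'scontext=system_u:system_r:dirsrv_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400 '
    'audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393 '
    'comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: illustrative table of stock policy booleans that already cover a
# denial. Flipping a boolean is preferable to shipping a custom allow rule.
KNOWN_BOOLEANS = {
    ('httpd_t', 'ldap_port_t', 'tcp_socket', 'name_connect'):
        'httpd_can_connect_ldap',
}


@dataclass
class AvcDenial:
    perms: tuple          # denied permissions, e.g. ('read',)
    fields: dict          # remaining key=value pairs (comm, scontext, ...)

    @property
    def stype(self) -> str:
        # user:role:type:level -> type is the third component
        return self.fields['scontext'].split(':')[2]

    @property
    def ttype(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self) -> str:
        return self.fields['tclass']

    def allow_rule(self) -> str:
        """Type-enforcement rule in the form audit2allow prints."""
        perms = (self.perms[0] if len(self.perms) == 1
                 else '{ ' + ' '.join(self.perms) + ' }')
        return f'allow {self.stype} {self.ttype}:{self.tclass} {perms};'

    def boolean_hint(self):
        """Name of a known boolean covering this denial, or None."""
        for (s, t, c, p), boolean in KNOWN_BOOLEANS.items():
            if (s, t, c) == (self.stype, self.ttype, self.tclass) and p in self.perms:
                return boolean
        return None


def parse_avc(line: str):
    """Return an AvcDenial for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return AvcDenial(tuple(m.group('perms').split()), fields)


def parse_all(lines):
    return [d for d in map(parse_avc, lines) if d is not None]


def te_module(denials, name='local_dirsrv', version='1.0') -> str:
    """Draft a loadable-module .te file (require block plus allow rules)."""
    types = sorted({d.stype for d in denials} | {d.ttype for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};'
            for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [d.allow_rule() for d in denials]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    denials = parse_all(AVC_LINES)
    for d in denials:
        hint = d.boolean_hint()
        print(d.allow_rule(), f'  # or: setsebool -P {hint} on' if hint else '')
    print(te_module(denials))
```

Running the script prints `allow dirsrv_t sysfs_t:file read;` and `allow httpd_t ldap_port_t:tcp_socket name_connect;`, the latter annotated with the boolean hint. The generated `.te` can be built and loaded with the usual `checkmodule -M -m -o local_dirsrv.mod local_dirsrv.te`, `semodule_package -o local_dirsrv.pp -m local_dirsrv.mod` and `semodule -i local_dirsrv.pp`; that is a stopgap for a local box, while the maintainer fix is to put the access in the shipped dirsrv/dirsrv-admin policy, which is what this report asks for.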

Comment 1 Miroslav Grepl 2011-09-05 05:51:38 UTC
(In reply to comment #0)
> Using systemctl to start a 389-ds-base instance on F16 gives this message:
> 
> Sep  2 14:30:04 f16x8664 kernel: [ 3669.247238] type=1400
> audit(1314995404.405:96): avc:  denied  { read } for  pid=3939 comm="ns-slapd"
> name="online" dev=sysfs ino=34 scontext=system_u:system_r:dirsrv_t:s0
> tcontext=system_u:object_r:sysfs_t:s0 tclass=file
> 
Fixing.

> Using systemctl to start 389-admin on F16 gives these messages:
> 
> Sep  2 14:25:06 f16x8664 kernel: [ 3370.879324] type=1400
> audit(1314995106.037:92): avc:  denied  { name_connect } for  pid=3393
> comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

How are the CGI scripts in the /usr/lib(64)?/dirsrv/cgi-bin directory labelled?

# ls -lZ /usr/lib64/dirsrv/cgi-bin

Comment 2 Rich Megginson 2011-09-06 15:55:35 UTC
The directory is labeled
system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0

the files are labeled the same

Comment 3 Rich Megginson 2011-09-08 13:12:32 UTC
Was there more info you needed?

Comment 4 Daniel Walsh 2011-11-23 14:45:08 UTC
Is this issue still open?

Comment 5 Rich Megginson 2011-11-28 15:18:45 UTC
(In reply to comment #4)
> Is this issue still open?

Yes.  Do you need any more info?

Comment 6 Miroslav Grepl 2011-11-29 08:41:01 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Is this issue still open?
> 
> Yes.  Do you need any more info?

So are you still getting both AVC msgs?

Comment 7 Rich Megginson 2011-11-29 22:03:53 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > Is this issue still open?
> > 
> > Yes.  Do you need any more info?
> 
> So are you still getting both AVC msgs?

Nope.  Was this fixed in policy?  If so, what version?
