Bug 740925 - ns-slapd dirsrv_t netlink_route_socket denials
Summary: ns-slapd dirsrv_t netlink_route_socket denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: 6.2
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 840956
TreeView+ depends on / blocked
 
Reported: 2011-09-23 19:43 UTC by Orion Poplawski
Modified: 2012-07-17 17:04 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-118.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 840956 (view as bug list)
Environment:
Last Closed: 2011-12-06 10:19:26 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Orion Poplawski 2011-09-23 19:43:41 UTC
Description of problem:

On directory server startup I'm seeing (in permissive mode):

type=AVC msg=audit(1316806800.921:105382): avc:  denied  { create } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105383): avc:  denied  { bind } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105384): avc:  denied  { getattr } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { write } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc:  denied  { nlmsg_read } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105386): avc:  denied  { read } for  pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket

Did not appear to affect my operation so far.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.9.9-1.el5
selinux-policy-2.4.6-316.el5

Comment 1 Karel Srot 2011-10-06 13:58:55 UTC
> Did not appear to affect my operation so far.

Hi, 
do you say it did not appear to affect your operation when in enforcing, right?
Thank you.

Comment 2 Daniel Walsh 2011-10-06 14:30:17 UTC
These avc's are often related to using getpw calls, and usually end up needing
auth_use_nsswitch()

Comment 3 Orion Poplawski 2011-10-06 14:48:51 UTC
(In reply to comment #1)
> > Did not appear to affect my operation so far.
> 
> Hi, 
> do you say it did not appear to affect your operation when in enforcing, right?
> Thank you.

Correct, everything is apparently fine even in enforcing.

Comment 4 Rich Megginson 2011-10-07 17:13:12 UTC
(In reply to comment #2)
> These avc's are often related to using getpw calls, and usually end up needing
> auth_use_nsswitch()

So is there something that needs to be fixed in package 389-ds-base?

Comment 5 Nathan Kinder 2011-10-07 17:22:57 UTC
(In reply to comment #4)
> (In reply to comment #2)
> > These avc's are often related to using getpw calls, and usually end up needing
> > auth_use_nsswitch()
> 
> So is there something that needs to be fixed in package 389-ds-base?

It sounds like we need to add auth_use_nsswitch() to the dirsrv_t policy in selinux-policy, as we do call getpwnam() during startup of a DS instance.

Comment 10 Miroslav Grepl 2011-10-18 18:41:01 UTC
Fixed in selinux-policy-3.7.19-118.el6.noarch

# sesearch -A -s dirsrv_t -t dirsrv_t -c netlink_route_socket
Found 1 semantic av rules:
   allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;

Comment 14 errata-xmlrpc 2011-12-06 10:19:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.