Description of problem:
On directory server startup I'm seeing (in permissive mode):

type=AVC msg=audit(1316806800.921:105382): avc: denied { create } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105383): avc: denied { bind } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105384): avc: denied { getattr } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc: denied { write } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc: denied { nlmsg_read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105386): avc: denied { read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket

Did not appear to affect my operation so far.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.9.9-1.el5
selinux-policy-2.4.6-316.el5
> Did not appear to affect my operation so far.

Hi,
do you say it did not appear to affect your operation when in enforcing, right?
Thank you.
These avc's are often related to using getpw calls, and usually end up needing auth_use_nsswitch()
(In reply to comment #1)
> > Did not appear to affect my operation so far.
>
> Hi,
> do you say it did not appear to affect your operation when in enforcing, right?
> Thank you.

Correct, everything is apparently fine even in enforcing.
(In reply to comment #2)
> These avc's are often related to using getpw calls, and usually end up needing
> auth_use_nsswitch()

So is there something that needs to be fixed in package 389-ds-base?
(In reply to comment #4)
> (In reply to comment #2)
> > These avc's are often related to using getpw calls, and usually end up needing
> > auth_use_nsswitch()
>
> So is there something that needs to be fixed in package 389-ds-base?

It sounds like we need to add auth_use_nsswitch() to the dirsrv_t policy in selinux-policy, as we do call getpwnam() during startup of a DS instance.
Fixed in selinux-policy-3.7.19-118.el6.noarch

# sesearch -A -s dirsrv_t -t dirsrv_t -c netlink_route_socket
Found 1 semantic av rules:
   allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
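As an added example (not code from this bug, from 389-ds-base or from selinux-policy), a small Python script that parses the AVC records quoted in the description, groups the denied permissions per source type, target type and object class, renders each group as an allow rule in audit2allow's style, and checks the group against the rule from the sesearch output above, which is how one would confirm that an updated policy covers every recorded denial before relying on enforcing mode.

```python
import re

# Constructed sample input: the six AVC denials quoted in the bug description, one per line.
AVC_LINES = """\
type=AVC msg=audit(1316806800.921:105382): avc: denied { create } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105383): avc: denied { bind } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105384): avc: denied { getattr } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc: denied { write } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105385): avc: denied { nlmsg_read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1316806800.922:105386): avc: denied { read } for pid=2923 comm="ns-slapd" scontext=root:system_r:dirsrv_t:s0 tcontext=root:system_r:dirsrv_t:s0 tclass=netlink_route_socket
"""
# Allow rule from the sesearch output in the fix comment (selinux-policy-3.7.19-118.el6).
FIXED_RULE = ("allow dirsrv_t dirsrv_t : netlink_route_socket { ioctl read write create "
              "getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"allow\s+([^\s:]+)\s+([^\s:]+)\s*:\s*(\S+)\s*\{\s*([^}]+?)\s*\}")

def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC audit records are skipped
            key = (m["scontext"].split(":")[2], m["tcontext"].split(":")[2], m["tclass"])  # user:role:type:level
            denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def parse_allow(rule):
    """Parse 'allow src tgt : class { perms } ;' into ((src, tgt, class), {perms})."""
    m = ALLOW_RE.search(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    return (m.group(1), m.group(2), m.group(3)), set(m.group(4).split())

def uncovered(denials, rule):
    """Return {key: sorted perms} for the denials that the allow rule does not grant."""
    allow_key, allow_perms = parse_allow(rule)
    missing = {}
    for key, perms in denials.items():
        gap = perms - (allow_perms if key == allow_key else set())
        if gap:
            missing[key] = sorted(gap)
    return missing

def suggest_rule(key, perms):
    """Render one denial group as an allow rule, in the style audit2allow prints."""
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
```

`uncovered(parse_avc(AVC_LINES), FIXED_RULE)` returns an empty dict, confirming the updated rule grants all six denied permissions; a rule lacking nlmsg_read would be reported with that permission as the gap.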
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html