Bug 746017 - AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
Summary: AVC when dirsrv attempts to run prelink with NSS db in FIPS mode
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 796351
TreeView+ depends on / blocked
 
Reported: 2011-10-13 16:36 UTC by Rich Megginson
Modified: 2012-08-07 20:21 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
: 796351 (view as bug list)
Environment:
Last Closed: 2012-08-07 20:20:57 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
AVC and SYSCALL messages (2.65 KB, text/plain)
2011-10-13 16:36 UTC, Rich Megginson 		no flags Details
after loading new policy (2.41 KB, text/plain)
2011-10-13 19:36 UTC, Rich Megginson 		no flags Details
after running restorecon /usr/sbin/ns-slapd (585 bytes, text/plain)
2011-10-13 19:37 UTC, Rich Megginson 		no flags Details
View All

Description Rich Megginson 2011-10-13 16:36:37 UTC 
Created attachment 528064 [details]
AVC and SYSCALL messages

If dirsrv uses
modutil -dbdir /etc/dirsrv/slapd-instname -fips true
to enable FIPS mode in the NSS key/cert db, we get AVC messages because NSS_Initialize attempts to use prelink.
Comment 1 Nathan Kinder 2011-10-13 17:17:34 UTC 
I believe that we just need to add the following to the dirsrv policy:

prelink_exec(dirsrv_t);

We will test this to see if anything else is required.
Comment 2 Rich Megginson 2011-10-13 19:36:14 UTC 
Created attachment 528089 [details]
after loading new policy

I did the following on F-15:
1) create a file dirsrv-prelink.te with the following contents:
policy_module(dirsrv-prelink,1.0.0)

require {
    type dirsrv_t;
}

prelink_exec(dirsrv_t);

2) make -f /usr/share/selinux/devel/Makefile
3) semodule -i dirsrv-prelink.pp

After restarting dirsrv, I got the attached AVCs
Comment 3 Rich Megginson 2011-10-13 19:37:17 UTC 
Created attachment 528094 [details]
after running restorecon /usr/sbin/ns-slapd

Then I ran restorecon /usr/sbin/ns-slapd, and I got the attached AVC
Comment 4 Nathan Kinder 2011-10-13 22:36:50 UTC 
(In reply to comment #2)
> Created attachment 528089 [details]
> after loading new policy
> 
> I did the following on F-15:
> 1) create a file dirsrv-prelink.te with the following contents:
> policy_module(dirsrv-prelink,1.0.0)
> 
> require {
>     type dirsrv_t;
> }
> 
> prelink_exec(dirsrv_t);
> 
> 2) make -f /usr/share/selinux/devel/Makefile
> 3) semodule -i dirsrv-prelink.pp
> 
> After restarting dirsrv, I got the attached AVCs

Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of 'prelink_exec(dirsrv_t)'.  This will make prelink run in it's own context instead of using the dirsrv_t context.  Could you try changing the policy module and testing with the prelink_domtrans macro?
Comment 5 Rich Megginson 2011-10-13 22:52:12 UTC 
(In reply to comment #4)
> (In reply to comment #2)
> > Created attachment 528089 [details]
> > after loading new policy
> > 
> > I did the following on F-15:
> > 1) create a file dirsrv-prelink.te with the following contents:
> > policy_module(dirsrv-prelink,1.0.0)
> > 
> > require {
> >     type dirsrv_t;
> > }
> > 
> > prelink_exec(dirsrv_t);
> > 
> > 2) make -f /usr/share/selinux/devel/Makefile
> > 3) semodule -i dirsrv-prelink.pp
> > 
> > After restarting dirsrv, I got the attached AVCs
> 
> Perhaps we should use 'prelink_domtrans(dirsrv_t)' instead of
> 'prelink_exec(dirsrv_t)'.  This will make prelink run in it's own context
> instead of using the dirsrv_t context.  Could you try changing the policy
> module and testing with the prelink_domtrans macro?

Yep, changing prelink_exec to prelink_domtrans in the above worked.  No messages, no AVCs, in Permissive and in Enforcing mode.
Comment 6 Miroslav Grepl 2011-10-14 12:10:10 UTC 
Well, this is not something what we want to allow by default.

Dan,
AFAIK we had the similar bug.
Comment 7 Daniel Walsh 2011-10-14 12:56:11 UTC 
I would prefer not to transition to prelink and allow the relabel for the current domain.  prelink is a pretty powerfull domain, since it can read and write binaries.  If you could somehow fool prelink you could take a system over.  Allowing relabelto and relabelfrom types that you can read/write, I do not think is a problem.
Comment 8 Miroslav Grepl 2011-10-21 09:47:13 UTC 
Fixed in selinux-policy-3.9.16-44.fc15
Comment 9 Fedora End Of Life 2012-08-07 20:21:00 UTC 
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Note You need to log in before you can comment on or make changes to this bug.