Description of problem:
We found a regression in FreeIPA in the F-16 selinux policy. named is now not allowed to talk to dirsrv via socket as it was allowed in F-15. In the F-15 policy there is this rule:

(11:04:41 AM) atkac: allow named_t dirsrv_var_run_t : sock_file { write getattr append open } ;

Now we get these errors in audit.log:

/var/log/audit.log:
type=AVC msg=audit(1319446111.897:884): avc: denied { write } for pid=17975 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=78324 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1319446111.897:884): avc: denied { connectto } for pid=17975 comm="named" path="/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-46.fc16.noarch

How reproducible:
Install FreeIPA server in F-16 with named support and check DNS functionality or look for AVCs in audit.log

Steps to Reproduce:
1. Install freeipa-server package from updates-testing
2. Install FreeIPA with DNS support: ipa-server-install --setup-dns
3. Check that FreeIPA with DNS is working: dig `hostname`

Actual results:
named cannot contact dirsrv. /var/log/messages says:
Oct 24 04:44:51 vm-093 named[17903]: bind to LDAP server failed: Can't contact LDAP server

Expected results:
named is allowed to contact dirsrv and DNS functionality in FreeIPA server works.

Additional info:
Just for comparison with F15.

F15:
sesearch --allow -s named_t -t dirsrv_var_run_t
Found 3 semantic av rules:
allow named_t file_type : filesystem getattr ;
allow named_t dirsrv_var_run_t : dir { getattr search open } ;
allow named_t dirsrv_var_run_t : sock_file { write getattr append open } ;

F16:
sesearch --allow -s named_t -t dirsrv_var_run_t
Found 3 semantic av rules:
allow named_t file_type : filesystem getattr ;
allow nsswitch_domain dirsrv_var_run_t : dir { getattr search open } ;
allow nsswitch_domain dirsrv_var_run_t : sock_file { write getattr append open } ;

It seems that named_t should be part of nsswitch_domain (which seems like a wrong idea to me) but it isn't...
Well, what nsswitch_domain means for named_t: We have

auth_use_nsswitch(named_t)

which means

########################################
## <summary>
##	Use nsswitch to look up user, password, group, or
##	host information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to look up user, password,
##	group, or host information using the name service.
##	The most common use of this interface is for services
##	that do host name resolution (usually DNS resolution).
##	</p>
## </desc>

And the bug should be fixed in the latest release:

# sesearch -A -s named_t -t dirsrv_t
Found 3 semantic av rules:
allow domain domain : key { search link } ;
allow domain domain : fd use ;
allow nsswitch_domain dirsrv_t : unix_stream_socket connectto ;
So if I understand it correctly: if we want to let named communicate with dirsrv we have to set this option on? Running:

# setsebool -P authlogin_nsswitch_use_ldap on

fixes the AVC and name service for FreeIPA works correctly now, but IMHO it is not very logical. I don't see the relevance between a name server talking to dirsrv and authlogin_nsswitch_use_ldap. I liked the policy in F-15 more.
Yep, you are right, I missed "-C"

# sesearch -AC -s named_t -t dirsrv_t
Found 3 semantic av rules:
allow domain domain : key { search link } ;
ET allow domain domain : fd use ; [ allow_domain_fd_use ]
DT allow nsswitch_domain dirsrv_t : unix_stream_socket connectto ; [ authlogin_nsswitch_use_ldap ]
Actually this makes sense. Since "389 Directory Server" is Open Source LDAP so we treat it with "authlogin_nsswitch_use_ldap" boolean.
(In reply to comment #5)
> Actually this makes sense. Since "389 Directory Server" is Open Source LDAP so
> we treat it with "authlogin_nsswitch_use_ldap" boolean.

If I use my common sense, this doesn't seem too logical to me. If I generalize this issue then "any service (named_t in this case but it can also be httpd_t) which needs to be able to connect to 389 DS sockets must enable the authlogin_nsswitch_use_ldap boolean". Although I agree to use a boolean for such functionality, I don't agree with its name. What is the connection between "connecting to LDAP sockets" and "authentication", "login" and "nsswitch"? Additionally, when I allow this boolean many other rules get allowed. However I don't want to allow other services to connect to the LDAP, only named_t should be allowed to connect there. In my opinion the best idea is to allow named_t to manipulate dirsrv_var_run_t, as was in F15. If you don't agree with this, I tend to create an SELinux policy module for bind-dyndb-ldap and ship it as part of that pkg. Please reconsider if the current policy is better than the F15 policy.
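For reference, here is what the per-package module proposed above would look like in practice. This is an added example, not code from the bug report, from bind-dyndb-ldap or from the selinux-policy package: it takes the two AVC records quoted in the description and emits a type-enforcement module that grants exactly those permissions to named_t and nothing else, which is the narrow alternative to flipping authlogin_nsswitch_use_ldap for every nsswitch_domain. The module name "named_dirsrv" is an assumption chosen for illustration, and the audit lines are a constructed sample copied from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the selinux-policy
# package: derive a minimal SELinux policy module for named_t from the two
# AVC records quoted in the report. This is the per-domain alternative to
# flipping the broad authlogin_nsswitch_use_ldap boolean: only named_t is
# widened, and only by the exact permissions the kernel denied. The module
# name "named_dirsrv" is an assumption chosen for illustration.

# Constructed sample input: the AVCs from the report, one record per line.
SAMPLE_AVCS='type=AVC msg=audit(1319446111.897:884): avc: denied { write } for pid=17975 comm="named" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev=tmpfs ino=78324 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1319446111.897:884): avc: denied { connectto } for pid=17975 comm="named" path="/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket" scontext=system_u:system_r:named_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket'

# avc_to_rules: read audit records on stdin and print one tab-separated
# line per (source type, target type, class) triple:
#     src<TAB>tgt<TAB>class<TAB>perms
# Permissions denied for the same triple are merged and de-duplicated;
# non-AVC records (SYSCALL, PATH, ...) are ignored. The "denied" match
# tolerates the double spaces real audit.log lines carry.
avc_to_rules() {
    LC_ALL=C awk '
    /^type=AVC/ && / denied / {
        perms = $0
        sub(/.*denied *[{] */, "", perms)      # keep "write" from "{ write }"
        sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART, RLENGTH)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART, RLENGTH)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sa, ":"); split(t, ta, ":")   # user:role:type:level, [3] is the type
        key = sa[3] "\t" ta[3] "\t" c
        if (!(key in p)) { p[key] = ""; order[++n] = key }
        np = split(perms, pw, " ")
        for (j = 1; j <= np; j++)
            if (index(" " p[key] " ", " " pw[j] " ") == 0)
                p[key] = (p[key] == "") ? pw[j] : p[key] " " pw[j]
    }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], p[order[i]] }'
}

# make_te_module NAME: emit complete type-enforcement (.te) source for the
# AVCs on stdin, declaring every type and class it uses in a require block.
# Fails with a message instead of emitting an empty, unloadable module when
# stdin holds no AVC denials.
make_te_module() {
    name=$1
    rules=$(avc_to_rules)
    if [ -z "$rules" ]; then
        echo "make_te_module: no AVC denials on stdin" >&2
        return 1
    fi
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '%s\n' "$rules" | LC_ALL=C awk -F'\t' '{ print "    type " $1 ";"; print "    type " $2 ";" }' | LC_ALL=C sort -u
    printf '%s\n' "$rules" | LC_ALL=C awk -F'\t' '
        { np = split($4, pw, " ")
          for (j = 1; j <= np; j++)
              if (index(" " cp[$3] " ", " " pw[j] " ") == 0)
                  cp[$3] = (cp[$3] == "") ? pw[j] : cp[$3] " " pw[j]
          if (!($3 in seen)) { seen[$3] = 1; order[++n] = $3 } }
        END { for (i = 1; i <= n; i++) printf "    class %s { %s };\n", order[i], cp[order[i]] }'
    printf '}\n\n'
    printf '%s\n' "$rules" | LC_ALL=C awk -F'\t' '{ printf "allow %s %s:%s { %s };\n", $1, $2, $3, $4 }'
}

# On a real F-16 host the module would be built and loaded with the
# policycoreutils tools (not run here):
#   make_te_module named_dirsrv < /var/log/audit/audit.log > named_dirsrv.te
#   checkmodule -M -m -o named_dirsrv.mod named_dirsrv.te
#   semodule_package -o named_dirsrv.pp -m named_dirsrv.mod
#   semodule -i named_dirsrv.pp
printf '%s\n' "$SAMPLE_AVCS" | make_te_module named_dirsrv
```

Run stand-alone it prints a module with two allow rules, "allow named_t dirsrv_var_run_t:sock_file { write };" and "allow named_t dirsrv_t:unix_stream_socket { connectto };". Note that the second rule is the same access the F16 policy only grants through the boolean (the DT line in the sesearch -AC output above), so the module restores the F15 behaviour for named_t without touching httpd_t or any other nsswitch_domain. Before shipping such a module, run sesearch against the installed policy first: if a later selinux-policy already grants the access unconditionally, the module is redundant and will only need to be removed later.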
The boolean allows users to login using a sssd server.
Do I understand it correctly that this issue will be resolved by allowing named_t to manipulate dirsrv_var_run_t globally (i.e. enabled by default)? I think this would be the best course of action.
If named is not talking to dirsrv for nsswitch resolution then we should just allow this access.
Yes, fixed in selinux-policy-3.10.0-48.fc16.
selinux-policy-3.10.0-51.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-51.fc16
Package selinux-policy-3.10.0-51.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-51.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-15029
then log in and leave karma (feedback).
selinux-policy-3.10.0-51.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.