Description of problem:
When trying to finger a user the finger program is blocked by SELinux from accessing nslcd cache data.

Version-Release number of selected component (if applicable):
finger-0.17-39.el6.x86_64
finger-server-0.17-39.el6.x86_64

How reproducible:
All RHEL 6 servers I've tried this on.

Steps to Reproduce:
1. install finger & finger-server
2. finger user@localhost (where user is not in /etc/passwd but from ldap or something)

Actual results:
# finger bdwheele
finger: bdwheele: no such user.
# tail /var/log/messages
...
Oct 27 10:40:30 testhost setroubleshoot: SELinux is preventing /usr/bin/finger "search" access on /var/run/nslcd. For complete SELinux messages. run sealert -l 7bce72f5-c7c8-4f5b-8f78-4efc75bbc49b

# sealert -l 7bce72f5-c7c8-4f5b-8f78-4efc75bbc49b
Summary:
SELinux is preventing /usr/bin/finger "search" access on /var/run/nslcd.

Detailed Description:
SELinux denied access requested by finger. It is not expected that this access is required by finger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.
Additional Information:

Source Context                unconfined_u:system_r:fingerd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nslcd_var_run_t:s0
Target Objects                /var/run/nslcd [ dir ]
Source                        finger
Source Path                   /usr/bin/finger
Port                          <Unknown>
Host                          testhost
Source RPM Packages           finger-0.17-39.el6
Target RPM Packages           nss-pam-ldapd-0.7.5-7.el6
Policy RPM                    selinux-policy-3.7.19-93.el6_1.7
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     testhost
Platform                      Linux testhost 2.6.32-71.24.1.el6.x86_64 #1 SMP Sat Mar 26 16:05:19 EDT 2011 x86_64 x86_64
Alert Count                   15
First Seen                    Thu Oct 27 09:22:11 2011
Last Seen                     Thu Oct 27 10:40:29 2011
Local ID                      7bce72f5-c7c8-4f5b-8f78-4efc75bbc49b
Line Numbers

Raw Audit Messages

node=testhost type=AVC msg=audit(1319726429.350:10215950): avc: denied { search } for pid=22288 comm="finger" name="nslcd" dev=dm-0 ino=656057 scontext=unconfined_u:system_r:fingerd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir

node=testhost type=SYSCALL msg=audit(1319726429.350:10215950): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffb581f800 a2=6e a3=58 items=0 ppid=26447 pid=22288 auid=11907 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=464562 comm="finger" exe="/usr/bin/finger" subj=unconfined_u:system_r:fingerd_t:s0-s0:c0.c1023 key=(null)

Expected results:
# finger bdwheele
Login: bdwheele                          Name: Brian Wheeler
Directory: /home/bdwheele                Shell: /bin/bash
On since Wed Oct 26 14:24 (EDT) on pts/0 from somewhere
Mail forwarded to bdwheele
No mail.
No Plan.

Additional info:
The above fingering worked on RHEL5 with nslcd active.
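The sealert output in the report points at the standard stopgap for a denial like this, a local policy module, until a fixed selinux-policy is installed. The script below is an added example, not code from the bug report or from Red Hat: it turns raw AVC records (the kind `ausearch -m avc -c finger` prints, or the one quoted above) into the .te source that `audit2allow -M` would generate, using only awk so it can be checked offline. The function name `avc_to_te` and the module name `finger_nslcd_local` are ours; the only input is the AVC line from the report, embedded as a constructed sample. Two things worth reading out of the records before trusting such a module: the SYSCALL record shows `syscall=42`, which on x86_64 is connect(2), so finger's NSS lookup through nss-pam-ldapd is trying to reach nslcd's socket below /var/run/nslcd and the directory `search` is only the first permission SELinux checks on that path (a connect to a unix socket typically needs access to the socket file and the connect itself as well, which show up as further denials only once `search` is allowed); and the access is legitimate here, which is why the proper fix landed in selinux-policy rather than in a permanent local module.

```sh
#!/bin/sh
# Added example (not code from the bug report or from Red Hat): build the .te
# source of a local SELinux policy module from raw AVC records. For simple
# denials this is what `audit2allow -M` emits on a live system; done in awk it
# needs no SELinux tooling. Function name avc_to_te and module name are ours.

# Constructed sample input: the AVC record from the report, copied verbatim.
SAMPLE_AVC='node=testhost type=AVC msg=audit(1319726429.350:10215950): avc: denied { search } for pid=22288 comm="finger" name="nslcd" dev=dm-0 ino=656057 scontext=unconfined_u:system_r:fingerd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir'

# avc_to_te MODULE_NAME < audit-records
# Reads AVC records on stdin (non-AVC records such as SYSCALL are ignored) and
# prints a complete type-enforcement module: a require block plus one allow
# rule per (source type, target type, class), with permissions merged across
# records so that several denials for the same pair collapse into one rule.
avc_to_te() {
    awk -v modname="$1" '
    # Braces only when the permission list has more than one member.
    function braces(s) { return (index(s, " ") ? "{ " s " }" : s) }

    /type=AVC/ && / denied / {
        # The permission set sits between the braces: "denied { search } for".
        perm = $0
        sub(/.*denied[ ]*[{][ ]*/, "", perm)
        sub(/[ ]*[}].*/, "", perm)

        # Types are the third field of the colon-separated security contexts.
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next

        # Keep first-seen order so the output is deterministic.
        if (!(src in seen_type)) { seen_type[src] = 1; types[++nt] = src }
        if (!(tgt in seen_type)) { seen_type[tgt] = 1; types[++nt] = tgt }
        if (!(cls in seen_cls))  { seen_cls[cls] = 1;  classes[++nc] = cls }
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in rule))      { rule[key] = "";      rules[++nr] = key }

        # Merge permissions per rule, and per class for the require block.
        np = split(perm, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in rp)) {
                rp[key, p[j]] = 1
                rule[key] = rule[key] (rule[key] == "" ? "" : " ") p[j]
            }
            if (!((cls, p[j]) in cp)) {
                cp[cls, p[j]] = 1
                cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") p[j]
            }
        }
    }

    END {
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s %s;\n", classes[i], braces(cperm[classes[i]])
        printf "}\n\n"
        for (i = 1; i <= nr; i++) {
            split(rules[i], k, SUBSEP)
            printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], braces(rule[rules[i]])
        }
    }'
}

# Demo: the module source for the denial quoted in the report.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te finger_nslcd_local

# On the affected host the remaining steps are the standard ones (not run here):
#   ausearch -m avc -c finger | avc_to_te finger_nslcd_local > finger_nslcd_local.te
#   checkmodule -M -m -o finger_nslcd_local.mod finger_nslcd_local.te
#   semodule_package -o finger_nslcd_local.pp -m finger_nslcd_local.mod
#   semodule -i finger_nslcd_local.pp
# Re-run finger afterwards and feed any new denials back in; remove the module
# with `semodule -r finger_nslcd_local` once the fixed selinux-policy is installed.
```

For the single record above the script prints a module whose only rule is `allow fingerd_t nslcd_var_run_t:dir search;`. Because a module built from one AVC tends to be followed by the next denial on the same code path, collect records after each retry (or, on a system where that is acceptable, put the domain in permissive mode with `semanage permissive -a fingerd_t` for one run) and rebuild from the whole set rather than from a single line.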
We have this in Fedora.
Fixed in selinux-policy-3.7.19-122.el6
Any ETA on availability of the updated selinux-policy package?
Updated selinux-policy can be found here: http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/ Please let us know if it solved your problem.
Yes, I can finger via the network now. Thanks!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html