Bug 767756 - SELinux is preventing 389 admin server from opening ldap port
Summary: SELinux is preventing 389 admin server from opening ldap port
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 767823
TreeView+ depends on / blocked
 
Reported: 2011-12-14 20:14 UTC by Rich Megginson
Modified: 2011-12-22 22:49 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.10.0-67.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-22 22:49:52 UTC
Type: ---


Attachments (Terms of Use)

Description Rich Megginson 2011-12-14 20:14:22 UTC
The 389 admin server cannot open the ldap port to communicate with the ldap server.

[ 2230.468431] type=1400 audit(1323893235.080:40): avc:  denied  { name_connect } for  pid=2378 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket

Comment 1 Rich Megginson 2011-12-14 20:14:48 UTC
I marked as Urgent because this prevents admin server/console from working

Comment 2 Rich Megginson 2011-12-14 20:15:52 UTC
This is on F-16.  The system is up-to-date with the latest versions of all packages in updates.

Comment 3 Daniel Walsh 2011-12-14 20:52:12 UTC
 audit2allow  -i /tmp/t


#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind, httpd_can_network_connect

allow httpd_t ldap_port_t:tcp_socket name_connect;


We do not allow this by default, We used to in < f16.  We now turn off authlogin_nsswitch_use_ldap.

You can turn that on and make this work.  It has the side effect of allowing all confined domains that use getpw to be able to connect to ldap port.

Or you can turn on httpd_can_network_connect which will allow httpd to connect to all ports.

We can add a new boolean to allow apache to connect to ldap.  If this is considered real common.

Last option is you could install a policy module to allow httpd_t to connect to the ldap port.

Comment 4 Rich Megginson 2011-12-14 23:10:20 UTC
If we turn on httpd_can_network_connect will that allow _any_ httpd (and httpd.worker?) to connect to _any_ port?  If so, is that safe?

Comment 5 Miroslav Grepl 2011-12-15 08:36:39 UTC
But my question is why this runs in the httpd_t domain. I thought it should be running in the httpd_dirsrvadmin_script_t domain because we have


corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)

Comment 6 Rich Megginson 2011-12-15 15:11:56 UTC
When I start dirsrv-admin.service via systemctl, this is what I see:

[root@f16x8664 ~]# systemctl start dirsrv-admin.service
[root@f16x8664 ~]# ps -efZ | grep httpd
system_u:system_r:httpd_t:s0    root      2058     1  0 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root      2059  2058  0 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    nobody    2060  2058  1 07:31 ?        00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf

Why isn't httpd running in httpd_dirsrvadmin_script_t when I start it from systemctl?

Comment 7 Miroslav Grepl 2011-12-15 15:23:29 UTC
Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I think we could add a boolean.

Comment 8 Rich Megginson 2011-12-15 15:29:32 UTC
(In reply to comment #7)
> Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I
> think we could add a boolean.

Is this something I should do during 389-admin installation?  What boolean should I add?

Comment 9 Miroslav Grepl 2011-12-15 15:36:17 UTC
I am adding a new boolean

httpd_can_connect_ldap

which you will need to turn on during installation.

Comment 10 Miroslav Grepl 2011-12-15 15:39:20 UTC
Fixed in selinux-policy-3.10.0-67.fc16

Comment 11 Fedora Update System 2011-12-15 17:09:39 UTC
selinux-policy-3.10.0-67.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-67.fc16

Comment 12 Fedora Update System 2011-12-16 20:01:46 UTC
Package selinux-policy-3.10.0-67.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-67.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17191/selinux-policy-3.10.0-67.fc16
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2011-12-22 22:49:52 UTC
selinux-policy-3.10.0-67.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.