The 389 admin server cannot open the ldap port to communicate with the ldap server.

[ 2230.468431] type=1400 audit(1323893235.080:40): avc: denied { name_connect } for pid=2378 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
I marked as Urgent because this prevents admin server/console from working
This is on F-16. The system is up-to-date with the latest versions of all packages in updates.
audit2allow -i /tmp/t

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     authlogin_nsswitch_use_ldap, allow_ypbind, httpd_can_network_connect
allow httpd_t ldap_port_t:tcp_socket name_connect;

We do not allow this by default; we used to in < f16. We now turn off authlogin_nsswitch_use_ldap. You can turn that on and make this work. It has the side effect of allowing all confined domains that use getpw to be able to connect to the ldap port. Or you can turn on httpd_can_network_connect, which will allow httpd to connect to all ports. We can add a new boolean to allow apache to connect to ldap, if this is considered real common. The last option is you could install a policy module to allow httpd_t to connect to the ldap port.
If we turn on httpd_can_network_connect will that allow _any_ httpd (and httpd.worker?) to connect to _any_ port? If so, is that safe?
But my question is why this runs in the httpd_t domain. I thought it should be running in the httpd_dirsrvadmin_script_t domain because we have corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
When I start dirsrv-admin.service via systemctl, this is what I see:

[root@f16x8664 ~]# systemctl start dirsrv-admin.service
[root@f16x8664 ~]# ps -efZ | grep httpd
system_u:system_r:httpd_t:s0    root    2058    1  0 07:31 ?  00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    root    2059 2058  0 07:31 ?  00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
system_u:system_r:httpd_t:s0    nobody  2060 2058  1 07:31 ?  00:00:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf

Why isn't httpd running in httpd_dirsrvadmin_script_t when I start it from systemctl?
Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I think we could add a boolean.
(In reply to comment #7)
> Well, the httpd_dirsrvadmin_script_t domain is for dirsrv-admin cgi scripts. I
> think we could add a boolean.

Is this something I should do during 389-admin installation? What boolean should I add?
I am adding a new boolean httpd_can_connect_ldap which you will need to turn on during installation.
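As an added illustration of the choices discussed in comment 4 and the boolean introduced in comment 10 (example script, not code from this bug report or from the selinux-policy package): a POSIX shell script that parses the AVC line from the report and maps the httpd_t to ldap_port_t name_connect denial to the narrowest boolean named in the thread. The function names are my own; the sample line is the one from the original report.

```shell
#!/bin/sh
# Added example, not from this bug report or selinux-policy: parse an AVC
# denial line and map it to the narrowest boolean discussed in the thread.
# Function names are my own; AVC_LINE is the denial from the original report.

AVC_LINE='type=1400 audit(1323893235.080:40): avc: denied { name_connect } for pid=2378 comm="httpd.worker" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of KEY=... in LINE, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm LINE: the permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend_boolean LINE: narrowest boolean for the denial, or "none" when a
# local policy module (audit2allow -M) is the remaining option.
recommend_boolean() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    if [ "$src" = httpd_t ] && [ "$cls" = tcp_socket ] && [ "$perm" = name_connect ]; then
        if [ "$tgt" = ldap_port_t ]; then
            # Only the ldap port, unlike httpd_can_network_connect (every port)
            # or authlogin_nsswitch_use_ldap (every getpw-using domain).
            echo httpd_can_connect_ldap
        else
            # Broad: opens every TCP port; check for a narrower boolean first.
            echo httpd_can_network_connect
        fi
    else
        echo none
    fi
}

# Print the persistent setsebool command instead of running it, so the
# script is harmless on a machine without SELinux.
suggest_fix() {
    b=$(recommend_boolean "$1")
    [ "$b" = none ] && { echo "no boolean: build a local module with audit2allow -M"; return; }
    echo "setsebool -P $b on"
}

suggest_fix "$AVC_LINE"
```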
Fixed in selinux-policy-3.10.0-67.fc16
selinux-policy-3.10.0-67.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-67.fc16
Package selinux-policy-3.10.0-67.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-67.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17191/selinux-policy-3.10.0-67.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-67.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.