Bug 769440 - SELinux Denials with HTTP Password Migration
Summary: SELinux Denials with HTTP Password Migration
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 16
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-12-20 20:43 UTC by Jenny Severance
Modified: 2012-02-02 17:32 UTC

Fixed In Version: slapi-nis-0.28-1.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-02 17:32:18 UTC
Type: ---



Description Jenny Severance 2011-12-20 20:43:16 UTC
Description of problem:
On Fedora 16, getting the following AVC messages and SELinux denial when trying to migrate users' passwords from the migration web UI:

https://myhost.testrelm/ipa/migration/

AVC ....

type=SYSCALL msg=audit(1324413446.676:1988): arch=c000003e syscall=42 success=yes exit=0 a0=2e a1=7fcbf24eae70 a2=6e a3=7fcbf24eae72 items=0 ppid=28511 pid=28649 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1324413446.676:1988): avc:  denied  { connectto } for  pid=28649 comm="httpd" path="/run/slapd-TESTRELM.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket

I am not seeing the issue on RHEL 6.2.


Version-Release number of selected component (if applicable):
freeipa-server-2.1.4-1.20111209T1252Zgitd27b23d.fc16.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Stand up a 389 directory server and add some users with passwords
2.  Make sure SELinux is enforcing
3.  Migrate the users from the directory server instance (ipa migrate-ds --help)
4.  Access the migration URL and attempt password migration for a migrated user
  
Actual results:

"There was a problem with your request. Please, try again later."

Expected results:

Successful password migration and user to have keytab.

Additional info:
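
Added example, not part of the original report or of the FreeIPA project: a Python sketch that pairs the SYSCALL and AVC records quoted in the description by their shared audit event ID and reduces the denial to the source type, target type, class and permission a policy reviewer would look at. The function names are illustrative assumptions; the sample input is the two log lines from the report.

```python
import re

# The two audit records quoted in the report (same event ID 1324413446.676:1988).
SAMPLE = '''type=SYSCALL msg=audit(1324413446.676:1988): arch=c000003e syscall=42 success=yes exit=0 a0=2e a1=7fcbf24eae70 a2=6e a3=7fcbf24eae72 items=0 ppid=28511 pid=28649 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1324413446.676:1988): avc:  denied  { connectto } for  pid=28649 comm="httpd" path="/run/slapd-TESTRELM.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_events(text):
    # Group records by (timestamp, serial): {event_id: {record_type: fields}}
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            if p:
                fields['result'] = p.group(1)
                fields['perms'] = p.group(2).split()
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def summarize_denials(text):
    # One dict per denied AVC, enriched with the SYSCALL record of the same event
    out = []
    for eid, recs in parse_events(text).items():
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        out.append({
            'event': ':'.join(eid),
            'source_type': avc['scontext'].split(':')[2],  # user:role:type:level
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'path': avc.get('path'),
            'exe': sc.get('exe'),
            'syscall_success': sc.get('success'),
        })
    return out
```

Calling `summarize_denials(SAMPLE)` yields a single entry: `httpd_t` denied `connectto` on a `unix_stream_socket` owned by `dirsrv_t`, with the executable and the syscall's `success` field taken from the paired SYSCALL record.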

Comment 1 Fedora Update System 2011-12-21 14:40:27 UTC
slapi-nis-0.28-1.fc16,freeipa-2.1.4-3.fc16,389-ds-base-1.2.10-0.6.a6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/slapi-nis-0.28-1.fc16,freeipa-2.1.4-3.fc16,389-ds-base-1.2.10-0.6.a6.fc16

Comment 2 Fedora Update System 2011-12-22 22:43:01 UTC
Package slapi-nis-0.28-1.fc16, freeipa-2.1.4-3.fc16, 389-ds-base-1.2.10-0.6.a6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing slapi-nis-0.28-1.fc16 freeipa-2.1.4-3.fc16 389-ds-base-1.2.10-0.6.a6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17313/slapi-nis-0.28-1.fc16,freeipa-2.1.4-3.fc16,389-ds-base-1.2.10-0.6.a6.fc16
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2012-02-02 17:32:18 UTC
slapi-nis-0.28-1.fc16, 389-ds-base-1.2.10-0.6.a6.fc16, freeipa-2.1.4-4.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

