796423 – AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Bug 796423 - AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Summary: AVC when dirsrv attempts to run prelink with NSS db in FIPS mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	796351
Blocks:
TreeView+	depends on / blocked

Reported:	2012-02-22 20:41 UTC by Benjamin Kahn
Modified:	2012-02-24 16:45 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.7.19-126.el6_2.9
Doc Type:	Bug Fix
Doc Text:	Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.
Clone Of:
Environment:
Last Closed:	2012-02-24 16:45:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0338	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2012-02-24 21:44:51 UTC

Description Benjamin Kahn 2012-02-22 20:41:40 UTC

This bug has been copied from bug #796351 and has been proposed
to be backported to 6.2 z-stream (EUS).

Comment 4 Miroslav Grepl 2012-02-22 21:01:52 UTC

Fixed in selinux-policy-3.7.19-126.el6_2.7

Comment 17 Miroslav Svoboda 2012-02-24 14:28:41 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux received deny AVC messages if the dirsrv utility executed the "modutil -dbdir /etc/dirsrv/slapd-instname -fips" command to enable FIPS mode in an NSS (Network Security Service) key/cert database. This happened because the NSS_Initialize() function attempted to use prelink which uses the dirsrv_t context. With this update, prelink with the dirsrv_t context is allowed to relabel its own temporary files under these circumstances and the problem no longer occurs.

Comment 18 errata-xmlrpc 2012-02-24 16:45:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0338.html

Note You need to log in before you can comment on or make changes to this bug.