Bug 830764 - httpd can no longer connect to dirsrv socket
httpd can no longer connect to dirsrv socket
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
: Regression
Depends On:
  Show dependency treegraph
Reported: 2012-06-11 07:23 EDT by Martin Kosek
Modified: 2012-07-19 05:18 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-19 20:30:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2012-06-11 07:23:27 EDT
Description of problem:

httpd wsgi application can no longer connect to dirsrv socket. I assume this is a regression in Fedora 17, the wsgi script worked for us earlier.

type=AVC msg=audit(1339412496.858:270): avc:  denied  { connectto } for  pid=10769 comm="httpd" path="/run/slapd-IDM-LAB-BOS-REDHAT-COM.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1339412496.858:270): arch=c000003e syscall=42 success=no exit=-13 a0=2e a1=7f8de1cac2e0 a2=6e a3=7f8de1cac2e2 items=0 ppid=10690 pid=10769 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install freeipa-server package
2. Run ipa-server-install with default options to install an IPA server on host $HOST
3. Open https://$HOST/ipa/migration/
4. Insert admin user credentials that were entered during ipa-server-install
Actual results:
Page reports error, AVC is added to audit.log

Expected results:
Operation is allowed

Additional info:
Comment 1 Martin Kosek 2012-06-11 08:22:00 EDT
We just tested that an older selinux-polixy version (selinux-policy-targeted-3.10.0-125.fc17.noarch) allowed this connection.
Comment 5 Martin Kosek 2012-06-12 03:01:37 EDT
I tested that when I set authlogin_nsswitch_use_ldap sebool to true, connection to socket worked. But I don't think we want to always set this option to true when installing IPA, httpd connectes to dirsrv socket for a reason not related to authentication or nsswitch.

There was already a similar discussion in Bug 748366 where named_t could not connect to dirsrv_t.
Comment 6 Martin Kosek 2012-06-12 04:37:22 EDT
Miroslav, you may be right. When I run the tests today, I could not find a selinux-policy version where I would not get the AVC (earlier negative test with selinux-policy-targeted-3.10.0-125.fc17.noarch was done by my colleague).

Still, current selinux-policy does not allow our WSGI script to connect to dirsrv, although now I get slightly different AVC:

type=AVC msg=audit(1339488123.752:1453): avc:  denied  { write } for  pid=21251 comm="httpd" name="slapd-IDM-LAB-BOS-REDHAT-COM.socket" dev="tmpfs" ino=161531 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:slapd_var_run_t:s0 tclass=sock_file

I can test any scratch build of the policy it this would help or provide access to the VM I am testing on.
Comment 7 Miroslav Grepl 2012-06-12 06:00:27 EDT
Fixed in selinux-policy-targeted-3.10.0-131.fc17
Comment 8 Fedora Update System 2012-06-19 03:59:44 EDT
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
Comment 9 Fedora Update System 2012-06-19 20:30:00 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-07-19 05:18:03 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.