Bug 845202 - Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-08-02 04:35 EDT by David Spurek
Modified: 2015-03-02 00:27 EST
Fixed In Version: selinux-policy-3.11.1-37.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 07:02:46 EDT
Type: Bug
Attachments: None
Description David Spurek 2012-08-02 04:35:58 EDT
Description of problem:
Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs.
The label should be slapd_cert_t, but currently it is:

matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:etc_t:s0

Version-Release number of selected component (if applicable):

How reproducible:

Actual results:
matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:etc_t:s0

Expected results:
matchpathcon /etc/openldap/certs
/etc/openldap/certs	system_u:object_r:slapd_cert_t:s0

Additional info:
Comment 1 Milos Malik 2012-08-02 05:30:03 EDT
# sesearch -s slapd_t -t slapd_cert_t --allow -C
WARNING: Policy would be downgraded from version 27 to 26.
Found 4 semantic av rules:
   allow slapd_t file_type : filesystem getattr ; 
   allow slapd_t slapd_cert_t : file { ioctl read getattr lock open } ; 
   allow slapd_t slapd_cert_t : dir { ioctl read getattr lock search open } ; 
   allow slapd_t slapd_cert_t : lnk_file { read getattr } ; 

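The description shows both paths falling through to the generic etc_t entry, and the sesearch output above shows that slapd_t already has read access to slapd_cert_t, so the only missing piece is a file_contexts entry for the two directories. The following added example is not from this bug report or from the selinux-policy package: it is a small Python model of how matchpathcon resolves a path against file_contexts, using a constructed spec that reproduces the bug and a second spec with the two entries the fix adds. The resolution rule modelled is the traditional one, where the last matching entry in the file wins (policy builds sort the compiled file_contexts so that more specific entries come last, which is why generic entries such as /etc/.* are listed first here). The sample spec lines, the /etc/openldap/certs/ca.crt file name and the audit helper are all constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed subset of a compiled file_contexts file (the form matchpathcon
# reads): "<regex> [<file type>] <context>" per line.  This is sample data for
# the example, not the RHEL policy file; it only carries the generic fallbacks,
# which is the state the bug describes.
BROKEN_FILE_CONTEXTS = """\
# generic fallbacks, most generic first
/.*                          system_u:object_r:default_t:s0
/etc/.*                      system_u:object_r:etc_t:s0
"""

# Same spec plus the two entries a fix needs (also constructed for the example).
FIXED_FILE_CONTEXTS = BROKEN_FILE_CONTEXTS + """\
/etc/openldap/certs(/.*)?    system_u:object_r:slapd_cert_t:s0
/etc/openldap/cacerts(/.*)?  system_u:object_r:slapd_cert_t:s0
"""

# (compiled regex, optional file-type flag such as "-d", context or None)
Spec = Tuple[re.Pattern, Optional[str], Optional[str]]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines; blank lines and '#' comment lines are skipped."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, ftype, ctx = fields
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # "<<none>>" means the path is deliberately left unlabelled.
        specs.append((re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return specs


def matchpathcon(specs: List[Spec], path: str) -> Optional[str]:
    """Return the default context for path.

    Every regex is anchored at both ends (re.fullmatch), as matchpathcon does.
    When several entries match, the last one in the file wins.  The file-type
    flag is parsed but not used to filter here, since this model only sees
    path strings, not inodes.
    """
    context: Optional[str] = None
    for regex, _ftype, ctx in specs:
        if regex.fullmatch(path):
            context = ctx
    return context


def type_of(context: Optional[str]) -> Optional[str]:
    """Extract the SELinux type, the third colon-separated field of a context."""
    return None if context is None else context.split(":")[2]


def audit_labels(specs: List[Spec], expected: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Compare the type each path is expected to get with what the spec assigns.

    Returns (path, expected type, actual type) for every mismatch, so an empty
    list means the spec labels every listed path as intended.
    """
    mismatches = []
    for path, want in expected.items():
        got = type_of(matchpathcon(specs, path))
        if got != want:
            mismatches.append((path, want, got))
    return mismatches


# Paths from the report plus one constructed file name underneath them.
EXPECTED = {
    "/etc/openldap/certs": "slapd_cert_t",
    "/etc/openldap/cacerts": "slapd_cert_t",
    "/etc/openldap/certs/ca.crt": "slapd_cert_t",
}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_FILE_CONTEXTS), ("fixed", FIXED_FILE_CONTEXTS)):
        bad = audit_labels(parse_file_contexts(text), EXPECTED)
        print(f"{name}: {len(bad)} mislabelled path(s)")
        for path, want, got in bad:
            print(f"  {path}\texpected {want}, default label gives {got}")
```

Run against the broken spec, all three paths resolve to etc_t exactly as the report's matchpathcon output does; with the two added entries they resolve to slapd_cert_t while /etc/openldap itself stays etc_t. The same audit_labels check, fed the output of the real matchpathcon for a list of paths a confined daemon must read, is a cheap way to catch this class of policy regression before restorecon or a relabel silently leaves a certificate directory unreadable to the daemon.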
Comment 2 Milos Malik 2012-08-03 04:06:24 EDT
# rpm -qf /etc/openldap
# rpm -qf /etc/openldap/certs
Comment 3 Daniel Walsh 2012-10-12 16:08:42 EDT
Fixed in selinux-policy-3.11.1-37.fc18.noarch
Comment 5 Ludek Smid 2014-06-13 07:02:46 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
