Additional info: libreport version: 2.0.13 kernel: 3.5.3-1.fc17.i686 description: :SELinux is preventing /usr/sbin/nslcd from 'name_connect' accesses on the tcp_socket . : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that nslcd should be allowed name_connect access on the tcp_socket by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep nslcd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:nslcd_t:s0 :Target Context system_u:object_r:ldap_port_t:s0 :Target Objects [ tcp_socket ] :Source nslcd :Source Path /usr/sbin/nslcd :Port 389 :Host (removed) :Source RPM Packages nss-pam-ldapd-0.7.16-2.fc17.i686 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-149.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.5.3-1.fc17.i686 #1 SMP Wed Aug : 29 19:25:38 UTC 2012 i686 i686 :Alert Count 1 :First Seen 2012-09-25 13:34:47 FET :Last Seen 2012-09-25 13:34:47 FET :Local ID 9c6b1bdd-8f61-4f86-a979-162cb0be388d : :Raw Audit Messages :type=AVC msg=audit(1348569287.890:144): avc: denied { name_connect } for pid=10543 comm="nslcd" dest=389 scontext=system_u:system_r:nslcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket : : :type=SYSCALL msg=audit(1348569287.890:144): arch=i386 syscall=socketcall success=no exit=EINPROGRESS a0=3 a1=b566fce0 a2=b76fcff4 a3=0 items=0 ppid=1 pid=10543 auid=4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty=(none) ses=4294967295 comm=nslcd exe=/usr/sbin/nslcd subj=system_u:system_r:nslcd_t:s0 key=(null) : :Hash: nslcd,nslcd_t,ldap_port_t,tcp_socket,name_connect : :audit2allow : :#============= nslcd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# authlogin_nsswitch_use_ldap, allow_ypbind : :allow nslcd_t ldap_port_t:tcp_socket name_connect; : :audit2allow -R : :#============= nslcd_t ============== :#!!!! This avc can be allowed using one of the these booleans: :# authlogin_nsswitch_use_ldap, allow_ypbind : :allow nslcd_t ldap_port_t:tcp_socket name_connect; :
Created attachment 616958 [details] File: type
Created attachment 616959 [details] File: hashmarkername
I see this allowed in selinux-policy-3.10.0-150.fc17
selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17
Package selinux-policy-3.10.0-153.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17 then log in and leave karma (feedback).
I have the same exact problem, and the update to selinux-policy-3.10.0-153.fc17.noarch did not fix it: Here is relevant aureport: 1707. 10/18/2012 15:26:21 nslcd system_u:system_r:nslcd_t:s0 42 tcp_socket name_connect system_u:object_r:ldap_port_t:s0 denied 11939 I restarted nslcd daemon in case it matters, but did not reboot (shouldn't have to).
Fixed. commit c58b47335ab984dd47feeb0b67952b586a835d2c Author: Miroslav Grepl <mgrepl> Date: Fri Oct 19 11:26:25 2012 +0200 Allow nslcd to connect to ldap port without boolean
Not fixed for me: rpm -q selinux-policy selinux-policy-3.10.0-156.fc17.noarch Had to do policy tweak as per selinux-troubleshooter instructions to get this to work.
Woops. If anyone could remove the hostname from comment 8 that would be splendid.
I can make it private, not sure I can modify it.
Rob please show us the latest AVC messages.
Last AVC in the log before I tweaked policy: type=SYSCALL msg=audit(1351136435.126:100): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fcd2000a410 a2=1c a3=7fcd25345254 items=0 ppid=1 pid=1717 auid =4294967295 uid=65 gid=55 euid=65 suid=65 fsuid=65 egid=55 sgid=55 fsgid=55 tty= (none) ses=4294967295 comm="nslcd" exe="/usr/sbin/nslcd" subj=system_u:system_r: nslcd_t:s0 key=(null) type=AVC msg=audit(1351136435.126:101): avc: denied { name_connect } for pid= 1717 comm="nslcd" dest=389 scontext=system_u:system_r:nslcd_t:s0 tcontext=system _u:object_r:ldap_port_t:s0 tclass=tcp_socket
(In reply to comment #11) > I can make it private, not sure I can modify it. If you could make #8 private that would be great; but I can live otherwise.
Fixed in 3.10.0-157
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Package selinux-policy-3.10.0-159.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-153.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.