Description of problem:
Admin server cannot be restarted from console and subsequent restarts from command line are also unsuccessful.

Version-Release number of selected component (if applicable):
RHEL 6.4 i386 with RHDS 9.1

How reproducible:
always

Steps to Reproduce:
1) Try restarting from console (should succeed):
[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin:                                [  OK  ]
Starting dirsrv-admin:                                     [  OK  ]
(restart from command line OK)

2) Restart from console, this error message appears:
Status: Failure
Can not open pidlog file text/html

Admin server should restart on user request.

3) Now try to restart again from command line:
[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin:
Starting dirsrv-admin: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:9830
no listening sockets available, shutting down
Unable to open logs
Server failed to start !!! Please check errors log for problems
                                                           [FAILED]

From /var/log/dirsrv/admin-serv/error:
[Thu Mar 07 13:52:23 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Thu Mar 07 13:52:23 2013] [crit] [client 127.0.0.1] configuration error: couldn't check access. No groups file?: /tasks/Operation/Restart
rm: cannot remove `/var/lock/subsys/dirsrv-admin': Permission denied
httpd.worker: Syntax error on line 120 of /etc/dirsrv/admin-serv/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_authz_host.so into server: /usr/lib/httpd/modules/mod_authz_host.so: cannot open shared object file: Permission denied
[Thu Mar 07 13:52:37 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1

From /var/log/audit/audit.log :
type=AVC msg=audit(1362683505.581:86): avc: denied { search } for pid=3520 comm="httpd.worker" name="httpd" dev=dm-0 ino=141841 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=SYSCALL msg=audit(1362683505.581:86): arch=40000003 syscall=5 success=no exit=-13 a0=1842198 a1=0 a2=0 a3=b77527f8 items=0 ppid=3518 pid=3520 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)

[jrusnack@dstet /]$ rpm -qa | grep 389
389-ds-base-devel-1.2.11.15-12.el6_4.i686
389-console-1.1.7-1.el6.noarch
389-admin-1.1.32-1.el6.i386
389-ds-base-libs-1.2.11.15-12.el6_4.i686
389-ds-console-1.2.7-1.el6.noarch
389-admin-debuginfo-1.1.32-1.el6.i386
389-ds-base-1.2.11.15-12.el6_4.i686
389-ds-base-debuginfo-1.2.11.15-12.el6_4.i686
389-adminutil-devel-1.1.17-1.el6.i386
389-adminutil-1.1.17-1.el6.i386
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.17-1.el6.i386
389-admin-console-doc-1.1.8-1.el6.noarch

Expected results:
Admin server should restart from console and command line.

Additional info:
After server restart admin server can be restarted again from console, but issue persists.
This reproduces for me testing with the latest version of DS and Admin server.
Ok here are the AVC errors and the rules needed to resolve them:

type=AVC msg=audit(1363875676.580:42420): avc: denied { unlink } for pid=31502 comm="rm" name="dirsrv-admin" dev=dm-0 ino=276410 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363875676.582:42421): avc: denied { signull } for pid=31494 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363875676.592:42422): avc: denied { fowner } for pid=31517 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363875676.598:42423): avc: denied { search } for pid=31520 comm="httpd.worker" name="httpd" dev=dm-0 ino=9358 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=AVC msg=audit(1363877589.860:42459): avc: denied { search } for pid=2835 comm="httpd.worker" name="httpd" dev=dm-0 ino=133230 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1363876540.017:42431): avc: denied { signal } for pid=32129 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363876747.209:42433): avc: denied { getattr } for pid=32593 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=276469 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363876747.222:42434): avc: denied { fsetid } for pid=32606 comm="chmod" capability=4 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363876747.225:42435): avc: denied { read } for pid=32609 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877006.506:42443): avc: denied { open } for pid=532 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877181.386:42445): avc: denied { getattr } for pid=983 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877302.344:42447): avc: denied { execute } for pid=1480 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877397.534:42449): avc: denied { name_bind } for pid=1860 comm="httpd.worker" src=9830 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363877503.463:42457): avc: denied { node_bind } for pid=2464 comm="httpd.worker" src=9830 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363877706.602:42462): avc: denied { read } for pid=3149 comm="httpd.worker" name="magic" dev=dm-0 ino=151193 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1363877832.049:42465): avc: denied { open } for pid=3453 comm="httpd.worker" name="magic" dev=dm-0 ino=151193 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

allow httpd_dirsrvadmin_script_t http_port_t:tcp_socket name_bind;
allow httpd_dirsrvadmin_script_t httpd_config_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_config_t:file { read open };
allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_modules_t:file { read getattr open execute };
allow httpd_dirsrvadmin_script_t httpd_t:process { signal signull };
allow httpd_dirsrvadmin_script_t node_t:tcp_socket node_bind;
allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };

I saw the following errors on RHEL 6.2 (using SSL in AS), but my SSL tests failed to set up correctly on 6.4 so I do not know if these still apply:

type=AVC msg=audit(1363814396.380:41685): avc: denied { search } for pid=14723 comm="httpd.worker" name="httpd" dev=dm-0 ino=9358 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=AVC msg=audit(1363644161.748:3742): avc: denied { read } for pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1363644161.748:3742): avc: denied { open } for pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1363644227.597:3743): avc: denied { write } for pid=7750 comm="sec-activate" name="console.conf" dev=dm-1 ino=391937 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;

#!!!! The source type 'httpd_dirsrvadmin_script_t' can write to a 'file' of the following types:
# dirsrv_config_t, dirsrvadmin_tmp_t, dirsrv_var_lock_t, dirsrv_var_log_t, dirsrv_var_lib_t, dirsrv_var_run_t, dirsrvadmin_config_t, httpd_dirsrvadmin_rw_content_t
allow httpd_dirsrvadmin_script_t user_tmp_t:file { read write open };
Found another error:

type=AVC msg=audit(1363883452.584:42542): avc: denied { signal } for pid=4889 comm="start-ds-admin" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:dirsrvadmin_t:s0 tclass=process
type=AVC msg=audit(1363644227.597:3743): avc: denied { write } for pid=7750 comm="sec-activate" name="console.conf" dev=dm-1 ino=391937 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

What's going on here? Where is console.conf really located?
console.conf is located in /etc/dirsrv/admin-serv/. As for what's going on when the error occurs on this file, I'm not entirely sure. I think the process is simply making an update to the config file, but it could possibly be recreating the file as well.
I don't believe that we need to worry about any of the user_tmp_t failures here. Those files are mislabelled since they were created in /tmp by a developer convenience script (setupssl2.sh), then moved into /etc/dirsrv/admin-serv. If that script is used, you need to run restorecon -rv on /etc/dirsrv.

I believe that the real issues that need to be addressed in the policy are the other issues mentioned in comment#2:

allow httpd_dirsrvadmin_script_t http_port_t:tcp_socket name_bind;
allow httpd_dirsrvadmin_script_t httpd_config_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_config_t:file { read open };
allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_modules_t:file { read getattr open execute };
allow httpd_dirsrvadmin_script_t httpd_t:process { signal signull };
allow httpd_dirsrvadmin_script_t node_t:tcp_socket node_bind;
allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
[jrusnack@dstet ~]$ rpm -qa selinux-policy*
selinux-policy-targeted-3.7.19-197.el6.noarch
selinux-policy-3.7.19-197.el6.noarch
[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin:                                [  OK  ]
Starting dirsrv-admin:                                     [  OK  ]

Restart from console still fails, now with:

"URL:http://dstet.example.com:9830/admin-serv/tasks/Operation/Restart

HTTP/1.1 500 Internal Server Error"

audit.log doesn't show any SELinux issues. However:

[jrusnack@dstet ~]$ tail /var/log/dirsrv/admin-serv/error
...
[Thu Apr 04 05:34:56 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Thu Apr 04 05:34:56 2013] [crit] [client 127.0.0.1] configuration error: couldn't check access. No groups file?: /tasks/Operation/Restart
[Thu Apr 04 05:34:56 2013] [error] [client 127.0.0.1] Premature end of script headers: restartsrv
[Thu Apr 04 05:35:08 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1

Subsequent restart from console passes.
(In reply to comment #11)
> [jrusnack@dstet ~]$ rpm -qa selinux-policy*
> selinux-policy-targeted-3.7.19-197.el6.noarch
> selinux-policy-3.7.19-197.el6.noarch
> [jrusnack@dstet ~]$ sudo service dirsrv-admin restart
> Shutting down dirsrv-admin:                                [  OK  ]
> Starting dirsrv-admin:                                     [  OK  ]
> Restart from console still fails, now with:
>
> "URL:http://dstet.example.com:9830/admin-serv/tasks/Operation/Restart
>
> HTTP/1.1 500 Internal Server Error"
>

Does this error still happen in permissive mode? If so, this should be dealt with as a separate Admin Server bug (not SELinux).

If everything works fine in permissive mode, then it's possible that a dontaudit rule is causing a silent deny. You can disable dontaudit rules by running the following command as root:

semodule -DB

To re-enable dontaudit rules after testing run this:

semodule -B
Ok I was able to resolve the error:

"configuration error: couldn't check access. No groups file?: /tasks/Operation/Restart"

In /etc/dirsrv/admin-serv/httpd.conf add:

LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule authz_default_module /usr/lib64/httpd/modules/mod_authz_default.so

Now, I still get the server error 500, and in the error log I still see:

"Premature end of script headers: restartsrv"

Still investigating...
Ok, there are still selinux errors. I see errors trying to "restart" and "stop" admin server from the console. I also noticed that while the server was running there were selinux errors around "statusping". If I disable selinux the server restarts/stops from the console, otherwise I see these errors:

"stop"

type=AVC msg=audit(1365170859.413:46887): avc: denied { read write } for pid=1510 comm="stopsrv" path="socket:[211889]" dev=sockfs ino=211889 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc: denied { read write } for pid=1510 comm="stopsrv" path="socket:[211889]" dev=sockfs ino=211889 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc: denied { read write } for pid=1510 comm="stopsrv" path="socket:[211835]" dev=sockfs ino=211835 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc: denied { rlimitinh } for pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170859.413:46887): avc: denied { siginh } for pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170859.413:46887): avc: denied { noatsecure } for pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170865.586:46888): avc: denied { getattr } for pid=1533 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365170865.586:46889): avc: denied { unlink } for pid=1533 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

"restart"

type=AVC msg=audit(1365170740.528:46885): avc: denied { read write } for pid=1500 comm="restartsrv" path="socket:[211837]" dev=sockfs ino=211837 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc: denied { read write } for pid=1500 comm="restartsrv" path="socket:[211837]" dev=sockfs ino=211837 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc: denied { read write } for pid=1500 comm="restartsrv" path="socket:[211835]" dev=sockfs ino=211835 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc: denied { rlimitinh } for pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170740.528:46885): avc: denied { siginh } for pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170740.528:46885): avc: denied { noatsecure } for pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process

"Random httpd errors"

type=AVC msg=audit(1365170711.737:46883): avc: denied { rlimitinh } for pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.737:46883): avc: denied { siginh } for pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.737:46883): avc: denied { noatsecure } for pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.759:46884): avc: denied { read } for pid=1395 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

"statusping errors while the process is running"

type=AVC msg=audit(1365170518.491:46852): avc: denied { rlimitinh } for pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170518.491:46852): avc: denied { siginh } for pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170518.491:46852): avc: denied { noatsecure } for pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
Here are the restart errors (permissive mode) running selinux-3.7.19-197:

type=AVC msg=audit(1365181161.020:47038): avc: denied { read write } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.020:47038): avc: denied { rlimitinh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc: denied { siginh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc: denied { noatsecure } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.071:47039): avc: denied { getattr } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.071:47040): avc: denied { read } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.073:47041): avc: denied { write } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.096:47042): avc: denied { ioctl } for pid=3107 comm="sh" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181172.169:47043): avc: denied { getattr } for pid=3148 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365181172.170:47044): avc: denied { unlink } for pid=3148 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365181172.180:47045): avc: denied { read } for pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365181172.180:47045): avc: denied { open } for pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365181172.198:47046): avc: denied { execute } for pid=3161 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=165457 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file

audit2allow:

allow httpd_dirsrvadmin_script_t httpd_modules_t:file execute;
allow httpd_dirsrvadmin_script_t httpd_t:unix_stream_socket { read write getattr ioctl };
allow httpd_dirsrvadmin_script_t security_t:file { read open };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_dirsrvadmin_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t security_t:file read;
allow httpd_t security_t:file open;

With these rules added I no longer see any errors, and the server restarts cleanly from the console and the command line.
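As an added example (not code from this bug, the 389 project or audit2allow itself), the script below reproduces the aggregation step that audit2allow performs on the denials quoted in comment#2 and in the restart errors above: it merges AVC lines into allow rules keyed by source type, target type and object class, writes `self` when source and target match, flags targets such as user_tmp_t that the thread attributes to mislabelled files (where the fix is restorecon rather than policy), and emits a local .te module skeleton. The sample AVC lines are constructed from the ones quoted in this thread; the module name and the RELABEL_NOT_ALLOW set are assumptions.

```python
"""Turn SELinux AVC denials into candidate allow rules and a local .te module.

Added example: it reproduces the aggregation audit2allow performs on the
denials quoted in this bug; it is not the project's or audit2allow's code.
"""
import re
from collections import OrderedDict

# Constructed sample: AVC lines in the form quoted in the bug's audit.log excerpts.
SAMPLE_AVCS = """\
type=AVC msg=audit(1365181161.020:47038): avc: denied { read write } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.020:47038): avc: denied { rlimitinh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc: denied { siginh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc: denied { noatsecure } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.071:47039): avc: denied { getattr } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.096:47042): avc: denied { ioctl } for pid=3107 comm="sh" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1363875676.592:42422): avc: denied { fowner } for pid=31517 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363876747.222:42434): avc: denied { fsetid } for pid=32606 comm="chmod" capability=4 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363644161.748:3742): avc: denied { read } for pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1363644161.748:3742): avc: denied { open } for pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types the thread attributes to mislabelled files (created in /tmp, then
# moved into /etc/dirsrv): the fix is restorecon, not an allow rule.
# Assumption: extend this set for your own environment.
RELABEL_NOT_ALLOW = {"user_tmp_t"}


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge denials into {(stype, ttype, tclass): perms}, first-seen order."""
    rules = OrderedDict()
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def allow_rules(text):
    """Render rules the way audit2allow prints them; 'self' when source == target."""
    out = []
    for (stype, ttype, tclass), perms in aggregate(text).items():
        target = "self" if stype == ttype else ttype
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out


def relabel_candidates(text):
    """Rules whose target type points at mislabelled files rather than missing policy."""
    return [rule for (_, ttype, _), rule in zip(aggregate(text), allow_rules(text))
            if ttype in RELABEL_NOT_ALLOW]


def policy_module(text, name):
    """Build .te source for a local module, in the layout audit2allow -M produces."""
    rules = aggregate(text)
    types = sorted({t for key in rules for t in key[:2]})
    classes = OrderedDict()
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    lines += ["}", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for rule in relabel_candidates(SAMPLE_AVCS):
        print("# relabel with restorecon instead of allowing:", rule)
    # Build and load the module with the standard toolchain:
    #   checkmodule -M -m -o local.mod local.te
    #   semodule_package -o local.pp -m local.mod
    #   semodule -i local.pp
    print(policy_module(SAMPLE_AVCS, "dirsrvadmin_local"))
```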
(In reply to comment #15)
> Here are the restart errors(permissive mode) running selinux-3.7.19-197
>
> type=AVC msg=audit(1365181161.020:47038): avc: denied { read write } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.020:47038): avc: denied { rlimitinh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.020:47038): avc: denied { siginh } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.020:47038): avc: denied { noatsecure } for pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.071:47039): avc: denied { getattr } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.071:47040): avc: denied { read } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.073:47041): avc: denied { write } for pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.096:47042): avc: denied { ioctl } for pid=3107 comm="sh" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181172.169:47043): avc: denied { getattr } for pid=3148 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1365181172.170:47044): avc: denied { unlink } for pid=3148 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1365181172.180:47045): avc: denied { read } for pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1365181172.180:47045): avc: denied { open } for pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1365181172.198:47046): avc: denied { execute } for pid=3161 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=165457 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
>

Forgot to add these errors:

type=AVC msg=audit(1365193110.972:47211): avc: denied { rlimitinh } for pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193110.972:47211): avc: denied { siginh } for pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193110.972:47211): avc: denied { noatsecure } for pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193111.358:47212): avc: denied { read } for pid=4055 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365193260.515:47225): avc: denied { open } for pid=4486 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

>
> audit2allow:
>
> allow httpd_dirsrvadmin_script_t httpd_modules_t:file execute;
> allow httpd_dirsrvadmin_script_t httpd_t:unix_stream_socket { read write getattr ioctl };
> allow httpd_dirsrvadmin_script_t security_t:file { read open };
> allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
> allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };
> allow httpd_t httpd_dirsrvadmin_script_t:process { siginh rlimitinh noatsecure };
> allow httpd_t security_t:file read;
> allow httpd_t security_t:file open;
>
> With these rules added I no longer see any errors, and the server restarts
> cleaning from the console and the command line.
New test builds: https://brewweb.devel.redhat.com/taskinfo?taskID=5650563
With new policy, I am able to restart admin server from console, when SSL is not enabled. No selinux related messages in logs either with enforcing or permissive mode. This is admin server logfile:

[jrusnack@dstet ~]$ tail -n 15 /var/log/dirsrv/admin-serv/error
[Wed Apr 17 05:10:19 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:10:19 2013] [crit] [client 127.0.0.1] configuration error: couldn't check access. No groups file?: /tasks/Operation/Restart
[Wed Apr 17 05:10:23 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:25 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:27 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:29 2013] [error] child process 3694 still did not exit, sending a SIGKILL
[Wed Apr 17 05:10:30 2013] [notice] caught SIGTERM, shutting down
[Wed Apr 17 05:10:30 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
[Wed Apr 17 05:10:31 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:10:31 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:10:32 2013] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Wed Apr 17 05:10:32 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:10:32 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:10:33 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:10:33 2013] [crit] [client 127.0.0.1] configuration error: couldn't check access. No groups file?: /tasks/Operation/Restart

Restart from console is successful and without any errors.

When SSL is enabled, I am not able to restart admin server:

"The Administration Server cannot be restarted remotely from Console. The server can be restarted only locally from command shell by running restart-admin command."

This is already mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=887394#c4

When I try to restart admin server from console with SSL enabled, it succeeds but I see following errors:

[jrusnack@dstet ~]$ tail -n 15 /var/log/dirsrv/admin-serv/error
[Wed Apr 17 05:17:34 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Apr 17 05:17:35 2013] [warn] NSSProtocol: Unknown protocol '"sslv2' not supported
[Wed Apr 17 05:17:35 2013] [warn] NSSProtocol: Unknown protocol 'tlsv1"' not supported
[Wed Apr 17 05:17:35 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:17:35 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:17:36 2013] [notice] Apache/2.2.15 (Unix) mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC configured -- resuming normal operations
[Wed Apr 17 05:17:36 2013] [warn] NSSProtocol: Unknown protocol '"sslv2' not supported
[Wed Apr 17 05:17:36 2013] [warn] NSSProtocol: Unknown protocol 'tlsv1"' not supported
[Wed Apr 17 05:17:36 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:17:36 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.122.187
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_host_ip_check: host [dstet] did not match pattern [*.example.com] -will scan aliases
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Apr 17 05:17:55 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:17:55 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1

[jrusnack@dstet ~]$ rpm -qa | grep 389
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.11.15-14.el6_4.i686
389-adminutil-1.1.17-1.el6.i386
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.17-1.el6.i386
389-admin-1.1.33-1.el6.i386
389-ds-console-1.2.7-1.el6.noarch
389-ds-console-doc-1.2.7-1.el6.noarch
389-admin-debuginfo-1.1.33-1.el6.i386
389-ds-base-libs-1.2.11.15-14.el6_4.i686
389-admin-console-doc-1.1.8-1.el6.noarch

[jrusnack@dstet ~]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-198.el6.noarch
selinux-policy-3.7.19-198.el6.noarch
I believe that the issues in comment #9 are unrelated. Let's discuss those outside of this bug.

Do you see any AVC messages when you restart Admin Server from the command line? If not, I think we can say that Miroslav's test build works for us. Do you agree?
I tested the new libraries, and the admin server does restart, but I am still seeing SELinux errors:

type=AVC msg=audit(1366211395.127:62095): avc: denied { rlimitinh } for pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc: denied { siginh } for pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc: denied { noatsecure } for pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.152:62096): avc: denied { read } for pid=24353 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.118:62105): avc: denied { getattr } for pid=24497 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.119:62106): avc: denied { unlink } for pid=24497 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.142:62108): avc: denied { read } for pid=24506 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.191:62109): avc: denied { read } for pid=24510 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211478.173:62110): avc: denied { write } for pid=24602 comm="touch" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

#============= dirsrvadmin_t ==============
allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };

#============= httpd_dirsrvadmin_script_t ==============
allow httpd_dirsrvadmin_script_t security_t:file read;
allow httpd_dirsrvadmin_script_t var_lock_t:file { write getattr unlink };

#============= httpd_t ==============
allow httpd_t security_t:file read;

Since there are still known SSL issues on RHEL 6.4, I have not tested SSL yet.
(In reply to comment #20)
> I believe that the issues in comment#9 are unrelated. Let's discuss those
> outside of this bug.

Sure.

> 
> Do you see any AVC messages when you restart Admin Server from the
> command-line? If not, I think we can say that Miroslav's test build works
> for us. Do you agree?

Scratch what I said, I see the AVC messages that Mark lists, too.
/var/lock/subsys/dirsrv-admin is the problem; the other AVCs should be dontaudited.

rm -f /var/lock/subsys/dirsrv-admin

Then try to start it. Does it work?

What is the label of the file now?

ls -lZ /var/lock/subsys/dirsrv-admin
(In reply to comment #23)
> /var/lock/subsys/dirsrv-admin is the problem, the other AVC's should be
> dontaudited

You are correct. These other AVCs do not show up if dontaudit rules are enabled. We can ignore these.

> 
> rm -f /var/lock/subsys/dirsrv-admin
> 
> Then try to start it. Does it work?
> 
> What is the label of the file now?
> 
> ls -lZ /var/lock/subsys/dirsrv-admin

If I run 'service dirsrv-admin start', the /var/lock/subsys/dirsrv-admin file is created with a label of var_lock_t. If I then attempt to restart the Admin Server via Console, the restart CGI (running as httpd_dirsrvadmin_script_t) encounters the same AVCs that Mark and Ján see when it tries to remove the old lock file and create a new one:

---------------------------------------------------------------
type=AVC msg=audit(1366211476.118:62105): avc: denied { getattr } for pid=24497 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.119:62106): avc: denied { unlink } for pid=24497 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211478.173:62110): avc: denied { write } for pid=24602 comm="touch" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
---------------------------------------------------------------
e3d60e3c2024d16ee86313d9d03816ed0e39dac4 fixes the label on this file in git. I think the problem is that the lock file is named differently than the file context.
But I added the correct labeling for RHEL6 to the test build.

# matchpathcon /var/lock/subsys/dirsrv-admin
/var/lock/subsys/dirsrv-admin	system_u:object_r:dirsrv_var_lock_t:s0

How is this lock file created? It looks like we will need to run restorecon on it.
(In reply to comment #26)
> But I added the correct labeling for RHEL6 to the test build.
> 
> # matchpathcon /var/lock/subsys/dirsrv-admin
> /var/lock/subsys/dirsrv-admin system_u:object_r:dirsrv_var_lock_t:s0
> 
> 
> How is this lock file created? It looks like we will need to run restorecon
> on it.

When you start Admin Server from the command line, our init script (/etc/init.d/dirsrv-admin) creates the file by doing this:

touch /var/lock/subsys/dirsrv-admin

If I make our init script do a restorecon immediately after creating the lockfile, it gets relabeled as dirsrv_var_lock_t. I am then able to restart Admin Server from Console successfully without any AVC messages using your test build. It sounds like this is the recommended approach, so I will file a separate bug so we can address this in the 389-admin package.
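As an added example (not code from this bug, 389-admin or selinux-policy), the following Python folds AVC lines like the ones quoted above into audit2allow-style rules and then checks each denied path against the label matchpathcon reports, which separates "missing allow rule" from "mislabeled file, run restorecon". The SAMPLE lines and the EXPECTED map are copied from this bug; the function names are my own.

```python
"""Added example: audit2allow-style rule folding plus a mislabel check for AVC lines."""
import re
from collections import defaultdict

# Constructed sample: AVC lines as quoted in this bug (whitespace-joined).
SAMPLE = [
    'type=AVC msg=audit(1366211395.152:62096): avc: denied { read } for pid=24353 '
    'comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=file',
    'type=AVC msg=audit(1366211476.119:62106): avc: denied { unlink } for pid=24497 comm="rm" '
    'name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 '
    'tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file',
    'type=AVC msg=audit(1366211478.173:62110): avc: denied { write } for pid=24602 comm="touch" '
    'name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 '
    'tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file',
]
# Expected label, taken from the matchpathcon output quoted in this bug.
EXPECTED = {"/var/lock/subsys/dirsrv-admin": "dirsrv_var_lock_t"}


def parse_avc(line):
    """Return perms, source/target types, class and object of one denial, or None."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))  # key=value tokens
    return {"perms": set(m.group(1).split()), "tclass": kv["tclass"],
            "obj": (kv.get("path") or kv.get("name") or "").strip('"'),
            "stype": kv["scontext"].split(":")[2], "ttype": kv["tcontext"].split(":")[2]}


def audit2allow_rules(lines):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {s} {t}:{c} {p};")
    return out


def mislabeled(lines, expected):
    """Denials on a path whose actual type is not the expected one: fix with restorecon."""
    hits = set()
    for d in filter(None, map(parse_avc, lines)):
        for path, want in expected.items():
            if d["obj"] and path.endswith(d["obj"]) and d["ttype"] != want:
                hits.add((path, d["ttype"], want))
    return sorted(hits)
```

Rules that mislabeled() reports should not be added to policy; relabel the file instead, as the init-script restorecon in this bug does.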
I performed some additional testing, and the test selinux-policy package is working correctly for me with no AVCs. I would like to get this fixed in 6.4.z, so we will need to get PM and QE approval to continue.
Yes, the restorecon is needed in this case.
Fixed in selinux-policy-3.7.19-198.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html