Bug 919192 - Admin server restart from console denied by SELinux
Summary: Admin server restart from console denied by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 953600 955703
 
Reported: 2013-03-07 19:48 UTC by Ján Rusnačko
Modified: 2013-11-21 10:19 UTC (History)

Fixed In Version: selinux-policy-3.7.19-198.el6
Doc Type: Bug Fix
Doc Text:
Due to an incorrect label on the /var/lock/subsys/dirsrv-admin file, attempts to restart the Administration server from the console or from the command line failed and AVC denial messages were returned. This update adds the proper default security context for the /var/lock/subsys/dirsrv-admin file, and denial messages are no longer returned in the described scenario.
Clone Of:
Clones: 953600
Environment:
Last Closed: 2013-11-21 10:19:22 UTC
Target Upstream Version:
Embargoed:




Links:
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Ján Rusnačko 2013-03-07 19:48:55 UTC
Description of problem:
Admin server cannot be restarted from console and subsequent restarts from command line are also unsuccessful.

Version-Release number of selected component (if applicable):
RHEL 6.4 i386 with RHDS 9.1

How reproducible:
always


Steps to Reproduce:
1) Try restarting from console (should succeed):

[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin:
                                                            [  OK  ]
Starting dirsrv-admin:
                                                            [  OK  ]
(restart from command line OK)


2) Restart from console, this error message appears:

   Status: Failure
   Can not open pidlog file
   text/html

   Admin server should restart on user request.


3) Now try to restart again from command line:

[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin:
Starting dirsrv-admin:
(98)Address already in use: make_sock: could not bind to address
0.0.0.0:9830
no listening sockets available, shutting down
Unable to open logs
Server failed to start !!! Please check errors log for problems
                                                            [FAILED]
From /var/log/dirsrv/admin-serv/error:

[Thu Mar 07 13:52:23 2013] [notice] [client 127.0.0.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Thu Mar 07 13:52:23 2013] [crit] [client 127.0.0.1] configuration
error:  couldn't check access.  No groups file?: /tasks/Operation/Restart
rm: cannot remove `/var/lock/subsys/dirsrv-admin': Permission denied
httpd.worker: Syntax error on line 120 of
/etc/dirsrv/admin-serv/httpd.conf: Cannot load
/usr/lib/httpd/modules/mod_authz_host.so into server:
/usr/lib/httpd/modules/mod_authz_host.so: cannot open shared object
file: Permission denied
[Thu Mar 07 13:52:37 2013] [notice] [client 127.0.0.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1

From /var/log/audit/audit.log :

type=AVC msg=audit(1362683505.581:86): avc:  denied  { search } for  pid=3520 comm="httpd.worker" name="httpd" dev=dm-0 ino=141841 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=SYSCALL msg=audit(1362683505.581:86): arch=40000003 syscall=5 success=no exit=-13 a0=1842198 a1=0 a2=0 a3=b77527f8 items=0 ppid=3518 pid=3520 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)

[jrusnack@dstet /]$ rpm -qa | grep 389
389-ds-base-devel-1.2.11.15-12.el6_4.i686
389-console-1.1.7-1.el6.noarch
389-admin-1.1.32-1.el6.i386
389-ds-base-libs-1.2.11.15-12.el6_4.i686
389-ds-console-1.2.7-1.el6.noarch
389-admin-debuginfo-1.1.32-1.el6.i386
389-ds-base-1.2.11.15-12.el6_4.i686
389-ds-base-debuginfo-1.2.11.15-12.el6_4.i686
389-adminutil-devel-1.1.17-1.el6.i386
389-adminutil-1.1.17-1.el6.i386
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.17-1.el6.i386
389-admin-console-doc-1.1.8-1.el6.noarch


Expected results:
Admin server should restart from console and command line. 

Additional info:
After server restart admin server can be restarted again from console, but issue persists.

Comment 1 mreynolds 2013-03-18 19:54:09 UTC
This reproduces for me testing with the latest version of DS and Admin server.

Comment 2 mreynolds 2013-03-21 15:12:53 UTC
Ok here are the AVC errors and the rules needed to resolve them:

type=AVC msg=audit(1363875676.580:42420): avc:  denied  { unlink } for  pid=31502 comm="rm" name="dirsrv-admin" dev=dm-0 ino=276410 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363875676.582:42421): avc:  denied  { signull } for  pid=31494 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363875676.592:42422): avc:  denied  { fowner } for  pid=31517 comm="chmod" capability=3  scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363875676.598:42423): avc:  denied  { search } for  pid=31520 comm="httpd.worker" name="httpd" dev=dm-0 ino=9358 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=AVC msg=audit(1363877589.860:42459): avc:  denied  { search } for  pid=2835 comm="httpd.worker" name="httpd" dev=dm-0 ino=133230 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1363876540.017:42431): avc:  denied  { signal } for  pid=32129 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363876747.209:42433): avc:  denied  { getattr } for  pid=32593 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=276469 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363876747.222:42434): avc:  denied  { fsetid } for  pid=32606 comm="chmod" capability=4  scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(1363876747.225:42435): avc:  denied  { read } for  pid=32609 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877006.506:42443): avc:  denied  { open } for  pid=532 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877181.386:42445): avc:  denied  { getattr } for  pid=983 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877302.344:42447): avc:  denied  { execute } for  pid=1480 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877397.534:42449): avc:  denied  { name_bind } for  pid=1860 comm="httpd.worker" src=9830 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363877503.463:42457): avc:  denied  { node_bind } for  pid=2464 comm="httpd.worker" src=9830 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1363877706.602:42462): avc:  denied  { read } for  pid=3149 comm="httpd.worker" name="magic" dev=dm-0 ino=151193 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
type=AVC msg=audit(1363877832.049:42465): avc:  denied  { open } for  pid=3453 comm="httpd.worker" name="magic" dev=dm-0 ino=151193 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

allow httpd_dirsrvadmin_script_t http_port_t:tcp_socket name_bind;
allow httpd_dirsrvadmin_script_t httpd_config_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_config_t:file { read open };
allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_modules_t:file { read getattr open execute };
allow httpd_dirsrvadmin_script_t httpd_t:process { signal signull };
allow httpd_dirsrvadmin_script_t node_t:tcp_socket node_bind;
allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };



I saw the following errors on RHEL 6.2 (using SSL in AS), but my SSL tests failed to setup correctly on 6.4 so I do not know if these still apply

type=AVC msg=audit(1363814396.380:41685): avc:  denied  { search } for  pid=14723 comm="httpd.worker" name="httpd" dev=dm-0 ino=9358 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=AVC msg=audit(1363644161.748:3742): avc:  denied  { read } for  pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1363644161.748:3742): avc:  denied  { open } for  pid=7656 comm="config" name="adm.conf" dev=dm-1 ino=391938 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1363644227.597:3743): avc:  denied  { write } for  pid=7750 comm="sec-activate" name="console.conf" dev=dm-1 ino=391937 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file


allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;
#!!!! The source type 'httpd_dirsrvadmin_script_t' can write to a 'file' of the following types:
# dirsrv_config_t, dirsrvadmin_tmp_t, dirsrv_var_lock_t, dirsrv_var_log_t, dirsrv_var_lib_t, dirsrv_var_run_t, dirsrvadmin_config_t, httpd_dirsrvadmin_rw_content_t

allow httpd_dirsrvadmin_script_t user_tmp_t:file { read write open };

Comment 3 mreynolds 2013-03-21 16:34:58 UTC
Found another error:

type=AVC msg=audit(1363883452.584:42542): avc:  denied  { signal } for  pid=4889 comm="start-ds-admin" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:dirsrvadmin_t:s0 tclass=process

Comment 7 Miroslav Grepl 2013-04-02 13:26:09 UTC
type=AVC msg=audit(1363644227.597:3743): avc:  denied  { write } for  pid=7750 comm="sec-activate" name="console.conf" dev=dm-1 ino=391937 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

what's going on here? Where is console.conf really located?

Comment 8 mreynolds 2013-04-02 14:16:30 UTC
console.conf is located in /etc/dirsv/admin-serv/  

As for what's going on when the error occurs on this file, I'm not entirely sure.  I think the process is simply making an update to the config file, but it could possibly be recreating the file as well.

Comment 9 Nathan Kinder 2013-04-02 15:37:21 UTC
I don't believe that we need to worry about any of the user_tmp_t failures here.  Those files are mislabelled since they were created in /tmp by a developer convenience script (setupssl2.sh), then moved into /etc/dirsrv/admin-serv.  If that script is used, you need to run restorecon -rv on /etc/dirsrv.

I believe that the real issues that need to be addressed in the policy are the other issues mentioned in comment#2:

allow httpd_dirsrvadmin_script_t http_port_t:tcp_socket name_bind;
allow httpd_dirsrvadmin_script_t httpd_config_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_config_t:file { read open };
allow httpd_dirsrvadmin_script_t httpd_modules_t:dir search;
allow httpd_dirsrvadmin_script_t httpd_modules_t:file { read getattr open execute };
allow httpd_dirsrvadmin_script_t httpd_t:process { signal signull };
allow httpd_dirsrvadmin_script_t node_t:tcp_socket node_bind;
allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
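The rules in comment 2 and comment 9 are what audit2allow produces from the AVC records above, and comment 9 makes the point that not every denial should become an allow rule: the user_tmp_t denials were a labelling problem, and the eventual fix for the var_lock_t denials was likewise a default file context for /var/lock/subsys/dirsrv-admin rather than a new rule (see the Doc Text). The following Python is an added example, not code from this bug or from the selinux-policy or 389-ds projects: it parses a constructed subset of the comment 2 records, merges permissions per (source type, target type, class) the way audit2allow does, and separates out denials whose target is a generic type so they can be checked for mislabelling first. The set of generic types to triage is an assumption taken from this bug's discussion.

```python
"""Derive candidate allow rules from AVC denials, flagging likely mislabels.

Added example for the discussion in comments 2 and 9; not code from this bug
report or from the selinux-policy / 389-ds projects.
"""
import re

# Constructed sample: a subset of the AVC records quoted in comment 2, plus
# one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363875676.580:42420): avc:  denied  { unlink } for  pid=31502 comm="rm" name="dirsrv-admin" dev=dm-0 ino=276410 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363876747.209:42433): avc:  denied  { getattr } for  pid=32593 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=276469 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1363876747.225:42435): avc:  denied  { read } for  pid=32609 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363877006.506:42443): avc:  denied  { open } for  pid=532 comm="httpd.worker" name="mod_authz_host.so" dev=dm-0 ino=28257 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
type=AVC msg=audit(1363876540.017:42431): avc:  denied  { signal } for  pid=32129 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363875676.582:42421): avc:  denied  { signull } for  pid=31494 comm="dirsrv-admin" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1363875676.592:42422): avc:  denied  { fowner } for  pid=31517 comm="chmod" capability=3  scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1363875676.592:42422): arch=40000003 syscall=15 success=no exit=-1
"""

# Assumption drawn from this bug: denials against these generic object types
# were caused by files carrying the wrong label (user_tmp_t per comment 9,
# var_lock_t per the final fix), so they are triaged as relabel candidates
# instead of being turned into allow rules.
GENERIC_TARGET_TYPES = {"var_lock_t", "user_tmp_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJECT_RE = re.compile(r'(?:path|name)="([^"]+)"')


def parse_avc(text):
    """Return one dict per AVC denial record; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        # A context is user:role:type[:range]; the policy rules only need the type.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        obj = OBJECT_RE.search(line)
        rec["object"] = obj.group(1) if obj else None
        records.append(rec)
    return records


def generate_rules(records, relabel_types=frozenset(GENERIC_TARGET_TYPES)):
    """Merge denials into allow rules; return (rule_lines, relabel_candidates).

    A denial whose target type is in relabel_types is not converted into a rule:
    it is returned as (object, target type, source type) so the object's label
    can be checked first (for example with `restorecon -nv <path>`).
    """
    merged = {}
    relabel = []
    for r in records:
        target = "self" if r["stype"] == r["ttype"] else r["ttype"]
        if target != "self" and r["ttype"] in relabel_types:
            relabel.append((r["object"], r["ttype"], r["stype"]))
            continue
        perms = merged.setdefault((r["stype"], target, r["tclass"]), [])
        for p in r["perms"]:
            if p not in perms:
                perms.append(p)
    lines = []
    for (stype, target, tclass), perms in merged.items():
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {stype} {target}:{tclass} {body};")
    return lines, relabel


if __name__ == "__main__":
    rules, relabel = generate_rules(parse_avc(SAMPLE_AUDIT_LOG))
    print("candidate allow rules:")
    for rule in rules:
        print("  " + rule)
    print("check labels before adding any rule for these:")
    for obj, ttype, stype in relabel:
        print(f"  {obj}: labelled {ttype}, accessed by {stype}")
```

Run against a real audit.log the script only reports; it never loads policy, so the output is a review list, not a module to install blindly.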

Comment 11 Ján Rusnačko 2013-04-04 09:37:58 UTC
[jrusnack@dstet ~]$ rpm -qa selinux-policy*
selinux-policy-targeted-3.7.19-197.el6.noarch
selinux-policy-3.7.19-197.el6.noarch
[jrusnack@dstet ~]$ sudo service dirsrv-admin restart
Shutting down dirsrv-admin: 
                                                           [  OK  ]
Starting dirsrv-admin: 
                                                           [  OK  ]
Restart from console still fails, now with:

"URL:http://dstet.example.com:9830/admin-serv/tasks/Operation/Restart

HTTP/1.1 500 Internal Server Error"

audit.log doesn't show any SELinux issues. However

[jrusnack@dstet ~]$ tail /var/log/dirsrv/admin-serv/error 
...
[Thu Apr 04 05:34:56 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Thu Apr 04 05:34:56 2013] [crit] [client 127.0.0.1] configuration error:  couldn't check access.  No groups file?: /tasks/Operation/Restart
[Thu Apr 04 05:34:56 2013] [error] [client 127.0.0.1] Premature end of script headers: restartsrv
[Thu Apr 04 05:35:08 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1


Subsequent restart from console passes.

Comment 12 Nathan Kinder 2013-04-04 15:41:48 UTC
(In reply to comment #11)
> [jrusnack@dstet ~]$ rpm -qa selinux-policy*
> selinux-policy-targeted-3.7.19-197.el6.noarch
> selinux-policy-3.7.19-197.el6.noarch
> [jrusnack@dstet ~]$ sudo service dirsrv-admin restart
> Shutting down dirsrv-admin: 
>                                                            [  OK  ]
> Starting dirsrv-admin: 
>                                                            [  OK  ]
> Restart from console still fails, now with:
> 
> "URL:http://dstet.example.com:9830/admin-serv/tasks/Operation/Restart
> 
> HTTP/1.1 500 Internal Server Error"
> 

Does this error still happen in permissive mode?  If so, this should be dealt with as a separate Admin Server bug (not SELinux).  If everything works fine in permissive mode, then it's possible that a dontaudit rule is causing a silent deny.  You can disable dontaudit rules by running the following command as root:

    semodule -DB

To re-enable dontaudit rules after testing run this:

    semodule -B

Comment 13 mreynolds 2013-04-05 13:38:08 UTC
Ok I was able to resolve the error:

"configuration error:  couldn't check access.  No groups file?: /tasks/Operation/Restart"

In /etc/dirsrv/admin-serv/httpd.conf add:

LoadModule authz_user_module /usr/lib64/httpd/modules/mod_authz_user.so
LoadModule authz_default_module /usr/lib64/httpd/modules/mod_authz_default.so


Now, I still get the server error 500, and in the error log I still see:

"Premature end of script headers: restartsrv"

Still investigating...

Comment 14 mreynolds 2013-04-05 14:21:24 UTC
Ok, there are still selinux errors.  I see errors trying to "restart" and "stop" admin server from the console.  I also noticed that while the server was running there were selinux errors around "statusping".

If I disable selinux the server restarts/stops from the console, otherwise I see these errors:


"stop"
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { read write } for  pid=1510 comm="stopsrv" path="socket:[211889]" dev=sockfs ino=211889 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { read write } for  pid=1510 comm="stopsrv" path="socket:[211889]" dev=sockfs ino=211889 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { read write } for  pid=1510 comm="stopsrv" path="socket:[211835]" dev=sockfs ino=211835 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { rlimitinh } for  pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { siginh } for  pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170859.413:46887): avc:  denied  { noatsecure } for  pid=1510 comm="stopsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170865.586:46888): avc:  denied  { getattr } for  pid=1533 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365170865.586:46889): avc:  denied  { unlink } for  pid=1533 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file

"restart"
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { read write } for  pid=1500 comm="restartsrv" path="socket:[211837]" dev=sockfs ino=211837 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { read write } for  pid=1500 comm="restartsrv" path="socket:[211837]" dev=sockfs ino=211837 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { read write } for  pid=1500 comm="restartsrv" path="socket:[211835]" dev=sockfs ino=211835 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { rlimitinh } for  pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { siginh } for  pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170740.528:46885): avc:  denied  { noatsecure } for  pid=1500 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process

"Random httpd errors"
type=AVC msg=audit(1365170711.737:46883): avc:  denied  { rlimitinh } for  pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.737:46883): avc:  denied  { siginh } for  pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.737:46883): avc:  denied  { noatsecure } for  pid=1395 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365170711.759:46884): avc:  denied  { read } for  pid=1395 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

"statusping errors while the process is running"
type=AVC msg=audit(1365170518.491:46852): avc:  denied  { rlimitinh } for  pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170518.491:46852): avc:  denied  { siginh } for  pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365170518.491:46852): avc:  denied  { noatsecure } for  pid=413 comm="statusping" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process

Comment 15 mreynolds 2013-04-05 20:27:14 UTC
Here are the restart errors (permissive mode) running selinux-3.7.19-197

type=AVC msg=audit(1365181161.020:47038): avc:  denied  { read write } for  pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.020:47038): avc:  denied  { rlimitinh } for  pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc:  denied  { siginh } for  pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.020:47038): avc:  denied  { noatsecure } for  pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
type=AVC msg=audit(1365181161.071:47039): avc:  denied  { getattr } for  pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.071:47040): avc:  denied  { read } for  pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.073:47041): avc:  denied  { write } for  pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181161.096:47042): avc:  denied  { ioctl } for  pid=3107 comm="sh" path="socket:[217931]" dev=sockfs ino=217931 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1365181172.169:47043): avc:  denied  { getattr } for  pid=3148 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365181172.170:47044): avc:  denied  { unlink } for  pid=3148 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1365181172.180:47045): avc:  denied  { read } for  pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365181172.180:47045): avc:  denied  { open } for  pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365181172.198:47046): avc:  denied  { execute } for  pid=3161 comm="httpd.worker" path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=165457 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file


audit2allow:

allow httpd_dirsrvadmin_script_t httpd_modules_t:file execute;
allow httpd_dirsrvadmin_script_t httpd_t:unix_stream_socket { read write getattr ioctl };
allow httpd_dirsrvadmin_script_t security_t:file { read open };
allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };
allow httpd_t httpd_dirsrvadmin_script_t:process { siginh rlimitinh noatsecure };
allow httpd_t security_t:file read;
allow httpd_t security_t:file open;

With these rules added I no longer see any errors, and the server restarts cleanly from the console and the command line.

Comment 16 mreynolds 2013-04-05 20:29:59 UTC
(In reply to comment #15)
> Here are the restart errors(permissive mode) running selinux-3.7.19-197
> 
> type=AVC msg=audit(1365181161.020:47038): avc:  denied  { read write } for 
> pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.020:47038): avc:  denied  { rlimitinh } for 
> pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.020:47038): avc:  denied  { siginh } for 
> pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.020:47038): avc:  denied  { noatsecure } for 
> pid=3104 comm="restartsrv" scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tclass=process
> type=AVC msg=audit(1365181161.071:47039): avc:  denied  { getattr } for 
> pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.071:47040): avc:  denied  { read } for 
> pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.073:47041): avc:  denied  { write } for 
> pid=3104 comm="restartsrv" path="socket:[217931]" dev=sockfs ino=217931
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181161.096:47042): avc:  denied  { ioctl } for 
> pid=3107 comm="sh" path="socket:[217931]" dev=sockfs ino=217931
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1365181172.169:47043): avc:  denied  { getattr } for 
> pid=3148 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1365181172.170:47044): avc:  denied  { unlink } for 
> pid=3148 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
> type=AVC msg=audit(1365181172.180:47045): avc:  denied  { read } for 
> pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1365181172.180:47045): avc:  denied  { open } for 
> pid=3154 comm="ls" name="mls" dev=selinuxfs ino=12
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=AVC msg=audit(1365181172.198:47046): avc:  denied  { execute } for 
> pid=3161 comm="httpd.worker"
> path="/usr/lib64/httpd/modules/mod_authz_host.so" dev=dm-0 ino=165457
> scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
> tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
> 

Forgot to add these errors:

type=AVC msg=audit(1365193110.972:47211): avc:  denied  { rlimitinh } for  pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193110.972:47211): avc:  denied  { siginh } for  pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193110.972:47211): avc:  denied  { noatsecure } for  pid=4055 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1365193111.358:47212): avc:  denied  { read } for  pid=4055 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1365193260.515:47225): avc:  denied  { open } for  pid=4486 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file

> 
> audit2allow:
> 
> allow httpd_dirsrvadmin_script_t httpd_modules_t:file execute;
> allow httpd_dirsrvadmin_script_t httpd_t:unix_stream_socket { read write
> getattr ioctl };
> allow httpd_dirsrvadmin_script_t security_t:file { read open };
> allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
> allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };
> allow httpd_t httpd_dirsrvadmin_script_t:process { siginh rlimitinh
> noatsecure };
> allow httpd_t security_t:file read;
> allow httpd_t security_t:file open;
> 
> With these rules added I no longer see any errors, and the server restarts
> cleanly from the console and the command line.

Comment 18 Miroslav Grepl 2013-04-16 11:21:11 UTC
New test builds:

https://brewweb.devel.redhat.com/taskinfo?taskID=5650563

Comment 19 Ján Rusnačko 2013-04-17 09:25:00 UTC
With the new policy, I am able to restart the admin server from the console when SSL is not enabled. No SELinux-related messages in the logs in either enforcing or permissive mode. This is the admin server logfile:

[jrusnack@dstet ~]$ tail -n 15 /var/log/dirsrv/admin-serv/error 
[Wed Apr 17 05:10:19 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:10:19 2013] [crit] [client 127.0.0.1] configuration error:  couldn't check access.  No groups file?: /tasks/Operation/Restart
[Wed Apr 17 05:10:23 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:25 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:27 2013] [warn] child process 3694 still did not exit, sending a SIGTERM
[Wed Apr 17 05:10:29 2013] [error] child process 3694 still did not exit, sending a SIGKILL
[Wed Apr 17 05:10:30 2013] [notice] caught SIGTERM, shutting down
[Wed Apr 17 05:10:30 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
[Wed Apr 17 05:10:31 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:10:31 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:10:32 2013] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Wed Apr 17 05:10:32 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:10:32 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:10:33 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:10:33 2013] [crit] [client 127.0.0.1] configuration error:  couldn't check access.  No groups file?: /tasks/Operation/Restart

Restart from console is successful and without any errors.

When SSL is enabled, I am not able to restart admin server: "The Administration Server cannot be restarted remotely from Console. The server can be restarted only locally from command shell by running restart-admin command." This is already mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=887394#c4

When I try to restart the admin server from the console with SSL enabled, it succeeds but I see the following errors:

[jrusnack@dstet ~]$ tail -n 15 /var/log/dirsrv/admin-serv/error 
[Wed Apr 17 05:17:34 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Apr 17 05:17:35 2013] [warn] NSSProtocol:  Unknown protocol '"sslv2' not supported
[Wed Apr 17 05:17:35 2013] [warn] NSSProtocol:  Unknown protocol 'tlsv1"' not supported
[Wed Apr 17 05:17:35 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:17:35 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:17:36 2013] [notice] Apache/2.2.15 (Unix) mod_nss/2.2.15 NSS/3.14.0.0 Basic ECC configured -- resuming normal operations
[Wed Apr 17 05:17:36 2013] [warn] NSSProtocol:  Unknown protocol '"sslv2' not supported
[Wed Apr 17 05:17:36 2013] [warn] NSSProtocol:  Unknown protocol 'tlsv1"' not supported
[Wed Apr 17 05:17:36 2013] [notice] Access Host filter is: *.example.com
[Wed Apr 17 05:17:36 2013] [notice] Access Address filter is: *
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.122.187
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_host_ip_check: host [dstet] did not match pattern [*.example.com] -will scan aliases
[Wed Apr 17 05:17:50 2013] [notice] [client 192.168.122.187] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Wed Apr 17 05:17:55 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Apr 17 05:17:55 2013] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1

[jrusnack@dstet ~]$ rpm -qa | grep 389
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.11.15-14.el6_4.i686
389-adminutil-1.1.17-1.el6.i386
389-admin-console-1.1.8-1.el6.noarch
389-adminutil-debuginfo-1.1.17-1.el6.i386
389-admin-1.1.33-1.el6.i386
389-ds-console-1.2.7-1.el6.noarch
389-ds-console-doc-1.2.7-1.el6.noarch
389-admin-debuginfo-1.1.33-1.el6.i386
389-ds-base-libs-1.2.11.15-14.el6_4.i686
389-admin-console-doc-1.1.8-1.el6.noarch

[jrusnack@dstet ~]$ rpm -qa | grep selinux-policy
selinux-policy-targeted-3.7.19-198.el6.noarch
selinux-policy-3.7.19-198.el6.noarch

Comment 20 Nathan Kinder 2013-04-17 15:17:06 UTC
I believe that the issues in comment#9 are unrelated.  Let's discuss those outside of this bug.

Do you see any AVC messages when you restart Admin Server from the command-line?  If not, I think we can say that Miroslav's test build works for us.  Do you agree?

Comment 21 mreynolds 2013-04-17 15:21:15 UTC
I tested the new libraries, and the admin server does restart, but I am still seeing selinux errors:

type=AVC msg=audit(1366211395.127:62095): avc:  denied  { rlimitinh } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc:  denied  { siginh } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc:  denied  { noatsecure } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.152:62096): avc:  denied  { read } for  pid=24353 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.118:62105): avc:  denied  { getattr } for  pid=24497 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.119:62106): avc:  denied  { unlink } for  pid=24497 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.142:62108): avc:  denied  { read } for  pid=24506 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.191:62109): avc:  denied  { read } for  pid=24510 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211478.173:62110): avc:  denied  { write } for  pid=24602 comm="touch" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file



#============= dirsrvadmin_t ==============
allow dirsrvadmin_t httpd_t:process { siginh rlimitinh noatsecure };

#============= httpd_dirsrvadmin_script_t ==============
allow httpd_dirsrvadmin_script_t security_t:file read;
allow httpd_dirsrvadmin_script_t var_lock_t:file { write getattr unlink };

#============= httpd_t ==============
allow httpd_t security_t:file read;



Since there are still known SSL issues on rhel 6.4, I have not tested SSL yet.

Comment 22 Ján Rusnačko 2013-04-17 19:28:17 UTC
(In reply to comment #20)
> I believe that the issues in comment#9 are unrelated.  Let's discuss those
> outside of this bug.
Sure.

> 
> Do you see any AVC messages when you restart Admin Server from the
> command-line?  If not, I think we can say that Miroslav's test build works
> for us.  Do you agree?
Scratch what I said, I see AVC messages that Mark lists, too.

Comment 23 Daniel Walsh 2013-04-17 20:22:02 UTC
/var/lock/subsys/dirsrv-admin is the problem; the other AVCs should be dontaudited

rm -f /var/lock/subsys/dirsrv-admin

Then try to start it.  Does it work?

What is the label of the file now?

ls -lZ /var/lock/subsys/dirsrv-admin

Comment 24 Nathan Kinder 2013-04-17 21:19:50 UTC
(In reply to comment #23)
> /var/lock/subsys/dirsrv-admin is the problem; the other AVCs should be
> dontaudited

You are correct.  These other AVCs do not show up if dontaudit rules are enabled.  We can ignore these.

> 
> rm -f /var/lock/subsys/dirsrv-admin
> 
> Then try to start it.  Does it work?
> 
> What is the label of the file now?
> 
> ls -lZ /var/lock/subsys/dirsrv-admin

If I run 'service dirsrv-admin start', the /var/lock/subsys/dirsrv-admin file is created with a label of var_lock_t.  If I then attempt to restart the Admin Server via Console, the restart CGI (running as httpd_dirsrvadmin_script_t) encounters the same AVCs that Mark and Ján see when it tries to remove the old lock file and create a new one:

---------------------------------------------------------------
type=AVC msg=audit(1366211476.118:62105): avc:  denied  { getattr } for  pid=24497 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.119:62106): avc:  denied  { unlink } for  pid=24497 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211478.173:62110): avc:  denied  { write } for  pid=24602 comm="touch" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
---------------------------------------------------------------

Comment 25 Daniel Walsh 2013-04-17 22:52:33 UTC
e3d60e3c2024d16ee86313d9d03816ed0e39dac4 fixes the label on this file in git.

I think the problem is that the lock file is named differently than the file context.

Comment 26 Miroslav Grepl 2013-04-18 06:47:34 UTC
But I added the correct labeling for RHEL6 to the test build.

# matchpathcon /var/lock/subsys/dirsrv-admin
/var/lock/subsys/dirsrv-admin	system_u:object_r:dirsrv_var_lock_t:s0


How is this lock file created? It looks like we will need to run restorecon on it.

Comment 27 Nathan Kinder 2013-04-18 15:25:20 UTC
(In reply to comment #26)
> But I added the correct labeling for RHEL6 to the test build.
> 
> # matchpathcon /var/lock/subsys/dirsrv-admin
> /var/lock/subsys/dirsrv-admin	system_u:object_r:dirsrv_var_lock_t:s0
> 
> 
> How is this lock file created? It looks like we will need to run restorecon
> on it.

When you start Admin Server from the command line, our init script (/etc/init.d/dirsrv-admin) creates the file by doing this:

  touch /var/lock/subsys/dirsrv-admin

If I make our init script do a restorecon immediately after creating the lockfile, it gets relabeled as dirsrv_var_lock_t.  I am then able to restart Admin Server from Console successfully without any AVC messages using your test build.  It sounds like this is the recommended approach, so I will file a separate bug so we can address this in the 389-admin package.
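
Added example, not part of this bug report and not code from 389-admin or selinux-policy: a small Python triage of the denials quoted in comment 21 that reproduces what the thread works out by hand in comments 23, 24, 26 and 27. It groups the AVCs into audit2allow-style rules, then separates the dontaudit noise (the process-class siginh/rlimitinh/noatsecure denials and the security_t reads) from the lock-file denials, which it ties back to /var/lock/subsys/dirsrv-admin through the shared dev/inode and checks against the matchpathcon label from comment 26. The sample audit lines are copied from comment 21; the expected-label table and the dontaudit noise set are hard-coded assumptions standing in for `matchpathcon` and the real policy, and the `restorecon` command in `fix_plan` is the fix comment 27 adopts.

```python
"""Triage the AVC denials from comment 21: audit2allow-style rules, then
split them into dontaudit noise / mislabeled file / real policy gaps."""
import re
from collections import defaultdict

# Constructed sample: the nine AVC lines posted in comment 21, verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1366211395.127:62095): avc:  denied  { rlimitinh } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc:  denied  { siginh } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.127:62095): avc:  denied  { noatsecure } for  pid=24353 comm="httpd.worker" scontext=unconfined_u:system_r:dirsrvadmin_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1366211395.152:62096): avc:  denied  { read } for  pid=24353 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.118:62105): avc:  denied  { getattr } for  pid=24497 comm="rm" path="/var/lock/subsys/dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.119:62106): avc:  denied  { unlink } for  pid=24497 comm="rm" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1366211476.142:62108): avc:  denied  { read } for  pid=24506 comm="ls" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211476.191:62109): avc:  denied  { read } for  pid=24510 comm="httpd.worker" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1366211478.173:62110): avc:  denied  { write } for  pid=24602 comm="touch" name="dirsrv-admin" dev=dm-0 ino=99 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
"""

# Assumption standing in for `matchpathcon <path>` (value taken from comment 26).
EXPECTED_LABEL = {
    "/var/lock/subsys/dirsrv-admin": "system_u:object_r:dirsrv_var_lock_t:s0",
}

# Assumption: (target type, class, permission) triples that comments 23/24 say
# the shipped policy dontaudits; they only surface after `semodule -DB`.
DONTAUDIT_NOISE = {
    ("httpd_t", "process", "siginh"),
    ("httpd_t", "process", "rlimitinh"),
    ("httpd_t", "process", "noatsecure"),
    ("security_t", "file", "read"),
    ("security_t", "file", "open"),
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def type_of(context):
    """user:role:type:level -> type (the only part AVC rules care about)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the key=value fields plus a perms list for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else u for k, q, u in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def parse_audit_log(text):
    return [a for a in (parse_avc(l) for l in text.splitlines()) if a]


def audit2allow(avcs):
    """Collapse denials into allow rules the way audit2allow prints them."""
    perms = defaultdict(set)
    for a in avcs:
        perms[(type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])].update(a["perms"])
    rules = []
    for (s, t, c), ps in sorted(perms.items()):
        p = " ".join(sorted(ps))
        body = p if len(ps) == 1 else "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def triage(avcs, expected=EXPECTED_LABEL, noise=DONTAUDIT_NOISE):
    """Bucket denials: noise (ignore), mislabeled file (restorecon), policy gap.

    name-only lines (the rm unlink, the touch write) carry no path, so they are
    tied to a path seen on another line with the same dev/inode.
    """
    paths = {(a["dev"], a["ino"]): a["path"] for a in avcs if "path" in a}
    out = {"noise": [], "mislabeled": {}, "policy": []}
    for a in avcs:
        ttype = type_of(a["tcontext"])
        if all((ttype, a["tclass"], p) in noise for p in a["perms"]):
            out["noise"].append(a)
            continue
        path = a.get("path") or paths.get((a.get("dev"), a.get("ino")))
        want = expected.get(path)
        # Compare types only: restorecon fixes the type, not the SELinux user.
        if want and type_of(want) != type_of(a["tcontext"]):
            out["mislabeled"][path] = (a["tcontext"], want)
        else:
            out["policy"].append(a)
    return out


def fix_plan(result):
    """What to run next; a mislabel gets restorecon, never a new allow rule."""
    return [f"restorecon -v {p}" for p in sorted(result["mislabeled"])]


if __name__ == "__main__":
    avcs = parse_audit_log(SAMPLE_AVCS)
    print("\n".join(audit2allow(avcs)))
    result = triage(avcs)
    print(f"noise={len(result['noise'])} policy={len(result['policy'])}")
    print("\n".join(fix_plan(result)))
```

The output makes the point Dan Walsh makes in comment 23: audit2allow prints `allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink write };`, but loading that rule would give the restart CGI write and unlink on every file labeled var_lock_t, whereas the actual defect is the init script's `touch` creating the lock file with the default var_lock_t label instead of dirsrv_var_lock_t. On a live host, feed `ausearch -m avc` output into `parse_audit_log` and replace the EXPECTED_LABEL table with `matchpathcon` results.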

Comment 28 Nathan Kinder 2013-04-19 02:57:25 UTC
I performed some additional testing, and the test selinux-policy package is working correctly for me with no AVCs.  I would like to get this fixed in 6.4.z, so we will need to get PM and QE approval to continue.

Comment 30 Miroslav Grepl 2013-04-19 07:27:14 UTC
Yes, the restorecon is needed in this case.

Comment 31 Miroslav Grepl 2013-04-23 10:06:57 UTC
Fixed in selinux-policy-3.7.19-198.el6

Comment 35 errata-xmlrpc 2013-11-21 10:19:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

