[389-users] Announcing 389 Directory Server 1.2.6 Release Candidate 3

Aaron Hagopian airhead1 at gmail.com
Mon Jul 19 15:47:57 UTC 2010


OK, this time I think I have hit a legit issue with SELinux and 1.2.6 RC3.
 On my workstation, to sync up my LDAP server with production, I take an LDIF
dump from production and load it into my system with the ldif2db.pl script.
 For versions 1.2.5 and previous that LDIF file could be located anywhere
that was readable to the "nobody" user.  Since upgrading, I try to use the
same command and get denied because of SELinux.

My real question here is what is an acceptable directory?  I thought for
sure the /var/lib/dirsrv/slapd-<instance>/ldif/  directory would be
acceptable but I get a "SELinux is preventing /usr/sbin/ns-slapd "read"
access on ..." message no matter where I place the LDIF file.

Attached is the full SELinux error.

Thanks,

Aaron


On Fri, Jul 16, 2010 at 8:49 AM, Aaron Hagopian <airhead1 at gmail.com> wrote:

> As I was looking up the version number of admin I noticed that I had only
> updated 389-ds* and not 389*, so the 389-admin* packages were mismatched.
>  Once I upgraded everything to what was in updates-testing, no more SELinux
> messages; sorry about the confusion.
>
> Aaron
>
> 2010/7/15 Nathan Kinder <nkinder at redhat.com>
>
>> On 07/15/2010 09:12 AM, Aaron Hagopian wrote:
>>>
>>> I upgraded my fedora 13 x86_64 machine to the RC3 using the rpms in
>>> updates-testing and now I cannot start the admin server with SELinux
>>> enabled.  I am attaching the SELinux message.  It does start when I disable
>>> SELinux.
>>>
>> What version of 389-admin are you running?
>>
>> I'd also like to see the output of 'semodule -l | grep 389' from your
>> system.
>>
>> -NGK
>>
>>>
>>>
>>> On Tue, Jul 6, 2010 at 2:38 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>
>>>> The 389 team is pleased to announce the availability of Release
>>>> Candidate 3 of version 1.2.6.  This release has a few bug fixes.
>>>>
>>>> ***We need your help!  Please help us test this software.***  It is a
>>>> release candidate, so it may have a few glitches, but it has been tested
>>>> for regressions and for new feature bugs.  The Fedora system
>>>> strongly encourages packages to be in Testing until verified and pushed
>>>> to Stable.  If we don't get any feedback while the packages are in
>>>> Testing, the packages will remain in limbo, or get pushed to Stable.
>>>>
>>>> The more testing we get, the faster we can release these packages to
>>>> Stable.  See the Release Notes for information about how to provide
>>>> testing feedback (or just send an email to
>>>> 389-users at lists.fedoraproject.org).
>>>>
>>>> The packages that need testing are:
>>>> * 389-ds-base-1.2.6.rc3 - 389-ds-base
>>>>
>>>> More information
>>>> * Release Notes - http://port389.org/wiki/Release_Notes
>>>> * Install_Guide - http://port389.org/wiki/Install_Guide
>>>> * Download - http://port389.org/wiki/Download
>>>>
>>>> === Bugs Fixed ===
>>>> This release contains a couple of bug fixes.  The complete list of bugs
>>>> fixed is found at the link below.  Note that bugs marked as MODIFIED
>>>> have been fixed but are still in testing.
>>>> * Tracking bug for 1.2.6 release -
>>>>   https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
>>>> ** Bug 606920 - anonymous resource limit - nstimelimit - also applied
>>>> to "cn=directory manager"
>>>> ** Bug 604453 - SASL Stress and Server crash: Program quits with the
>>>> assertion failure in PR_Poll
>>>> ** Bug 605827 - In-place upgrade: upgrade dn format should not run in
>>>> setup-ds-admin.pl
>>>> ** Bug 578296 - Attribute type entrydn needs to be added when subtree
>>>> rename switch is on
>>>> ** Bug 609256 - Selinux: pwdhash fails if called via Admin Server CGI
>>>> ** Bug 603942 - null deref in _ger_parse_control() for subjectdn
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>
>
-------------- next part --------------

Summary:

SELinux is preventing /usr/sbin/ns-slapd "read" access on all-penny.ldif.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by ns-slapd. It is not expected that this access
is required by ns-slapd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:dirsrv_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                all-penny.ldif [ file ]
Source                        ns-slapd
Source Path                   /usr/sbin/ns-slapd
Port                          <Unknown>
Host                          barfolomew.hra.local
Source RPM Packages           389-ds-base-1.2.6-0.8.rc3.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     barfolomew.hra.local
Platform                      Linux barfolomew.hra.local
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   14
First Seen                    Mon 19 Jul 2010 10:17:57 AM CDT
Last Seen                     Mon 19 Jul 2010 10:43:17 AM CDT
Local ID                      c2f614a6-077e-4d38-b7a6-fd1161a959b0
Line Numbers                  

Raw Audit Messages            

node=barfolomew.hra.local type=AVC msg=audit(1279554197.982:30320): avc:  denied  { read } for  pid=9763 comm="ns-slapd" name="all-penny.ldif" dev=dm-3 ino=394927 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=barfolomew.hra.local type=AVC msg=audit(1279554197.982:30320): avc:  denied  { open } for  pid=9763 comm="ns-slapd" name="all-penny.ldif" dev=dm-3 ino=394927 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=barfolomew.hra.local type=SYSCALL msg=audit(1279554197.982:30320): arch=c000003e syscall=2 success=yes exit=14 a0=7fd6ec34dcc0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=9763 auid=2397 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=2 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
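The AVC records above carry everything needed to answer the question in the message: which domain was refused (the `scontext` type, `dirsrv_t`), what it was refused (`{ read }` and `{ open }` on a `file`), and how the file is labelled (the `tcontext` type, `var_t`, the generic label for anything under /var that no policy module claims). The script below is an added example, not code from the thread or from the 389 project: it parses the two records copied from the attachment, states the verdict, and reports whether the denial was actually enforced. The remediation text and the `check_ldif_label` helper assume that the dirsrv SELinux module labels /var/lib/dirsrv and that a relabel with `restorecon` is the first thing to try; `matchpathcon`, `restorecon -n` and `ls -Z` are real tools and are only run when present.

```shell
#!/bin/sh
# Added example, not from the thread: triage an ns-slapd AVC denial from the
# raw audit records and say what to check on the host. The two records are
# copied from the attachment in the mail; the fix text assumes /var/lib/dirsrv
# is labelled by the dirsrv SELinux module (restorecon will then relabel a file
# placed there to whatever the loaded policy expects).

AVC_SAMPLE='node=barfolomew.hra.local type=AVC msg=audit(1279554197.982:30320): avc:  denied  { read } for  pid=9763 comm="ns-slapd" name="all-penny.ldif" dev=dm-3 ino=394927 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file'
SYSCALL_SAMPLE='node=barfolomew.hra.local type=SYSCALL msg=audit(1279554197.982:30320): arch=c000003e syscall=2 success=yes exit=14 a0=7fd6ec34dcc0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=9763 auid=2397 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=2 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)'

# avc_field RECORD KEY: value of KEY=value in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type_of CONTEXT: the type component of user:role:type:level.
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD: the permission(s) listed inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_diagnose AVC_RECORD: one-line verdict; returns 1 if not a denial record.
avc_diagnose() {
    case $1 in
        *"avc:  denied"*) ;;
        *) echo "not an AVC denial"; return 1 ;;
    esac
    src=$(avc_type_of "$(avc_field "$1" scontext)")
    tgt=$(avc_type_of "$(avc_field "$1" tcontext)")
    echo "$src denied $(avc_perm "$1") on $(avc_field "$1" name) (labelled $tgt)"
}

# avc_enforced SYSCALL_RECORD: "no" when the syscall still succeeded, i.e. the
# denial was only logged (permissive mode); "yes" when it was really blocked.
avc_enforced() {
    if [ "$(avc_field "$1" success)" = "yes" ]; then echo no; else echo yes; fi
}

# suggest_fix TARGET_TYPE: first remediation to try for that file label.
suggest_fix() {
    case $1 in
        var_t) echo "generic var_t label: put the LDIF under the instance ldif directory and run 'restorecon -v FILE' (mv keeps the old label, cp inherits the directory's)" ;;
        *)     echo "unexpected type $1: 'ausearch -m AVC -c ns-slapd | audit2allow' shows the rule a local module would need" ;;
    esac
}

# check_ldif_label PATH: on a real host, compare the file's current label with
# what the loaded policy expects; restorecon -n only reports, it changes nothing.
check_ldif_label() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "SELinux tools not installed"; return 0; }
    echo "current:  $(ls -Z "$1")"
    echo "expected: $(matchpathcon "$1")"
    restorecon -nv "$1"
}

avc_diagnose "$AVC_SAMPLE"
echo "enforced: $(avc_enforced "$SYSCALL_SAMPLE")"
suggest_fix "$(avc_type_of "$(avc_field "$AVC_SAMPLE" tcontext)")"
if [ $# -gt 0 ]; then check_ldif_label "$1"; fi
```

Two things worth reading off the output. First, the SYSCALL record says `success=yes exit=14`: the open returned a file descriptor, so on this host the AVC was logged but nothing was blocked, which matches the "Enforcing Mode Permissive" line in the report header. Second, a file that still reads `var_t` after being placed under /var/lib/dirsrv/slapd-<instance>/ldif/ is the signature of `mv`, which keeps the source label; `cp` creates a new inode that inherits the directory's label, and `restorecon -v` resets an existing file to whatever `matchpathcon` says the policy expects. Only if the expected label itself is one `dirsrv_t` cannot read does the local-module route that the sealert text suggests (`audit2allow`) come into play.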



