[389-users] DSGW SELinux issues

Orion Poplawski orion at cora.nwra.com
Wed Oct 27 16:45:17 UTC 2010


Running DSGW on CentOS 5.4, I get this SELinux denial when httpd tries to run one of the DSGW CGI programs:

type=AVC msg=audit(1288197048.706:347260): avc:  denied  { execute_no_trans } for  pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang" dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

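Looks like the DSGW CGI programs are mislabeled. The admin server CGIs in cgi-bin carry httpd_dirsrvadmin_script_exec_t, but everything in dsgw-cgi-bin is plain lib_t, which matches the tcontext in the denial above:
[root@earth admin-serv]# ls -Z /usr/lib/dirsrv/cgi-bin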
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t config
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t download
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t dsconfig
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_create
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_listdb
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_remove
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_restart
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_shutdown
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_snmpctrl
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_start
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_unregister
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t help
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t htmladmin
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t monreplication
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ReadLog
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t repl-monitor-cgi.pl
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t restartsrv
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t sec-activate
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t security
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t start_config_ds
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statpingserv
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statusping
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t stopsrv
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ugdsconfig
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewdata
-rwxr-xr-x  root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewlog
[root@earth admin-serv]# ls -Z /usr/lib/dirsrv/dsgw-cgi-bin
-rwxr-xr-x  root root system_u:object_r:lib_t          auth
-rwxr-xr-x  root root system_u:object_r:lib_t          csearch
-rwxr-xr-x  root root system_u:object_r:lib_t          dnedit
-rwxr-xr-x  root root system_u:object_r:lib_t          doauth
-rwxr-xr-x  root root system_u:object_r:lib_t          domodify
-rwxr-xr-x  root root system_u:object_r:lib_t          dosearch
-rwxr-xr-x  root root system_u:object_r:lib_t          edit
-rwxr-xr-x  root root system_u:object_r:lib_t          lang
-rwxr-xr-x  root root system_u:object_r:lib_t          myorg
-rwxr-xr-x  root root system_u:object_r:lib_t          newentry
-rwxr-xr-x  root root system_u:object_r:lib_t          org
-rwxr-xr-x  root root system_u:object_r:lib_t          search
-rwxr-xr-x  root root system_u:object_r:lib_t          tutor
-rwxr-xr-x  root root system_u:object_r:lib_t          unauth



389-admin-1.1.11-1.el5
389-admin-console-1.1.5-1.el5
389-admin-console-doc-1.1.5-1.el5
389-adminutil-1.1.8-4.el5
389-console-1.1.4-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.6.1-2.el5
389-ds-console-1.2.3-1.el5
389-ds-console-doc-1.2.3-1.el5
389-dsgw-1.1.5-1.el5

Should I file a bug for this?

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion at cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com


