[389-users] DSGW SELinux issues
Rich Megginson
rmeggins at redhat.com
Wed Oct 27 20:42:57 UTC 2010
Orion Poplawski wrote:
> Running on CentOS 5.4, get:
>
> type=AVC msg=audit(1288197048.706:347260): avc: denied { execute_no_trans }
> for pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang"
> dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> Looks like these are mislabeled:
> [root@earth admin-serv]# ls -Z /usr/lib/dirsrv/cgi-bin
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t config
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t download
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t dsconfig
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_create
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_listdb
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_remove
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_restart
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_shutdown
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_snmpctrl
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_start
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ds_unregister
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t help
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t htmladmin
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t monreplication
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ReadLog
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t repl-monitor-cgi.pl
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t restartsrv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t sec-activate
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t security
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t start_config_ds
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statpingserv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t statusping
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t stopsrv
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t ugdsconfig
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewdata
> -rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t viewlog
> [root@earth admin-serv]# ls -Z /usr/lib/dirsrv/dsgw-cgi-bin
> -rwxr-xr-x root root system_u:object_r:lib_t auth
> -rwxr-xr-x root root system_u:object_r:lib_t csearch
> -rwxr-xr-x root root system_u:object_r:lib_t dnedit
> -rwxr-xr-x root root system_u:object_r:lib_t doauth
> -rwxr-xr-x root root system_u:object_r:lib_t domodify
> -rwxr-xr-x root root system_u:object_r:lib_t dosearch
> -rwxr-xr-x root root system_u:object_r:lib_t edit
> -rwxr-xr-x root root system_u:object_r:lib_t lang
> -rwxr-xr-x root root system_u:object_r:lib_t myorg
> -rwxr-xr-x root root system_u:object_r:lib_t newentry
> -rwxr-xr-x root root system_u:object_r:lib_t org
> -rwxr-xr-x root root system_u:object_r:lib_t search
> -rwxr-xr-x root root system_u:object_r:lib_t tutor
> -rwxr-xr-x root root system_u:object_r:lib_t unauth
>
>
>
> 389-admin-1.1.11-1.el5
> 389-admin-console-1.1.5-1.el5
> 389-admin-console-doc-1.1.5-1.el5
> 389-adminutil-1.1.8-4.el5
> 389-console-1.1.4-1.el5
> 389-ds-1.2.1-1.el5
> 389-ds-base-1.2.6.1-2.el5
> 389-ds-console-1.2.3-1.el5
> 389-ds-console-doc-1.2.3-1.el5
> 389-dsgw-1.1.5-1.el5
>
> File a bug?
>
This is fixed in 389-admin-1.1.12.a1, which is soon headed to a testing
repo near you.
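
Added example, not part of the original thread: a Python sketch that parses the AVC record quoted above into its denied permission and source/target types, and lists `ls -Z` entries whose type differs from an expected one. The function names are illustrative, the sample inputs are copied from the post (the AVC record rejoined onto one line), and treating `httpd_dirsrvadmin_script_exec_t` as the expected type for the DSGW CGIs is an assumption drawn from the comparison in the post.

```python
import re

# Sample input: the AVC record from the post, rejoined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1288197048.706:347260): avc: denied { execute_no_trans } '
    'for pid=1388 comm="httpd.worker" path="/usr/lib/dirsrv/dsgw-cgi-bin/lang" '
    'dev=dm-4 ino=225129 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

# Sample input: one `ls -Z` line from each directory listed in the post.
SAMPLE_LS = """\
-rwxr-xr-x root root system_u:object_r:httpd_dirsrvadmin_script_exec_t admpw
-rwxr-xr-x root root system_u:object_r:lib_t lang
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type decides the access check.
    for key, out in (('scontext', 'stype'), ('tcontext', 'ttype')):
        if key in rec:
            rec[out] = rec[key].split(':')[2]
    return rec


def ls_z_types(text):
    """Map file name -> SELinux type from `ls -Z` lines (mode user group context name)."""
    types = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            types[parts[4]] = parts[3].split(':')[2]
    return types


def mislabeled(text, expected_type):
    """Names whose type differs from expected_type (the expected type is an assumption)."""
    return sorted(n for n, t in ls_z_types(text).items() if t != expected_type)
```
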