FC5 LDAP issues

Jason L Tibbitts III tibbs at math.uh.edu
Thu Mar 30 20:24:28 UTC 2006


>>>>> "DJW" == Daniel J Walsh <Daniel> writes:

DJW> Can you setenforce now and then start it up, please collect all
DJW> of the avc messages.

Since I can't even boot in enforcing mode, I'm running in permissive
mode and just after boot I have 24 denials.  Many of these are
probably normal but several are looking in /etc/pki for various
certs.  These are probably related to LDAP; /etc/ldap.conf requires
encryption so anything that needs to look at users or groups before
nscd starts will need to see the certs.

> cat /etc/ldap.conf
base dc=blah
uri ldaps://xxxx ldaps://yyyy ldaps://zzzz
bind_timelimit 3
idle_timelimit 3600
tls_checkpeer yes
tls_cacertfile /etc/pki/cacert.pem

> sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        targeted

> dmesg|grep avc
audit(1143749462.567:2): avc:  denied  { search } for  pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143749475.708:3): avc:  denied  { read } for  pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.708:4): avc:  denied  { getattr } for  pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.772:5): avc:  denied  { read } for  pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.772:6): avc:  denied  { getattr } for  pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:7): avc:  denied  { write } for  pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:8): avc:  denied  { unlink } for  pid=1279 comm="mount" name="blkid.tab.old" dev=dm-0 ino=165330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749476.672:9): avc:  denied  { link } for  pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749708.498:10): avc:  denied  { search } for  pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
audit(1143749708.498:11): avc:  denied  { read } for  pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749708.498:12): avc:  denied  { getattr } for  pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749708.498:13): avc:  denied  { read } for  pid=1719 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143749710.051:14): avc:  denied  { mounton } for  pid=1773 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
audit(1143749711.663:15): avc:  denied  { read } for  pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749711.663:16): avc:  denied  { getattr } for  pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749711.663:17): avc:  denied  { read } for  pid=1950 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
audit(1143749720.792:18): avc:  denied  { getattr } for  pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
audit(1143749720.792:19): avc:  denied  { search } for  pid=2240 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
audit(1143749801.841:20): avc:  denied  { write } for  pid=2352 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
audit(1143749801.841:21): avc:  denied  { connectto } for  pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
audit(1143749801.841:22): avc:  denied  { use } for  pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
audit(1143749801.841:23): avc:  denied  { read } for  pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143749801.841:24): avc:  denied  { getattr } for  pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
audit(1143749801.869:25): avc:  denied  { getattr } for  pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

 - J<
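The denials above are reported one permission at a time, which makes it hard to see that several of them are really one pattern (a daemon domain reading the CA certificate labelled cert_t before nscd is up). The script below is an added example, not part of the original message or of any Fedora tool: it parses `avc: denied` lines in the dmesg format shown above, groups them by source type, target type and object class the way a policy author would when deciding what to allow, and picks out the cert_t denials the post ties to the TLS requirement in /etc/ldap.conf. The sample input is a handful of lines copied from the post; the field names and regular expressions are my own reading of the format, not an official grammar.

```python
import re
from collections import defaultdict

# A few of the denials from the post above, embedded so the script runs offline.
SAMPLE_DMESG = """\
audit(1143749708.498:10): avc:  denied  { search } for  pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
audit(1143749708.498:11): avc:  denied  { read } for  pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749708.498:12): avc:  denied  { getattr } for  pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749711.663:15): avc:  denied  { read } for  pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749801.841:21): avc:  denied  { connectto } for  pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
"""

# "avc:  denied  { read getattr } for  key=value ..." -- result, permission set, trailing fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))})
    return rec


def type_of(context):
    """Extract the type component of user:role:type[:level]."""
    return context.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}


def cert_related(summary):
    """Keep only denials whose target is cert_t, i.e. attempts to read the TLS CA cert."""
    return {k: v for k, v in summary.items() if k[1] == 'cert_t'}


if __name__ == '__main__':
    grouped = summarize(SAMPLE_DMESG.splitlines())
    for (src, tgt, cls), perms in sorted(grouped.items()):
        print(f'{src} -> {tgt} ({cls}): {" ".join(perms)}')
    print('cert_t-related groups:', len(cert_related(grouped)))
```

Run against the full `dmesg | grep avc` output, the grouping collapses the 24 lines into a short list of (domain, target, class) triples; the cert_t rows are the ones to raise with the policy maintainer, since they show which early-boot domains need to read the CA certificate when LDAP lookups require TLS.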
