FC5 LDAP issues
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 30 20:28:29 UTC 2006
Jason L Tibbitts III wrote:
>>>>>> "DJW" == Daniel J Walsh <Daniel> writes:
>>>>>>
>
> DJW> Can you setenforce now and then start it up, please collect all
> DJW> of the avc messages.
>
> Since I can't even boot in enforcing mode, I'm running in permissive
> mode and just after boot I have 24 denials. Many of these are
> probably normal but several are looking in /etc/pki for various
> certs. These are probably related to LDAP; /etc/ldap.conf requires
> encryption so anything that needs to look at users or groups before
> nscd starts will need to see the certs.
>
>
>> cat /etc/ldap.conf
>>
> base dc=blah
> uri ldaps://xxxx ldaps://yyyy ldaps://zzzz
> bind_timelimit 3
> idle_timelimit 3600
> tls_checkpeer yes
> tls_cacertfile /etc/pki/cacert.pem
>
>
>> sestatus
>>
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: permissive
> Policy version: 20
> Policy from config file: targeted
>
>
>> dmesg|grep avc
>>
> audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
> audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.708:4): avc: denied { getattr } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.772:5): avc: denied { read } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749475.772:6): avc: denied { getattr } for pid=1263 comm="fsck.ext3" name="mtab" dev=dm-0 ino=167311 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:7): avc: denied { write } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:8): avc: denied { unlink } for pid=1279 comm="mount" name="blkid.tab.old" dev=dm-0 ino=165330 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749476.672:9): avc: denied { link } for pid=1279 comm="mount" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
> audit(1143749708.498:10): avc: denied { search } for pid=1719 comm="dbus-daemon" name="pki" dev=dm-0 ino=163878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
> audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749708.498:12): avc: denied { getattr } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749708.498:13): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143749710.051:14): avc: denied { mounton } for pid=1773 comm="mount" name="mail" dev=dm-4 ino=589827 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
> audit(1143749711.663:15): avc: denied { read } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749711.663:16): avc: denied { getattr } for pid=1950 comm="automount" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
> audit(1143749711.663:17): avc: denied { read } for pid=1950 comm="automount" name="cert.pem" dev=dm-0 ino=164178 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
> audit(1143749720.792:18): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> audit(1143749720.792:19): avc: denied { search } for pid=2240 comm="hald" name="spool" dev=dm-4 ino=589825 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> audit(1143749801.841:20): avc: denied { write } for pid=2352 comm="mount" name="socket" dev=dm-4 ino=917527 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
> audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
> audit(1143749801.841:22): avc: denied { use } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=fd
> audit(1143749801.841:23): avc: denied { read } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143749801.841:24): avc: denied { getattr } for pid=2352 comm="mount" name="hosts" dev=dm-4 ino=622598 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
> audit(1143749801.869:25): avc: denied { getattr } for pid=2240 comm="hald" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
>
> - J<
>
Looks like you have a labeling problem. Your var partition looks like
it is labeled file_t. So if you relabel, things might clear up:

    touch /.autorelabel
    reboot
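The triage in the reply above can be automated. This is an added example, not code from the thread or from Fedora: it parses the FC5-era kernel AVC lines quoted earlier and separates denials whose target type is file_t or default_t (an unlabeled object, fixed by relabeling) from denials against properly labeled types such as cert_t or nscd_t, which point at a genuine policy gap rather than a labeling one. The sample lines are constructed from the messages quoted above.

```python
import re
from collections import defaultdict

# Matches the kernel AVC message format seen in this thread (FC5, policy v20).
AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied \{ (?P<perms>[^}]+)\} '
    r'for (?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="fsck") or bare (ino=167310).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "this object has no real label" rather than
# "policy forbids this access".  These are cleared by a relabel.
UNLABELED_TYPES = {"file_t", "default_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a context string;
    # this also works for MLS contexts such as ...:pam_console_t:s0-s0:c0.c255
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """'relabel' if the target object is unlabeled, else 'policy'."""
    return "relabel" if rec["ttype"] in UNLABELED_TYPES else "policy"

def triage(lines):
    """Group denials by (source type, target type, class) under each verdict."""
    out = {"relabel": defaultdict(set), "policy": defaultdict(set)}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        out[classify(rec)][key].update(rec["perms"])
    return {k: {kk: sorted(v) for kk, v in d.items()} for k, d in out.items()}

# Constructed sample: a subset of the denials quoted in the thread.
SAMPLE_AVC = """\
audit(1143749462.567:2): avc: denied { search } for pid=659 comm="pam_console_app" name="var" dev=dm-0 ino=98305 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
audit(1143749475.708:3): avc: denied { read } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749475.708:4): avc: denied { getattr } for pid=1261 comm="fsck" name="blkid.tab" dev=dm-0 ino=167310 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1143749708.498:11): avc: denied { read } for pid=1719 comm="dbus-daemon" name="cacert.pem" dev=dm-0 ino=165663 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
audit(1143749801.841:21): avc: denied { connectto } for pid=2352 comm="mount" name="socket" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
"""
```

Running triage(SAMPLE_AVC.splitlines()) puts the pam_console_t and fsadm_t denials under "relabel" and the cert_t and nscd_t ones under "policy", which is the split the reply above makes by eye.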