Re: [389-users] Announcing 389 Directory Server 1.2.6 Release Candidate 3

Aaron Hagopian <airhead1@xxxxxxxxx> · Thu, 15 Jul 2010 11:12:34 -0500

I upgraded my fedora 13 x86_64 machine to the RC3 using the rpms in updates-testing and now I cannot start the admin server with selinux enabled.  I am attaching the selinux message.  It does start when I disable selinux.

On Tue, Jul 6, 2010 at 2:38 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

The 389 team is pleased to announce the availability of Release

Candidate 3 of version 1.2.6.  This release has a few bug fixes.

***We need your help!  Please help us test this software.***  It is a

release candidate, so it may have a few glitches, but it has been tested

for regressions and for new feature bugs.  The Fedora system

strongly encourages packages to be in Testing until verified and pushed

to Stable.  If we don't get any feedback while the packages are in

Testing, the packages will remain in limbo, or get pushed to Stable.

The more testing we get, the faster we can release these packages to

Stable.  See the Release Notes for information about how to provide

testing feedback (or just send an email to

389-users@xxxxxxxxxxxxxxxxxxxxxxx).

The packages that need testing are:

* 389-ds-base-1.2.6.rc3 - 389-ds-base

More information

* Release Notes - http://port389.org/wiki/Release_Notes

* Install_Guide - http://port389.org/wiki/Install_Guide

* Download - http://port389.org/wiki/Download

=== Bugs Fixed ===

This release contains a couple of bug fixes.  The complete list of bugs

fixed is found at the link below.  Note that bugs marked as MODIFIED

have been fixed but are still in testing.

* Tracking bug for 1.2.6 release -

https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0

**  Bug 606920 - anonymous resource limit - nstimelimit - also applied

to "cn=directory manager"

** Bug 604453 - SASL Stress and Server crash: Program quits with the

assertion failure in PR_Poll

** Bug 605827 - In-place upgrade: upgrade dn format should not run in

setup-ds-admin.pl

** Bug 578296 - Attribute type entrydn needs to be added when subtree

rename switch is on

** Bug 609256 - Selinux: pwdhash fails if called via Admin Server CGI

** Bug 603942 - null deref in _ger_parse_control() for subjectdn

--

389 users mailing list

389-users@xxxxxxxxxxxxxxxxxxxxxxx

https://admin.fedoraproject.org/mailman/listinfo/389-users

Summary:

SELinux is preventing /usr/sbin/httpd.worker from using potentially mislabeled
files /etc/dirsrv.

Detailed Description:

SELinux has denied the httpd.worker access to potentially mislabeled files
/etc/dirsrv. This means that SELinux will not allow httpd to use these files. If
httpd should be allowed this access to these files you should change the file
context to one of the following types, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, var_log_t, setrans_var_run_t, sysctl_crypto_t,
samba_var_t, pki_ra_var_lib_t, pki_ra_var_run_t, avahi_var_run_t, sysctl_t,
abrt_t, bin_t, lib_t, net_conf_t, mnt_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t, root_t, tmp_t, httpd_nagios_rw_content_t, usr_t,
var_t, public_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, anon_inodefs_t, httpd_sys_content_t,
sysctl_kernel_t, var_lib_nfs_t, home_root_t, httpd_modules_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
mysqld_var_run_t, httpd_var_lib_t, httpd_var_run_t, device_t, nscd_var_run_t,
nslcd_var_run_t, pki_ra_log_t, sssd_var_lib_t, var_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t, etc_t, pki_tps_log_t, mysqld_db_t, proc_t,
httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t,
pki_tps_var_lib_t, pki_tps_var_run_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, mailman_archive_t, httpd_cvs_content_t,
httpd_sys_content_t, logfile, public_content_rw_t, rpm_script_tmp_t,
mailman_data_t, security_t, httpd_munin_script_exec_t, var_lock_t, sysctl_t,
httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t,
system_dbusd_var_run_t, bin_t, cert_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_cobbler_content_t, squirrelmail_spool_t,
httpd_t, httpd_bugzilla_content_t, lib_t, mnt_t, tmp_t, usr_t, var_t,
httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, httpd_nagios_script_exec_t,
rpm_tmp_t, nagios_etc_t, nagios_log_t, var_run_t, sssd_public_t,
httpd_squid_script_exec_t, httpd_awstats_rw_content_t,
httpd_w3c_validator_rw_content_t, winbind_var_run_t, cluster_conf_t, autofs_t,
device_t, devpts_t, locale_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t,
fonts_cache_t, etc_t, fonts_t, httpd_log_t, proc_t, sysfs_t, tmpfs_t,
httpd_awstats_content_t, var_lib_t, krb5_conf_t, httpd_user_rw_content_t,
httpd_config_t, httpd_nutups_cgi_content_t, sysctl_net_t, rpm_log_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, calamaris_www_t,
httpd_munin_rw_content_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, udev_tbl_t,
httpd_tmp_t, httpd_sys_script_exec_t, iso9660_t, pki_tps_etc_rw_t,
smokeping_var_lib_t, httpd_git_script_exec_t, var_lib_t, var_run_t,
mysqld_etc_t, cvs_data_t, httpd_cvs_script_exec_t, configfile, pki_ra_etc_rw_t,
dbusd_etc_t, abrt_var_run_t, httpd_squirrelmail_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, root_t, nscd_var_run_t,
pcscd_var_run_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_cobbler_content_t, httpd_bugzilla_content_t,
var_t, var_t, httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_sys_script_exec_t,
httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t. Many
third party apps install html files in directories that SELinux policy cannot
predict. These directories have to be labeled with a file context which httpd
can access.

Allowing Access:

If you want to change the file context of /etc/dirsrv so that the httpd daemon
can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'/etc/dirsrv'.
where FILE_TYPE is one of the following: httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, var_log_t, setrans_var_run_t, sysctl_crypto_t,
samba_var_t, pki_ra_var_lib_t, pki_ra_var_run_t, avahi_var_run_t, sysctl_t,
abrt_t, bin_t, lib_t, net_conf_t, mnt_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t,
httpd_w3c_validator_content_t, root_t, tmp_t, httpd_nagios_rw_content_t, usr_t,
var_t, public_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, anon_inodefs_t, httpd_sys_content_t,
sysctl_kernel_t, var_lib_nfs_t, home_root_t, httpd_modules_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
mysqld_var_run_t, httpd_var_lib_t, httpd_var_run_t, device_t, nscd_var_run_t,
nslcd_var_run_t, pki_ra_log_t, sssd_var_lib_t, var_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t, etc_t, pki_tps_log_t, mysqld_db_t, proc_t,
httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t,
pki_tps_var_lib_t, pki_tps_var_run_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, mailman_archive_t, httpd_cvs_content_t,
httpd_sys_content_t, logfile, public_content_rw_t, rpm_script_tmp_t,
mailman_data_t, security_t, httpd_munin_script_exec_t, var_lock_t, sysctl_t,
httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t,
system_dbusd_var_run_t, bin_t, cert_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_cobbler_content_t, squirrelmail_spool_t,
httpd_t, httpd_bugzilla_content_t, lib_t, mnt_t, tmp_t, usr_t, var_t,
httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, httpd_nagios_script_exec_t,
rpm_tmp_t, nagios_etc_t, nagios_log_t, var_run_t, sssd_public_t,
httpd_squid_script_exec_t, httpd_awstats_rw_content_t,
httpd_w3c_validator_rw_content_t, winbind_var_run_t, cluster_conf_t, autofs_t,
device_t, devpts_t, locale_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t,
fonts_cache_t, etc_t, fonts_t, httpd_log_t, proc_t, sysfs_t, tmpfs_t,
httpd_awstats_content_t, var_lib_t, krb5_conf_t, httpd_user_rw_content_t,
httpd_config_t, httpd_nutups_cgi_content_t, sysctl_net_t, rpm_log_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, calamaris_www_t,
httpd_munin_rw_content_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, udev_tbl_t,
httpd_tmp_t, httpd_sys_script_exec_t, iso9660_t, pki_tps_etc_rw_t,
smokeping_var_lib_t, httpd_git_script_exec_t, var_lib_t, var_run_t,
mysqld_etc_t, cvs_data_t, httpd_cvs_script_exec_t, configfile, pki_ra_etc_rw_t,
dbusd_etc_t, abrt_var_run_t, httpd_squirrelmail_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, root_t, nscd_var_run_t,
pcscd_var_run_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_cobbler_content_t, httpd_bugzilla_content_t,
var_t, var_t, httpd_apcupsd_cgi_script_exec_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_sys_script_exec_t,
httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t. You can
look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:dirsrv_config_t:s0
Target Objects                /etc/dirsrv [ dir ]
Source                        httpd.worker
Source Path                   /usr/sbin/httpd.worker
Port                          <Unknown>
Host                          barfolomew.hra.local
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages           389-ds-base-1.2.6-0.8.rc3.fc13
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     barfolomew.hra.local
Platform                      Linux barfolomew.hra.local
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 15 Jul 2010 11:09:00 AM CDT
Last Seen                     Thu 15 Jul 2010 11:09:00 AM CDT
Local ID                      4120206e-3223-4145-90f9-a2e2129f42fa
Line Numbers                  

Raw Audit Messages            

node=barfolomew.hra.local type=AVC msg=audit(1279210140.552:32139): avc:  denied  { search } for  pid=12106 comm="httpd.worker" name="dirsrv" dev=dm-1 ino=1048465 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir

node=barfolomew.hra.local type=SYSCALL msg=audit(1279210140.552:32139): arch=c000003e syscall=2 success=no exit=-13 a0=7f8458060dd0 a1=80000 a2=1b6 a3=7fffa028b610 items=0 ppid=12097 pid=12106 auid=2397 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users