Bug
Resolution: Unresolved
Blocker
dirsrv-12.0
sst_idm_ds
Bug Fix
SELinux reported AVC denials when the directory server SNMP agent (ldap-agent) was used, and the agent failed to start when SELinux policy was enforced. The agent's permissions and the SELinux policy have been changed to fix this issue.
Proposed
Description of problem:
Customer wants to understand why they are being told to implement custom SELinux policies for a Red Hat-supplied application.
The sos reports are from 2 different machines that are theoretically identical in software installation and configuration; however, one of them works correctly with SELinux Enforcing, so why is the other one requesting that? Why does the ldap-agent need to have the dac_override capability? Should that not be delivered by default?
Version-Release number of selected component (if applicable):
Working System
Hostname : ldap-dm1
OS Version: 9.3 (Plow)
389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:56 2024
Failing System
Hostname : ldap-dm2
OS Version: 9.3 (Plow)
389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:54:07 2024
389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:53:37 2024
389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:55:25 2024
How reproducible:
I couldn't reproduce it yet.
Actual results:
Recommended the customer run `fixfiles -F onboot` to check if any SELinux-related issues are causing this.
Customer notes:
I set 'enforcing=0' on the kernel command line, used "fixfiles -F onboot", and rebooted to relabel the system. dirsrv-snmp then started up OK (without any new 'avc denied' messages), BUT I am still seeing 'avc denied' errors for the dirsrv-snmp (ldap-agent) process when I shut it down (the same 3 messages: one for "dac_override", and two for access to *.stats files on ephemeral file systems).
~~~
type=AVC msg=audit(1711084375.582:170): avc: denied { dac_override } for pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1711084390.591:175): avc: denied
type=AVC msg=audit(1711084405.600:180): avc: denied { map } for pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive
~~~
Expected results:
No AVC denials related to ldap-agent and the dirsrv_snmp* context, since it should be something standard from the OS.
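Added triage helper (not part of this report or of the 389-ds project): it parses AVC records of the shape quoted above, one record per line as `ausearch -m AVC -c ldap-agent` or the raw audit.log emits them, collapses them into the audit2allow-style rules a local policy module would contain, and attaches the check a practitioner wants before shipping such a rule. The point it makes is the one behind the customer's question: a `dac_override` denial is a symptom of file ownership or mode, not a rule to grant, whereas the `map` on `dirsrv_tmpfs_t` under /dev/shm is a genuine gap in the shipped policy. The sample input is constructed: the two records from the report are re-joined onto one line each, the truncated `permissive` is assumed to be `permissive=1`, and the third record (path, inode, perms) is invented to stand in for the second *.stats denial the customer mentions.

```python
import re
from collections import defaultdict

# Constructed sample (not the customer's full audit log): records 1 and 2 are
# the report's lines re-joined; "permissive=1" on record 2 and all of record 3
# (path, ino, perms) are assumptions made for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1711084375.582:170): avc: denied { dac_override } for pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1711084405.600:180): avc: denied { map } for pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711084405.601:181): avc: denied { read write } for pid=2742 comm="ldap-agent" path="/dev/shm/slapd-ldap-dm2.stats" dev="tmpfs" ino=8 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
"""

# "type=AVC msg=audit(<secs>:<serial>): avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (path, comm) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC or truncated lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial"),
           "perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    if "scontext" not in rec or "tcontext" not in rec or "tclass" not in rec:
        return None
    # the SELinux type is the third field of a user:role:type:level context
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def group_records(records):
    """Group records by (source type, target type, object class), as audit2allow does."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["stype"], r["ttype"], r["tclass"])].append(r)
    return groups


def allow_rules(records):
    """Collapse records into 'allow src tgt:class { perms };' lines, sorted."""
    rules = []
    for (src, tgt, cls), recs in sorted(group_records(records).items()):
        perms = sorted({p for r in recs for p in r["perms"]})
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};")
    return rules


def triage(records):
    """Map each collapsed rule to the check to do before granting it."""
    notes = {}
    for key, recs in group_records(records).items():
        rule = allow_rules(recs)[0]
        perms = {p for r in recs for p in r["perms"]}
        paths = sorted({r["path"] for r in recs if "path" in r})
        if key[2] == "capability" and "dac_override" in perms:
            # CAP_DAC_OVERRIDE is consulted only when the DAC check already failed:
            # typically a root process opening a file whose owner and mode exclude
            # root. The fix is the file's ownership or mode, not the capability.
            note = ("do not grant: find the file ldap-agent opens whose owner/mode "
                    "exclude it (ls -lZ on its state and stats files) and fix that")
        elif key[2] == "file" and paths and all(p.startswith("/dev/shm/") for p in paths):
            note = (f"policy gap: {key[0]} needs {sorted(perms)} on {key[1]} for "
                    f"{', '.join(paths)}; relabeling will not help, the rule must ship")
        else:
            note = "review manually"
        if any(r.get("permissive") == "1" for r in recs):
            note += "; logged while permissive, so this blocks the agent when enforcing"
        notes[rule] = note
    return notes


if __name__ == "__main__":
    recs = [r for r in map(parse_avc, SAMPLE_AUDIT.splitlines()) if r]
    for rule, note in triage(recs).items():
        print(rule)
        print("   ", note)
```

On a real system the same comparison between ldap-dm1 and ldap-dm2 is `ausearch -m AVC -c ldap-agent` on each host piped into this script, followed by `semodule -l` on the working host to see whether a local module is already masking the denials there.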
External trackers:
RHBA-2024:136844 redhat-ds:12 bug fix update