Red Hat Directory Server / DIRSRV-76

dirsrv-snmp is showing multiple AVC denials for ldap-agent related to dac_override


    • Bug
    • Resolution: Unresolved
    • Blocker
    • dirsrv-12.5
    • dirsrv-12.0
    • 389-ds-base
    • sst_idm_ds
    • Bug Fix
    • SELinux was reporting an AVC error when the directory server SNMP agent was used, and the agent failed to start if the SELinux policy was enforced. The agent's permissions and the SELinux policy have been changed to fix this issue.
    • Proposed

      Description of problem:

      Customer wants to understand why they are being told to implement custom SELinux policies for a Red Hat-supplied application.

      The sos reports come from two different machines that are, in theory, identical in software installation and configuration, yet one of them works correctly with SELinux in enforcing mode while the other requests a custom policy. Why does ldap-agent need the dac_override capability? Should that not be delivered by default?

      Version-Release number of selected component (if applicable):

      Working System
      Hostname : ldap-dm1
      OS Version: 9.3 (Plow)
      389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
      389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
      389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:56 2024

      Failing System
      Hostname : ldap-dm2
      OS Version: 9.3 (Plow)

      389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:54:07 2024
      389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:53:37 2024
      389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:55:25 2024

      How reproducible:
      I couldn't reproduce it yet.

      Actual results:

      Recommended that the customer run `fixfiles -F onboot` to check whether a mislabelled file system was causing the SELinux denials.

      Customer notes:

      I set 'enforcing=0' on the kernel command line, used "fixfiles -F onboot", and rebooted to relabel the system. dirsrv-snmp then started up OK (without any new 'avc denied' messages) - BUT I am still seeing 'avc denied' errors for the dirsrv-snmp (ldap-agent) process when I shut it down (the same 3 messages - one for "dac_override", and two for access to *.stats files on ephemeral file systems).

      ~~~
      type=AVC msg=audit(1711084375.582:170): avc: denied { dac_override } for pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
      type=AVC msg=audit(1711084390.591:175): avc: denied { map } for pid=2742 comm="ldap-agent" path="/run/dirsrv/slapd-ldap-dm2.stats" dev="tmpfs" ino=1387 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1711084405.600:180): avc: denied { map } for pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive
      ~~~

      Expected results:

      No AVC denials related to ldap-agent and the dirsrv_snmp* context, since this should be standard behaviour shipped with the OS.
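      As an added triage helper (not code from this report or from 389-ds), the Python below parses the three AVC records quoted above and separates the capability denial from the file `map` denials. The three records are embedded as constructed input, and the truncated `permissive` field of the last record is assumed to be `permissive=1`, matching the enforcing=0 boot the customer describes.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three records quoted in the report, rejoined
# into one audit line each. The third record's truncated "permissive" field is
# assumed to be permissive=1 (the customer booted with enforcing=0).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1711084375.582:170): avc: denied { dac_override } for pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1711084390.591:175): avc: denied { map } for pid=2742 comm="ldap-agent" path="/run/dirsrv/slapd-ldap-dm2.stats" dev="tmpfs" ino=1387 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711084405.600:180): avc: denied { map } for pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class Denial:
    perms: list   # permissions inside { ... }, e.g. ["dac_override"] or ["map"]
    fields: dict  # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def enforced(self) -> bool:
        """True only when the kernel really blocked the access (permissive=0)."""
        return self.fields.get("permissive") == "0"

    def hint(self) -> str:
        """Which kind of fix this denial usually points at."""
        if self.fields.get("tclass") == "capability" and "dac_override" in self.perms:
            # The kernel consults CAP_DAC_OVERRIDE only after the ordinary uid/gid/mode
            # check on a file has failed, so look at file ownership before policy.
            return "check ownership/mode of the files the agent opens"
        if self.fields.get("tclass") == "file":
            return "policy must allow {%s} on %s" % (" ".join(self.perms), self.fields.get("tcontext"))
        return "inspect manually"

def parse_avc(text: str, comm: str = "ldap-agent") -> list:
    """Return the AVC denials recorded for process `comm`; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        if fields.get("comm") == comm:
            out.append(Denial(m.group("perms").split(), fields))
    return out
```

      On a live system the same parser can be fed the output of `ausearch -m AVC -c ldap-agent`; a denial with `permissive=1` was logged but never blocked, which is why the customer still saw the records after relabelling.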

              idm-ds-dev-bugs (IdM DS Dev)
              rhn-support-dcamilof (Daniel Camilo Filho)
              IdM DS QE
              Evgenia Martyniuk