Bug
Resolution: Done-Errata
Blocker
dirsrv-12.0
None
rhel-sst-idm-ds
0
False
Yes
None
Bug Fix
Proposed
Description of problem:
Customer wants to understand why they are being told to implement custom SELinux policies for a Red Hat-supplied application.
The sos reports are from 2 different machines that are theoretically identical in software installation and configuration; however, one of them works correctly with SELinux Enforcing, so why is the other one requesting that? Why does the ldap-agent need to have the dac_override capability? Shouldn't that be delivered by default?
Version-Release number of selected component (if applicable):
Working System
Hostname : ldap-dm1
OS Version: 9.3 (Plow)
389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:34 2024
389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 15:48:56 2024
Failing System
Hostname : ldap-dm2
OS Version: 9.3 (Plow)
389-ds-base-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:54:07 2024
389-ds-base-libs-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:53:37 2024
389-ds-base-snmp-2.3.6-8.module+el9dsrv+20821+6bc979c1.x86_64 Wed Jan 31 14:55:25 2024
How reproducible:
I couldn't reproduce it yet.
Actual results:
Recommended the customer run `fixfiles -F onboot` to check if any SELinux-related issues are causing this.
Customer notes:
I set 'enforcing=0' on the kernel command line, used "fixfiles -F onboot", and rebooted to relabel the system. dirsrv-snmp then started up OK (without any new 'avc denied' messages) - BUT I am still seeing 'avc denied' errors for the dirsrv-snmp (ldap-agent) process when I shut it down (the same 3 messages - one for "dac_override", and two for access to *.stats files on ephemeral file systems).
~~~
type=AVC msg=audit(1711084375.582:170): avc: denied { dac_override } for pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1711084390.591:175): avc: denied
type=AVC msg=audit(1711084405.600:180): avc: denied { map } for pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive
~~~
Expected results:
No AVC denials related to ldap-agent and the dirsrv_snmp* context, since this should be something standard from the OS.
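The denials above are the raw material for answering the customer's question: before writing a local module, a practitioner wants to know whether the shipped policy already allows (or deliberately silences) each access, and to see the whole set of denials reduced to the rules audit2allow would generate. The script below is an added example, not code from the ticket or from 389-ds-base; it parses AVC records into audit2allow-style allow rules and emits the matching sesearch queries (from setools) to run against the installed policy. The AVC_SAMPLE records are constructed for the example, modelled on the ticket's lines; the middle record (read/write on a .stats file) is invented to stand in for the truncated second denial. Function names (avc_parse, avc_rules, avc_checks) are hypothetical.

```shell
#!/bin/sh
# Constructed sample AVC records modelled on the ticket (not copied verbatim;
# the second record is invented to show a multi-permission file denial).
AVC_SAMPLE='type=AVC msg=audit(1711084375.582:170): avc:  denied  { dac_override } for  pid=2742 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1711084390.591:175): avc:  denied  { read write } for  pid=2742 comm="ldap-agent" path="/dev/shm/slapd-ldap-dm2.stats" dev="tmpfs" ino=5 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711084405.600:180): avc:  denied  { map } for  pid=2742 comm="ldap-agent" path="/dev/shm/sem.slapd-ldap-dm2.stats" dev="tmpfs" ino=7 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:object_r:dirsrv_tmpfs_t:s0 tclass=file permissive=1'

# avc_parse MODE: read AVC records on stdin, group the denied permissions by
# (source type, target type, class), and print either the allow rules
# audit2allow would emit (MODE=rules) or sesearch queries that show whether
# the installed policy already allows (-A) or dontaudits (-D) the access
# (MODE=checks). Hypothetical helper written for this example.
avc_parse() {
  awk -v mode="$1" '
  /avc: *denied *[{]/ {
    perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
    s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
    t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
    c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
    key = sa[3] " " ta[3] " " c           # user:role:TYPE:level -> field 3 is the type
    n = split(perms, pa, " ")
    for (i = 1; i <= n; i++)
      if (!seen[key, pa[i]]++) perm[key] = perm[key] pa[i] " "
  }
  END {
    for (k in perm) {
      split(k, f, " "); p = perm[k]; sub(/ $/, "", p)
      if (mode == "rules") {
        # Same source and target type is written as "self", as audit2allow does.
        print "allow " f[1] " " (f[1] == f[2] ? "self" : f[2]) ":" f[3] " { " p " };"
      } else {
        pc = p; gsub(/ /, ",", pc)         # sesearch -p takes a comma-separated list
        print "sesearch -A -s " f[1] " -t " f[2] " -c " f[3] " -p \"" pc "\""
        print "sesearch -D -s " f[1] " -t " f[2] " -c " f[3] " -p \"" pc "\""
      }
    }
  }' | sort
}
avc_rules()  { avc_parse rules; }
avc_checks() { avc_parse checks; }

# Stand-alone run: show the rules, then the queries to verify them on the host.
printf '%s\n' "$AVC_SAMPLE" | avc_rules
printf '%s\n' "$AVC_SAMPLE" | avc_checks
```

Two caveats worth keeping in mind when reading the output. A `capability` denial for `dac_override` (capability=1 in the record is CAP_DAC_OVERRIDE) means the process tried to bypass the ordinary owner/group/mode check on some object; granting it in a local module lets the whole dirsrv_snmp_t domain bypass DAC on everything, so first look at the SYSCALL and PATH records paired with the AVC (`ausearch -m AVC,SYSCALL,PATH -c ldap-agent`) to see which file the agent could not open and whether its ownership is the real problem. And an `-A` query returning nothing while `-D` matches tells you the shipped policy chose to silence that access rather than permit it, which is the usual explanation for the "identical" machine that never logs the denial; add `-ep` to sesearch if you need the permission set to match exactly rather than any listed permission.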
External trackers / links to:
RHBA-2024:136844 redhat-ds:12 bug fix update