ds.git/selinux, branch master Unnamed repository; edit this file to name it for gitweb. Bug 594745 - Get rid of dirsrv_lib_t label 2010-08-03T17:34:47+00:00 Nathan Kinder nkinder@redhat.com 2010-07-29T22:16:44+00:00 b0b88c2096d02821060bd1b69c9ba675cd26adc3 The dirsrv_lib_t label used to label the dirsrv libraries is causing AVCs to occur from prelink. It turns out that the dirsrv_lib_t label is not really necessary. We can just allow our libraries to use the default label of lib_t. 
The dirsrv_lib_t label used to label the dirsrv libraries is causing
AVCs to occur from prelink.  It turns out that the dirsrv_lib_t
label is not really necessary.  We can just allow our libraries to
use the default label of lib_t.
Bug 613833 - Allow dirsrv_t to bind to rpc ports 2010-07-13T18:28:07+00:00 Nathan Kinder nkinder@redhat.com 2010-07-13T18:28:07+00:00 b7a93e6ba4e5c11585399078efd8ec67230afdbc The slapi-nis plug-in needs the dirsrv SELinux policy to allow ns-slapd to bind to rpc ports. This adds the appropriate macros to the dirsrv policy. 
The slapi-nis plug-in needs the dirsrv SELinux policy to allow
ns-slapd to bind to rpc ports.  This adds the appropriate macros
to the dirsrv policy.
609256 - Selinux: pwdhash fails if called via Admin Server CGI 2010-06-29T19:11:46+00:00 Noriko Hosoi nhosoi@redhat.com 2010-06-29T19:11:46+00:00 1a47871230d6cd088e08b8af42072e2560b423ec https://bugzilla.redhat.com/show_bug.cgi?id=609256 Description by nkinder@redhat.com: Our CGIs are very restricted in what they can access/run. Most of the CGIs are self contained programs (they may use libraries, which is fine). In this case, it looks like pwdhash-bin is called from the SELinux context used by CGIs (httpd_dirsrvadmin_script_t). The pwdhash-bin program then tries to load libslapd.so.0, which is labeled as dirsrv_lib_t. This should be allowed by our SELinux policy since we call this macro with the httpd_dirsrvadmin_script_t contex. What seems to be the issue here is that libslapd.so.0 is a symlink, not a regular file. SELinux considers this to be a class of "lnk_file", as can be seen in the raw AVC from /var/log/audit/audit. We need to expand the dirsrv_exec_lib macro to cover link_file. 
https://bugzilla.redhat.com/show_bug.cgi?id=609256

Description by nkinder@redhat.com:
Our CGIs are very restricted in what they can access/run.  Most of
the CGIs are self contained programs (they may use libraries, which
is fine).  In this case, it looks like pwdhash-bin is called from
the SELinux context used by CGIs (httpd_dirsrvadmin_script_t).  The
pwdhash-bin program then tries to load libslapd.so.0, which is labeled
as dirsrv_lib_t.  This should be allowed by our SELinux policy since
we call this macro with the httpd_dirsrvadmin_script_t contex.  What
seems to be the issue here is that libslapd.so.0 is a symlink, not a
regular file.  SELinux considers this to be a class of "lnk_file",
as can be seen in the raw AVC from /var/log/audit/audit.  We need to
expand the dirsrv_exec_lib macro to cover link_file.
Bug 570912 - Avoid selinux context conflict with httpd 2010-04-01T19:00:58+00:00 Nathan Kinder nkinder@redhat.com 2010-04-01T18:37:21+00:00 6f4d92143892524fe55e1a80e8ca58fd708872ae One of the dirsrv selinux module interfaces used by the admin server creates a conflict with the httpd policy. This change pulls out the conflicting rule from the interface used to extend the httpd policy. A new interface is available with the rule that was pulled out for use by the admin server CGIs (which causes no conflict for httpd). 
One of the dirsrv selinux module interfaces used by the admin
server creates a conflict with the httpd policy.  This change
pulls out the conflicting rule from the interface used to extend
the httpd policy.  A new interface is available with the rule that
was pulled out for use by the admin server CGIs (which causes no
conflict for httpd).
Fix syntax error in selinux interface. 2010-01-18T19:37:18+00:00 Nathan Kinder nkinder@redhat.com 2010-01-18T19:37:18+00:00 f6d937e8189a5ebc2d096731bf811f3b370db612 There was a simple syntax error in the dirsrv SELinux interface file. This would cause issues building the admin server SELinux policy. 
There was a simple syntax error in the dirsrv SELinux interface
file.  This would cause issues building the admin server SELinux
policy.
Bug 518084 - Fix out of order retro changelog entries 2009-12-15T22:16:04+00:00 Nathan Kinder nkinder@redhat.com 2009-12-15T22:16:04+00:00 cf0fcc51746c7e280ada377d37cdab318fd231e9 When using the retro changelog plugin, post-op plugins that perform internal operations (such as memberOf) can result in the internal operation preceeding the original operation in the changelog. The fix is to give the retro changelog a higher precedence than the other post-op plugins. This required some core server changes to be made around the plugin precedence to allow an object plugin to pass it's precedence into it's calls to slapi_register_plugin() when it registers other plugin types. I added an update LDIF to set the plugin precedence when running "setup-ds.pl -u". I also noticed an AVC when restarting after the update due to the schema.bak directory that is created. I've adjusted the dirsrv SELinux policy to deal with this AVC. 
When using the retro changelog plugin, post-op plugins that perform
internal operations (such as memberOf) can result in the internal
operation preceeding the original operation in the changelog.

The fix is to give the retro changelog a higher precedence than the
other post-op plugins.  This required some core server changes to
be made around the plugin precedence to allow an object plugin to
pass it's precedence into it's calls to slapi_register_plugin()
when it registers other plugin types.

I added an update LDIF to set the plugin precedence when running
"setup-ds.pl -u".  I also noticed an AVC when restarting after the
update due to the schema.bak directory that is created.  I've
adjusted the dirsrv SELinux policy to deal with this AVC.
Allow dirsrv_t to have fsetid capability 2009-12-11T18:04:36+00:00 Nathan Kinder nkinder@redhat.com 2009-12-11T18:04:36+00:00 24e6ca2262e1fa9114fb80b5d2f32205379d3a97 I ran into an SELinux violation during some testing. This patch allows ns-slapd to have the fsetid capability on itself, which eliminates the AVC. 
I ran into an SELinux violation during some testing.  This patch
allows ns-slapd to have the fsetid capability on itself, which
eliminates the AVC.
Allow dirsrv_t to log to a fifo in SELinux policy. 2009-11-24T18:35:30+00:00 Nathan Kinder nkinder@redhat.com 2009-11-23T17:48:50+00:00 b2e2a3f5294707e1ccf2b25fd281ce3653dac819 This patch changes the SELinux dirsrv policy to allow ns-slapd to log to a fifo file. Author: nkinder (Thanks!) Tested on RHEL5 i386 
This patch changes the SELinux dirsrv policy to allow ns-slapd to
log to a fifo file.
Author: nkinder (Thanks!)
Tested on RHEL5 i386
529909 - Update SELinux policy for SASL GSSAPI 2009-10-30T15:44:34+00:00 Nathan Kinder nkinder@redhat.com 2009-10-30T15:44:34+00:00 027e8a4fbd4761a5c7ae4a9cc82befe4741e2dd5 The dirsrv SELinux policy needs some changes to allow SASL GSSAPI authentication to work. We need to allow ns-slapd to read the krb5.conf file and to create the in memory credentials cache. The kerberos libraries also attempt to open the krb5.conf in write mode, so we need to prevent those attempts from being audited. 
The dirsrv SELinux policy needs some changes to allow SASL GSSAPI
authentication to work.  We need to allow ns-slapd to read the
krb5.conf file and to create the in memory credentials cache.  The
kerberos libraries also attempt to open the krb5.conf in write mode,
so we need to prevent those attempts from being audited.
Extend dirsrv SELinux policy interface. 2009-10-22T21:56:06+00:00 Nathan Kinder nkinder@redhat.com 2009-10-22T21:56:06+00:00 41fa124aeec3b6bc86f28d69aeccb0e02f382aeb The dirsrv SELinux policy interface needed to be extended to allow the confined Admin Server the proper permissions to interact with the Directory Server. 
The dirsrv SELinux policy interface needed to be extended to
allow the confined Admin Server the proper permissions to
interact with the Directory Server.