path: root/ldap/admin/src/scripts/exampleupdate.ldif
author: Noriko Hosoi <nhosoi@redhat.com> 2010-06-29 12:11:46 -0700
committer: Noriko Hosoi <nhosoi@redhat.com> 2010-06-29 12:11:46 -0700
commit: 1a47871230d6cd088e08b8af42072e2560b423ec
tree: d91f786600a55531da62131b0ac14ab1e90d4bbc /ldap/admin/src/scripts/exampleupdate.ldif
parent: 7482698b041e4882b4d0ca66d06dfd833657b6f3
609256 - Selinux: pwdhash fails if called via Admin Server CGI
https://bugzilla.redhat.com/show_bug.cgi?id=609256

Description by nkinder@redhat.com:

Our CGIs are very restricted in what they can access/run. Most of the CGIs are self-contained programs (they may use libraries, which is fine). In this case, it looks like pwdhash-bin is called from the SELinux context used by CGIs (httpd_dirsrvadmin_script_t). The pwdhash-bin program then tries to load libslapd.so.0, which is labeled as dirsrv_lib_t. This should be allowed by our SELinux policy since we call this macro with the httpd_dirsrvadmin_script_t context. What seems to be the issue here is that libslapd.so.0 is a symlink, not a regular file. SELinux considers this to be a class of "lnk_file", as can be seen in the raw AVC from /var/log/audit/audit. We need to expand the dirsrv_exec_lib macro to cover link_file.
Diffstat (limited to 'ldap/admin/src/scripts/exampleupdate.ldif')
0 files changed, 0 insertions, 0 deletions
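
The diagnosis in the commit message rests on reading the object class (`tclass`) out of the raw AVC records. The Python below is an added example, not part of the commit or the project's code: it groups denials for one source/target type pair by command and object class, so a `lnk_file` denial on a label that is otherwise allowed stands out. The audit records are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1277838706.101:411): avc:  denied  { read } for  pid=2301 comm="pwdhash-bin" name="libslapd.so.0" dev=dm-0 ino=90112 scontext=system_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:dirsrv_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1277838706.105:412): avc:  denied  { getattr } for  pid=2301 comm="pwdhash-bin" name="libslapd.so.0" dev=dm-0 ino=90112 scontext=system_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:dirsrv_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1277838710.220:419): avc:  denied  { write } for  pid=2310 comm="httpd" name="access" dev=dm-0 ino=771 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1277838706.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="pwdhash-bin"
"""

# Fields of an AVC denial: permission set, command, both contexts, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def denials_by_class(log_text, source_type, target_type):
    """Map (comm, tclass) to the sorted permissions denied for one type pair."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue
        if (context_type(m["scontext"]), context_type(m["tcontext"])) != (source_type, target_type):
            continue
        found[(m["comm"], m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in found.items()}

if __name__ == "__main__":
    report = denials_by_class(SAMPLE_AUDIT_LOG, "httpd_dirsrvadmin_script_t", "dirsrv_lib_t")
    for (comm, tclass), perms in report.items():
        print(f"{comm}: class {tclass} denied {{ {' '.join(perms)} }}")
```

A result that lists only `lnk_file` for a target type the policy is meant to allow points at a rule that covers the `file` class but not symlinks carrying the same label.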