| author | Noriko Hosoi <nhosoi@redhat.com> | 2010-06-29 12:11:46 -0700 |
|---|---|---|
| committer | Noriko Hosoi <nhosoi@redhat.com> | 2010-06-29 12:11:46 -0700 |
| commit | 1a47871230d6cd088e08b8af42072e2560b423ec (patch) | |
| tree | d91f786600a55531da62131b0ac14ab1e90d4bbc | |
| parent | 7482698b041e4882b4d0ca66d06dfd833657b6f3 (diff) | |
609256 - Selinux: pwdhash fails if called via Admin Server CGI
https://bugzilla.redhat.com/show_bug.cgi?id=609256
Description by nkinder@redhat.com:
Our CGIs are very restricted in what they can access/run. Most of
the CGIs are self contained programs (they may use libraries, which
is fine). In this case, it looks like pwdhash-bin is called from
the SELinux context used by CGIs (httpd_dirsrvadmin_script_t). The
pwdhash-bin program then tries to load libslapd.so.0, which is labeled
as dirsrv_lib_t. This should be allowed by our SELinux policy since
we call this macro with the httpd_dirsrvadmin_script_t context. What
seems to be the issue here is that libslapd.so.0 is a symlink, not a
regular file. SELinux considers this to be a class of "lnk_file",
as can be seen in the raw AVC from /var/log/audit/audit. We need to
expand the dirsrv_exec_lib macro to cover link_file.
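As an added example, not part of this commit or the 389-ds project, here is a small Python parser that reads raw AVC denial records of the kind the description refers to and derives, per source type, target type and object class, the allow rule a policy interface would need. The audit lines are constructed; `exec_file_perms` and `search_dir_perms` are the macro names visible in the hunk, and `read_lnk_file_perms` is the refpolicy macro for following a symlink.

```python
import re

# Constructed sample audit records modelled on the denial the commit
# describes (pwdhash-bin in httpd_dirsrvadmin_script_t following the
# libslapd.so.0 symlink labelled dirsrv_lib_t). Not from a real log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1277830306.123:45): avc:  denied  { read } for  pid=1234 comm="pwdhash-bin" name="libslapd.so.0" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:dirsrv_lib_t:s0 tclass=lnk_file
type=AVC msg=audit(1277830307.456:46): avc:  denied  { execute } for  pid=1234 comm="pwdhash-bin" path="/usr/lib64/dirsrv/libslapd.so.0.0.0" dev=sda1 ino=5679 scontext=system_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:dirsrv_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1277830306.123:45): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields of an AVC denial: permissions in braces, then source/target
# contexts and the target object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# refpolicy permission-set macros keyed by object class (assumed mapping).
PERM_MACRO = {
    "dir": "search_dir_perms",
    "file": "exec_file_perms",
    "lnk_file": "read_lnk_file_perms",  # symlinks are read and followed, not executed
}


def type_of(context):
    """Return the type component of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc_denials(audit_text):
    """Extract (perms, source type, target type, class) from AVC records."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no AVC fields
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def suggest_allow_rules(denials):
    """Collapse denials into the allow rules a policy interface would need."""
    rules = set()
    for d in denials:
        macro = PERM_MACRO.get(d["tclass"], "{ " + " ".join(sorted(d["perms"])) + " }")
        rules.add("allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], macro))
    return sorted(rules)
```

Note that a denial on class `lnk_file` is reported separately from the denial on the regular file it points to, which is why a rule for the `file` class alone leaves the symlink unreadable.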
-rw-r--r-- | selinux/dirsrv.if | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if index 56eda43d..ed88fb22 100644 --- a/selinux/dirsrv.if +++ b/selinux/dirsrv.if @@ -189,6 +189,7 @@ interface(`dirsrv_exec_lib',` allow $1 dirsrv_lib_t:dir search_dir_perms; allow $1 dirsrv_lib_t:file exec_file_perms; + allow $1 dirsrv_lib_t:link_file exec_file_perms; # Not all platforms include ioctl in exec_file_perms allow $1 dirsrv_lib_t:file ioctl; ') |
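Review bot: the added line `+ allow $1 dirsrv_lib_t:link_file exec_file_perms;` names the object class `link_file`, but the SELinux class for symbolic links, and the class the commit description says the raw AVC reported, is `lnk_file`; checkpolicy rejects rules on an unknown class, so the interface will fail to build as written. A symlink is only read and followed by the loader, not executed, so the conventional permission set is `read_lnk_file_perms` ({ getattr read }) rather than `exec_file_perms`; suggest `allow $1 dirsrv_lib_t:lnk_file read_lnk_file_perms;`, with a one-line comment that libslapd.so.0 is a symlink to the versioned library so the next reader knows why the rule is there.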