| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
The dirsrv_lib_t label used to label the dirsrv libraries is causing
AVCs to occur from prelink. It turns out that the dirsrv_lib_t
label is not really necessary. We can just allow our libraries to
use the default label of lib_t.
|
| |
|
|
|
|
| |
The slapi-nis plug-in needs the dirsrv SELinux policy to allow
ns-slapd to bind to rpc ports. This adds the appropriate macros
to the dirsrv policy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=609256
Description by nkinder@redhat.com:
Our CGIs are very restricted in what they can access/run. Most of
the CGIs are self contained programs (they may use libraries, which
is fine). In this case, it looks like pwdhash-bin is called from
the SELinux context used by CGIs (httpd_dirsrvadmin_script_t). The
pwdhash-bin program then tries to load libslapd.so.0, which is labeled
as dirsrv_lib_t. This should be allowed by our SELinux policy since
we call this macro with the httpd_dirsrvadmin_script_t contex. What
seems to be the issue here is that libslapd.so.0 is a symlink, not a
regular file. SELinux considers this to be a class of "lnk_file",
as can be seen in the raw AVC from /var/log/audit/audit. We need to
expand the dirsrv_exec_lib macro to cover link_file.
|
| |
|
|
|
|
|
|
|
| |
One of the dirsrv selinux module interfaces used by the admin
server creates a conflict with the httpd policy. This change
pulls out the conflicting rule from the interface used to extend
the httpd policy. A new interface is available with the rule that
was pulled out for use by the admin server CGIs (which causes no
conflict for httpd).
|
| |
|
|
|
|
| |
There was a simple syntax error in the dirsrv SELinux interface
file. This would cause issues building the admin server SELinux
policy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using the retro changelog plugin, post-op plugins that perform
internal operations (such as memberOf) can result in the internal
operation preceeding the original operation in the changelog.
The fix is to give the retro changelog a higher precedence than the
other post-op plugins. This required some core server changes to
be made around the plugin precedence to allow an object plugin to
pass it's precedence into it's calls to slapi_register_plugin()
when it registers other plugin types.
I added an update LDIF to set the plugin precedence when running
"setup-ds.pl -u". I also noticed an AVC when restarting after the
update due to the schema.bak directory that is created. I've
adjusted the dirsrv SELinux policy to deal with this AVC.
|
| |
|
|
|
|
| |
I ran into an SELinux violation during some testing. This patch
allows ns-slapd to have the fsetid capability on itself, which
eliminates the AVC.
|
| |
|
|
|
|
|
| |
This patch changes the SELinux dirsrv policy to allow ns-slapd to
log to a fifo file.
Author: nkinder (Thanks!)
Tested on RHEL5 i386
|
| |
|
|
|
|
|
|
| |
The dirsrv SELinux policy needs some changes to allow SASL GSSAPI
authentication to work. We need to allow ns-slapd to read the
krb5.conf file and to create the in memory credentials cache. The
kerberos libraries also attempt to open the krb5.conf in write mode,
so we need to prevent those attempts from being audited.
|
| |
|
|
|
|
| |
The dirsrv SELinux policy interface needed to be extended to
allow the confined Admin Server the proper permissions to
interact with the Directory Server.
|
| |
|
|
|
|
|
|
|
|
| |
This adds a number of interface macros to the dirsrv SELinux policy
module. These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.
I also made some changes to the setup code that labels newly created
directories. When the first instance is created, some top-level
directories are created that were not being labeled properly.
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
| |
The admin_pattern macro is not available on RHEL5, so we
shouldn't attempt to use it. Aside from that, we don't
need all of the permission that admin_pattern grants. We
should just use the manage_files_pattern macro instead.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds SELinux policy to confine the SNMP subagent (ldap-agent).
There were some changes required around the aubagent to make it
work in a more standard fashion.
I moved the ldap-agent binary and wrapper to sbindir. It was
previously in bindir, yet it is not a user command. The location
really should be sbindir per FHS.
I added init scripts for the subagent, so it can now be managed
using "service dirsrv-snmp [start|stop|restart|condrestart|status]".
While doing this, I found that the parent process was exiting with
1 on success instead of 0, so I fixed that.
I added a default config file for the subagent as well. When using
the init script, the config file is hardcoded into this standard
location. Having this config template should also hopefully cut
down on configuration errors since it's self documenting.
The pid file location was also changed to go into /var/run per FHS.
Previously, it was written to the same directory as the log file.
There are a few notes in the policy .te file about some bugs that
we are working around for now. These bugs are mainly minor issues
in the snmp policy that is a part of the selinux-policy pacakge.
Once those bugs are fixed, we can clean our policy .te file up.
|
| |
|
|
|
| |
We need to allow ns-slapd to manage the ldapi socket in the
dirsrv SELinux policy. This patch adds the proper rules.
|
|
|
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon. The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.
The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.
To use the dirsrv policy module, the module will need to be loaded
using the semodule utility. It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file when in the
case of using a RPM package.
|
