View Issue Details

ID: 0008337
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2015-03-24 22:17
Reporter: xuhdev
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform:
OS: CentOS
OS Version: 7
Product Version: 7.0-1406
Target Version:
Fixed in Version:
Summary: 0008337: SELinux prevents /usr/sbin/slappasswd from 'execmod' accesses on the file
Description:
Executing slappasswd in a container causes the following error:

SELinux is preventing /usr/sbin/slappasswd from execmod access on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that slappasswd should be allowed execmod access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep slappasswd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:svirt_lxc_net_t:s0:c558,c619
Target Context system_u:object_r:svirt_sandbox_file_t:s0:c558,c619
Target Objects [ file ]
Source slappasswd
Source Path /usr/sbin/slappasswd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7_0.13.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.10.0-123.20.1.el7.x86_64 #1 SMP Thu Jan 29 18:05:33 UTC 2015 x86_64 x86_64
Alert Count 2
First Seen 2015-03-24 10:01:36 PDT
Last Seen 2015-03-24 10:01:36 PDT
Local ID db3fa383-0e4e-4fdd-8a23-a70f949f5f6c

Raw Audit Messages
type=AVC msg=audit(1427216496.973:496): avc: denied { execmod } for pid=3073 comm="slapadd" path="/usr/sbin/slapadd" dev="dm-1" ino=530098 scontext=system_u:system_r:svirt_lxc_net_t:s0:c558,c619 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c558,c619 tclass=file


type=SYSCALL msg=audit(1427216496.973:496): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f6937fb6000 a1=12a000 a2=5 a3=7f69375d1428 items=0 ppid=46 pid=3073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=slapadd exe=/usr/sbin/slapadd subj=system_u:system_r:svirt_lxc_net_t:s0:c558,c619 key=(null)

Hash: slappasswd,svirt_lxc_net_t,svirt_sandbox_file_t,file,execmod
Steps To Reproduce:
yum install docker
systemctl start docker
docker run -t -i debian /bin/bash
apt-get update && apt-get install slapd

The error would show up during installation
Additional Information:
This bug has been reported and seems to have been fixed in Fedora 21:

https://bugzilla.redhat.com/show_bug.cgi?id=1129706

Here is the fix in Fedora:

https://github.com/fedora-selinux/selinux-policy/commit/00660273f83ee1cfb19365f761863760ac2ed3c0

Can you back port the fix? Thanks!
Tags: No tags attached.
abrt_hash:
URL:

Activities

xuhdev

2015-03-24 22:17

reporter   ~0022589

This bug still exists in CentOS 7.1

Issue History

Date Modified | Username | Field | Change
2015-03-24 17:37 | xuhdev | New Issue |
2015-03-24 22:17 | xuhdev | Note Added: 0022589 |