#1085 dogtag TLS configuration causing ns-slapd AVCs
Closed: Fixed None Opened 13 years ago by rcritten.

type=SYSCALL msg=audit(1299852348.354:93): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fffd86a25c0 a2=1c a3=0 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.354:93): avc: denied { name_bind } for pid=12044 comm="ns-slapd" src=7390 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


time->Fri Mar 11 09:05:48 2011
type=SYSCALL msg=audit(1299852348.355:94): arch=c000003e syscall=4 success=yes exit=0 a0=7fffd86a18f0 a1=7fffd86a1830 a2=7fffd86a1830 a3=7fffd86a1660 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.355:94): avc: denied { read } for pid=12044 comm="ns-slapd" name="cert8.db" dev=dm-0 ino=173411 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_config_t:s0 tclass=lnk_file

In order to do TLS we had to define an SSL port so I picked 7390. Trying to set it to resulted in an error that it had to be between 1 and 64k. We really don't need an SSL listener so if there is another way to avoid this I'd rather go that route.

I symlinked the NSS databases because they can share the same cert and it means we don't need another certmonger invocation. I was hoping this cheat would work, apparently not.
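The two AVC records quoted above each come with a matching SYSCALL record, and a defender triaging them wants the same few fields every time: the confined domain, the target type, the object class, the denied permission and the object (a port number or a file name). The following is an added example written for this page, not code from the ticket or from FreeIPA or 389-ds: a small Python parser that groups the audit records by event id, pulls those fields out and classifies the two denials seen here (a `name_bind` on a port still labelled generic `port_t`, and a `read` of a `lnk_file` because the NSS database was symlinked). The sample input is the audit text from the ticket itself; the syscall-number table and the triage hints are assumptions of the example, and the page does not say which remedy the ticket finally applied.

```python
import re
from collections import defaultdict

# Sample input: the two audit events quoted in the ticket (copied, not constructed).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1299852348.354:93): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fffd86a25c0 a2=1c a3=0 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.354:93): avc: denied { name_bind } for pid=12044 comm="ns-slapd" src=7390 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1299852348.355:94): arch=c000003e syscall=4 success=yes exit=0 a0=7fffd86a18f0 a1=7fffd86a1830 a2=7fffd86a1830 a3=7fffd86a1660 items=0 ppid=12043 pid=12044 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1299852348.355:94): avc: denied { read } for pid=12044 comm="ns-slapd" name="cert8.db" dev=dm-0 ino=173411 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrv_config_t:s0 tclass=lnk_file
"""

# Assumed mapping for arch=c000003e (x86_64); only the two numbers seen above are listed.
X86_64_SYSCALLS = {49: "bind", 4: "stat"}

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be quoted ("ns-slapd"), parenthesised ((none)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_fields(text):
    """Turn 'k=v k="v" k=(v)' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def selinux_type(context):
    """user:role:type:level -> type (e.g. dirsrv_t)."""
    return context.split(":")[2]


def parse_audit(text):
    """Group SYSCALL and AVC records by their (timestamp, serial) event id."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        key = (m["ts"], int(m["serial"]))
        if m["type"] == "AVC":
            a = AVC_RE.match(m["body"])
            if a:
                events[key]["avc"] = {"perms": a["perms"].split(), "fields": parse_fields(a["fields"])}
        elif m["type"] == "SYSCALL":
            events[key]["syscall"] = parse_fields(m["body"])
    return [events[k] for k in sorted(events)]


def triage(event):
    """Reduce one denial to the fields a policy admin acts on, plus a hint."""
    f = event["avc"]["fields"]
    perms = event["avc"]["perms"]
    sc = event.get("syscall", {})
    out = {
        "domain": selinux_type(f["scontext"]),
        "target_type": selinux_type(f["tcontext"]),
        "tclass": f["tclass"],
        "perms": perms,
        "comm": f.get("comm"),
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"])) if "syscall" in sc else None,
    }
    if f["tclass"] == "tcp_socket" and "name_bind" in perms:
        out["kind"] = "port_label"
        out["port"] = int(f["src"])
        # Assumed hint: a generic port_t port must be given a type the domain may bind
        # (semanage port is the usual tool); the ticket does not state which fix was chosen.
        out["hint"] = "port %d is %s; label it with a type %s may bind" % (out["port"], out["target_type"], out["domain"])
    elif f["tclass"] == "lnk_file":
        out["kind"] = "symlink"
        out["name"] = f.get("name")
        # The daemon followed a symlink; the symlink inode carries a type the domain cannot read.
        out["hint"] = "%s reached %r via a symlink of type %s; a real file with the expected label avoids this" % (
            out["domain"], out["name"], out["target_type"])
    else:
        out["kind"] = "other"
        out["hint"] = "no built-in hint"
    return out


def triage_all(text):
    return [triage(e) for e in parse_audit(text) if "avc" in e]


if __name__ == "__main__":
    for t in triage_all(SAMPLE_AUDIT):
        print(t["kind"], t["domain"], t["tclass"], t["perms"], "->", t["hint"])
```

The grouping by `(timestamp, serial)` is what ties the `bind()` syscall to the `name_bind` denial and the `stat()` to the `lnk_file` read, which is the detail that tells you the second denial is about following the symlink rather than about the certificate database itself.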


Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0.4 RC4 (bug fixing)

7 years ago

