#7957 SELinux is preventing ns-slapd from map access on the file /etc/pkcs11/modules/softhsm2.module
Opened 3 months ago by rcritten. Modified 3 months ago

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1710607

SELinux is preventing ns-slapd from map access on the file
/etc/pkcs11/modules/softhsm2.module.

*****  Plugin restorecon (88.2 confidence) suggests   ************************

If you want to fix the label.
/etc/pkcs11/modules/softhsm2.module default label should be
pkcs11_modules_conf_t.
Then you can run restorecon. The access attempt may have been stopped due to
insufficient permissions to access a parent directory in which case try to
change the following command accordingly.
Do
# /sbin/restorecon -v /etc/pkcs11/modules/softhsm2.module

*****  Plugin catchall_boolean (7.51 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files'
boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall_labels (4.88 confidence) suggests   *******************

If you want to allow ns-slapd to have map access on the softhsm2.module file
Then you need to change the label on /etc/pkcs11/modules/softhsm2.module
Do
# semanage fcontext -a -t FILE_TYPE '/etc/pkcs11/modules/softhsm2.module'
where FILE_TYPE is one of the following: abrt_helper_exec_t, chkpwd_exec_t,
dirsrv_exec_t, dirsrv_tmp_t, dirsrv_tmpfs_t, dirsrv_var_lib_t,
dirsrv_var_run_t, file_context_t, fonts_cache_t, fonts_t, ld_so_cache_t,
ld_so_t, lib_t, locale_t, nscd_var_run_t, pam_timestamp_exec_t, passwd_file_t,
pkcs11_modules_conf_t, prelink_exec_t, security_t, sssd_public_t,
textrel_shlib_t, updpwd_exec_t, usr_t.
Then execute:
restorecon -v '/etc/pkcs11/modules/softhsm2.module'


*****  Plugin catchall (1.37 confidence) suggests   **************************

If you believe that ns-slapd should be allowed map access on the
softhsm2.module file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ns-slapd' --raw | audit2allow -M my-nsslapd
# semodule -X 300 -i my-nsslapd.pp

Additional Information:
Source Context                system_u:system_r:dirsrv_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/pkcs11/modules/softhsm2.module [ file ]
Source                        ns-slapd
Source Path                   ns-slapd
Port                          <Unknown>
Host                          dell-r730-002-guest21.example.test
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-35.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-r730-002-guest21.example.test
Platform                      Linux dell-r730-002-guest21.example.test
                              5.0.16-300.fc30.x86_64 #1 SMP Tue May 14 19:33:09
                              UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-05-15 10:17:38 EDT
Last Seen                     2019-05-15 10:17:38 EDT
Local ID                      06233c6e-ce9f-4503-a85d-6d046b556db8

Raw Audit Messages
type=AVC msg=audit(1557929858.956:295): avc:  denied  { map } for  pid=22723
comm="ns-slapd" path="/etc/pkcs11/modules/softhsm2.module" dev="dm-0"
ino=8445201 scontext=system_u:system_r:dirsrv_t:s0
tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: ns-slapd,dirsrv_t,etc_t,file,map
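As an added illustration (not code from the ticket, FreeIPA or 389-ds), a small Python triage helper that parses the raw AVC record above and decides whether the denial is a labelling problem, the case the restorecon plugin describes, or a genuine policy gap. The expected-label table is an assumption embedded so the script runs offline; on a real host it would come from `matchpathcon` / the `selinux` bindings.

```python
import re

# Raw AVC record from the ticket above, joined back onto one line (constructed input).
AVC_LINE = (
    'type=AVC msg=audit(1557929858.956:295): avc:  denied  { map } for  pid=22723 '
    'comm="ns-slapd" path="/etc/pkcs11/modules/softhsm2.module" dev="dm-0" '
    'ino=8445201 scontext=system_u:system_r:dirsrv_t:s0 '
    'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0'
)

# Default label the restorecon plugin names for this path. Assumed table: on a
# real host you would query matchpathcon instead of hard-coding it.
EXPECTED_TYPE = {"/etc/pkcs11/modules/softhsm2.module": "pkcs11_modules_conf_t"}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')


def parse_avc(line):
    """Return the key=value fields plus the decision, permissions and context types."""
    m = _PERM_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields["decision"] = m.group(1)
    fields["perms"] = m.group(2).split()
    # A context is user:role:type:level; the type is what policy rules key on.
    for key in ("scontext", "tcontext"):
        fields[key + "_type"] = fields[key].split(":")[2]
    return fields


def triage(fields, expected=EXPECTED_TYPE):
    """Classify a file-class denial as a mislabel (fix with restorecon) or a policy gap."""
    if fields.get("tclass") != "file":
        return ("not-a-file", None)
    path = fields.get("path")
    want = expected.get(path)
    have = fields["tcontext_type"]
    if want and want != have:
        return ("mislabel", f"restorecon -v '{path}'  # {have} -> {want}")
    perms = " ".join(fields["perms"])
    return ("policy", f"{fields['scontext_type']} lacks {{ {perms} }} on {have}")


if __name__ == "__main__":
    print(triage(parse_avc(AVC_LINE)))
```

For the record in this ticket the helper reports a mislabel (etc_t where pkcs11_modules_conf_t is expected), which is why restorecon is the fix rather than a local policy module.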

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1710607

3 months ago

I suspect this is just missing a call to restore_context(filename) in the loop.

I'm confused. The code is creating a new file. I was under the impression that new files are labelled automatically with the correct label.

I haven't tried to reproduce it yet, this was just a guess. Perhaps it is rather getting created with a context that 389-ds can't read.
