| Summary: | sec-policy/selinux-puppet ldap use flag not honored | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
| Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | ||
| Severity: | normal | CC: | prometheanfire, selinux |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
Indeed, ldap connectivity isn't allowed (yet) by the policy. Consider this confirmed ;-)
If you need a local workaround, create a file with the following contents:
policy_module(localmod,1.0)
require {
type puppet_t;
}
corenet_tcp_connect_ldap_port(puppet_t)
corenet_sendrecv_ldap_client_packets(puppet_t)
Then run "make -f /usr/share/selinux/strict/include/Makefile localmod.pp" after which you can run "semodule -i localmod.pp" to load in the updated policy.
Hmm I'm wondering if this is sufficient or not. Can you test that test module out to see if that helps? There is another interface available that allows send_msg and recv_msg but I'm not sure if that is needed here. Seems to be working in overlay In hardened-dev overlay. In portage tree (~arch) |
type=AVC msg=audit(1312294578.971:872): avc: denied { name_connect } for pid=1733 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket Reproducible: Always Steps to Reproduce: run the puppet client when ldap is enabled as a use flag (I don't even have it being used in the puppet config)