
Issue 7391 - Harden systemd service unit#7392

Draft
progier389 wants to merge 4 commits into 389ds:main from progier389:i7391

Conversation

@progier389
Contributor

@progier389 progier389 commented Apr 9, 2026

Set NoNewPrivileges and MemoryDenyWriteExecute settings in systemd unit

Issue: #7391

Reviewed by: ?

Summary by Sourcery

Enhancements:

  • Strengthen systemd SNMP service units with additional privilege and memory protection options.

@progier389 progier389 added the work in progress Work in Progress - can be reviewed, but not ready for merge. label Apr 9, 2026
Contributor

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!

@packit-as-a-service

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo dnf install -y 'dnf*-command(copr)'
  • dnf copr enable packit/389ds-389-ds-base-7392
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

Comment thread rpm/389-ds-base.spec.in Outdated
type=AVC msg=audit(1775741107.400:9691): avc: denied { nnp_transition } for pid=980206 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1775833368.436:10776): avc: denied { nnp_transition } for pid=1113882 comm="(ap-agent)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1775833368.442:10778): avc: denied { read } for pid=1113882 comm="ldap-agent" name="ldap-agent.conf" dev="dm-0" ino=12772110 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1775834425.008:10833): avc: denied { dac_override } for pid=1114135 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=0
Member


dac_override is concerning, I think we should change the default user for ldap-agent to dirsrv, instead of running it as root.

Contributor Author


I agree that there should not be any dac_override.
But if I remember rightly, the ldap-agent uid must be root to be able to connect to snmpd.
IMHO the permissions of some config files (memory map? ldap-agent.conf? dse.ldif?) are wrong and should allow read to the dirsrv group.
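
The two things discussed above, the NoNewPrivileges=/MemoryDenyWriteExecute= directives the PR adds to the units and the nnp_transition/dac_override AVCs they surfaced, can be checked with the script below. This is an added example, not code from 389-ds-base or from anyone in this thread: the AVC records are the four posted above, the unit and drop-in texts are constructed for the example, and the `allow` rule it emits for nnp_transition is the one audit2allow would generate from those records.

```python
"""Triage helpers for the hardening discussed in this PR (added example, not
389-ds-base code).

missing_hardening(*unit_texts): parse a unit and its drop-ins and list which of
    NoNewPrivileges= / MemoryDenyWriteExecute= is not effectively enabled.
triage_avcs(lines): parse audit AVC records and tell a policy gap
    (nnp_transition) from a DAC problem (dac_override) and from denials that are
    only fallout of a domain transition that did not happen.
"""
import re

HARDENING = ("NoNewPrivileges", "MemoryDenyWriteExecute")


def parse_unit(text):
    """Return {section: {key: value}}.  As in systemd, a later assignment of a
    scalar setting replaces an earlier one (that is how a drop-in overrides)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # systemd honours full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def missing_hardening(*unit_texts):
    """Merge unit + drop-ins in load order; report directives left disabled."""
    service = {}
    for text in unit_texts:
        service.update(parse_unit(text).get("Service", {}))
    return [k for k in HARDENING
            if service.get(k, "no").lower() not in ("1", "yes", "true", "on")]


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[\w ]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """One audit AVC record -> dict; stype/ttype are the source/target types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perm": m.group("perm")}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("kv")))
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Return (kind, advice) for one denial."""
    if rec["perm"] == "nnp_transition":
        # NoNewPrivileges=yes makes systemd set PR_SET_NO_NEW_PRIVS before exec.
        # The kernel then only switches init_t -> dirsrv_t if the policy grants
        # nnp_transition; otherwise the service keeps running in init_t.  This
        # rule is what audit2allow produces and what selinux-policy has to carry.
        return "policy", f"allow {rec['stype']} {rec['ttype']}:process2 nnp_transition;"
    if rec["perm"] == "dac_override":
        # capability=1 is CAP_DAC_OVERRIDE: a root process opened something its
        # mode bits did not allow.  Fix owner/group/mode, do not allow the capability.
        return "dac", f"{rec['comm']} needed CAP_DAC_OVERRIDE in {rec['stype']}: fix file ownership/mode"
    if rec["stype"] == "init_t":
        # Same pid as the failed transition above: the binary is running in
        # init_t, so its accesses to dirsrv_* labelled objects are denied too.
        return "collateral", f"{rec['comm']} still in init_t, {rec['perm']} denied on {rec.get('name', rec['tclass'])}"
    return "other", f"{rec['perm']} on {rec['tclass']} from {rec['stype']} to {rec['ttype']}"


def triage_avcs(lines):
    return [triage(rec) for rec in map(parse_avc, lines) if rec is not None]


# Constructed sample unit and drop-in (no ExecStart= so nothing is assumed about paths).
WEAK_UNIT = "[Unit]\nDescription=constructed SNMP agent unit\n[Service]\nType=forking\n"
HARDENING_DROPIN = "[Service]\nNoNewPrivileges=yes\nMemoryDenyWriteExecute=yes\n"

# The four AVC records posted in this thread.
AVC_LINES = [
    'type=AVC msg=audit(1775741107.400:9691): avc: denied { nnp_transition } for pid=980206 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process2 permissive=0',
    'type=AVC msg=audit(1775833368.436:10776): avc: denied { nnp_transition } for pid=1113882 comm="(ap-agent)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=process2 permissive=0',
    'type=AVC msg=audit(1775833368.442:10778): avc: denied { read } for pid=1113882 comm="ldap-agent" name="ldap-agent.conf" dev="dm-0" ino=12772110 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1775834425.008:10833): avc: denied { dac_override } for pid=1114135 comm="ldap-agent" capability=1 scontext=system_u:system_r:dirsrv_snmp_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=capability permissive=0',
]

if __name__ == "__main__":
    print("weak unit lacks:", missing_hardening(WEAK_UNIT))
    print("with drop-in lacks:", missing_hardening(WEAK_UNIT, HARDENING_DROPIN))
    for kind, advice in triage_avcs(AVC_LINES):
        print(f"{kind:<10} {advice}")
```

Two caveats worth keeping in mind when reading the output. NoNewPrivileges= is the directive that needs the selinux-policy change: when nnp_transition is denied the kernel does not refuse the exec, it keeps the service in init_t, which is why the read denial on ldap-agent.conf above carries the same pid as the failed "(ap-agent)" transition. MemoryDenyWriteExecute= rejects mmap()/mprotect() requests for PROT_WRITE|PROT_EXEC together, so any plugin that JIT-compiles will break under it; `systemctl show -p NoNewPrivileges -p MemoryDenyWriteExecute <unit>` confirms what the merged unit actually ended up with.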

Comment thread rpm/389-ds-base.spec.in
if [ -f /usr/sbin/sestatus ] ; then
pushd /var/run/dirsrv >/dev/null
/usr/bin/audit2allow -M ns-slapd-test >/dev/null <<!
type=AVC msg=audit(1775741107.400:9691): avc: denied { nnp_transition } for pid=980206 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process2 permissive=0
Member


Looks like we need to file a bug against selinux-policy in Fedora and RHEL if want to make this work.

Contributor Author

@progier389 progier389 Apr 13, 2026


Looks like we need to file a bug against selinux-policy in Fedora and RHEL if want to make this work.

Definitely!
The current work-around is only for test purposes.
We need to change the SELinux policy before being able to merge this PR.
But something looks strange with snmp:

snmpwalk -v3 -u user_name -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/  -l AuthPriv -m +RHDS-MIB -A authentication_password -a SHA -X private_password -x AES localhost .1.3.6.1.4.1.2312.6.1.1
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter64: 0
RHDS-MIB::dsSimpleAuthBinds.389 = Counter64: 0
RHDS-MIB::dsStrongAuthBinds.389 = Counter64: 0
RHDS-MIB::dsBindSecurityErrors.389 = Counter64: 0
...

but:

 ldapsearch -H ldap://localhost:389 -D "cn=directory manager" -w secret12 -b cn=snmp,cn=monitor
# extended LDIF
#
# LDAPv3
# base <cn=snmp,cn=monitor> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# snmp, monitor
dn: cn=snmp,cn=monitor
objectClass: top
objectClass: extensibleObject
cn: snmp
anonymousbinds: 0
unauthbinds: 0
simpleauthbinds: 4
strongauthbinds: 0
bindsecurityerrors: 1
...

od -x /var/run/dirsrv/slapd-i2.stats seems ok
but I do not see any error in the dirsrv-agent log nor in the dirsrv logs, and no AVC is reported ...

Member


2026-04-13 13:18:42 Opening stats file (/run/dirsrv/slapd-localhost.stat) for server: 389
2026-04-13 13:18:42 Unable to open stats file (/run/dirsrv/slapd-localhost.stat) for server: 389

But the file name is /run/dirsrv/slapd-localhost.stats. Looks like a regression from 00a3e07.

Should be:

-                                snprintf(serv_p->stats_file, vlen + strlen(instancename) + 7,
+                                snprintf(serv_p->stats_file, vlen + strlen(instancename) + 8,
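Review bot: Before accepting the `+ 7` to `+ 8` change, check that the allocation of `serv_p->stats_file` is widened to match; only the snprintf size argument is visible here, and if the buffer was sized with the same `+ 7` expression this turns the truncated name (`.stat`, as the log above shows) into the terminating NUL being written one byte past the end of the buffer. Computing the size from `strlen()` of the suffix pieces used in the format string, and using that same expression for the allocation, keeps the two in step and removes the magic constant that caused the regression.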

Contributor Author


FYI: In the meantime I realised that the problem was occurring in the main branch too and created #7406

@progier389
Contributor Author

progier389 commented Apr 13, 2026

Created https://redhat.atlassian.net/browse/RHEL-167849 to update RHEL SELinux policy
and https://bugzilla.redhat.com/show_bug.cgi?id=2457951 for Fedora

@progier389
Contributor Author

Apparently the following command avoids the dac_override:
chmod 770 /run/dirsrv

@progier389 progier389 marked this pull request as draft April 22, 2026 14:10
