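--- a/ldap/servers/snmp/main.c
+++ b/ldap/servers/snmp/main.c
@@ -454,7 +454,7 @@ load_config(char *conf_path)
 /* 8 = "/" + ".stats" + \0 */
 serv_p->stats_file = calloc(1, vlen + (instancename ? strlen(instancename) : 0) + 8);
 if (serv_p->stats_file && instancename) {
-snprintf(serv_p->stats_file, vlen + strlen(instancename) + 7,
+snprintf(serv_p->stats_file, vlen + strlen(instancename) + 8,
 "%s/%s.stats", val, instancename);
 } else {
 printf("ldap-agent: malloc error processing config file\n");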
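Review bot: The buffer size is still spelled out twice, once in the `calloc` call and again in the `snprintf` call, and the `+7`/`+8` regression this hunk repairs is exactly what happens when the two copies drift apart. Compute it once and use the same variable in both places: `size_t stats_len = vlen + (instancename ? strlen(instancename) : 0) + 8;`, `serv_p->stats_file = calloc(1, stats_len);`, `snprintf(serv_p->stats_file, stats_len, "%s/%s.stats", val, instancename);`. The `else` branch also reports a `malloc error` when `calloc` succeeded but `instancename` is NULL, which the ternary in the `calloc` line suggests is a reachable case; if so, that branch misdiagnoses a configuration problem as an allocation failure. `load_config` continues outside the hunk.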
15 changes: 15 additions & 0 deletions rpm/389-ds-base.spec.in
Expand Up @@ -210,6 +210,8 @@ Requires: zlib-devel
Requires: python3-file-magic
# Picks up our systemd deps.
%{?systemd_requires}
# Needed for work-around about setting up SELinux policy
Requires: policycoreutils-python-utils


Source0: %{name}-%{version}.tar.bz2
Expand Down Expand Up @@ -604,6 +606,19 @@ else
output2=/dev/null
fi

# Update SELinux policy
if [ -f /usr/sbin/sestatus ] ; then
pushd /var/run/dirsrv >/dev/null
/usr/bin/audit2allow -M ns-slapd-test >/dev/null <<!
type=AVC msg=audit(1775741107.400:9691): avc: denied { nnp_transition } for pid=980206 comm="(ns-slapd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_t:s0 tclass=process2 permissive=0
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we need to file a bug against selinux-policy in Fedora and RHEL if we want to make this work.

Contributor Author

@progier389 progier389 Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like we need to file a bug against selinux-policy in Fedora and RHEL if want to make this work.

Definitely!
The current work-around is only for test purposes.
We need to change the SELinux policy before being able to merge this PR.
But something looks strange with snmp:

snmpwalk -v3 -u user_name -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/  -l AuthPriv -m +RHDS-MIB -A authentication_password -a SHA -X private_password -x AES localhost .1.3.6.1.4.1.2312.6.1.1
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter64: 0
RHDS-MIB::dsSimpleAuthBinds.389 = Counter64: 0
RHDS-MIB::dsStrongAuthBinds.389 = Counter64: 0
RHDS-MIB::dsBindSecurityErrors.389 = Counter64: 0
...

but:

 ldapsearch -H ldap://localhost:389 -D "cn=directory manager" -w secret12 -b cn=snmp,cn=monitor
# extended LDIF
#
# LDAPv3
# base <cn=snmp,cn=monitor> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# snmp, monitor
dn: cn=snmp,cn=monitor
objectClass: top
objectClass: extensibleObject
cn: snmp
anonymousbinds: 0
unauthbinds: 0
simpleauthbinds: 4
strongauthbinds: 0
bindsecurityerrors: 1
...

od -x /var/run/dirsrv/slapd-i2.stats seems ok
but I do not see any error in dirsrv-agent log nor in dirsrv logs and no AVC is reported ...

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2026-04-13 13:18:42 Opening stats file (/run/dirsrv/slapd-localhost.stat) for server: 389
2026-04-13 13:18:42 Unable to open stats file (/run/dirsrv/slapd-localhost.stat) for server: 389

But the file name is /run/dirsrv/slapd-localhost.stats. Looks like a regression from 00a3e07.

Should be:

-                                snprintf(serv_p->stats_file, vlen + strlen(instancename) + 7,
+                                snprintf(serv_p->stats_file, vlen + strlen(instancename) + 8,

Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: In the meantime I realised that the problem was occurring in the main branch too and
created
#7406

type=AVC msg=audit(1775833368.436:10776): avc: denied { nnp_transition } for pid=1113882 comm="(ap-agent)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:dirsrv_snmp_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1775833368.442:10778): avc: denied { read } for pid=1113882 comm="ldap-agent" name="ldap-agent.conf" dev="dm-0" ino=12772110 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=file permissive=0

!
semodule -i ns-slapd-test.pp
popd
fi

# reload to pick up any changes to systemd files
/bin/systemctl daemon-reload >$output 2>&1 || :

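Review bot: The `ns-slapd-test` policy module loaded by `semodule -i ns-slapd-test.pp` is never unloaded: there is no matching `semodule -r ns-slapd-test >/dev/null 2>&1 || :` in `%preun`/`%postun`, so the generated allow rule for `nnp_transition` from `init_t` into `dirsrv_t` stays in the system policy after the package is removed. If the two AVC lines preceding the closing `!` are part of the heredoc as they appear to be, `audit2allow` will also emit `allow init_t dirsrv_config_t:file read;`, which widens the `init_t` domain itself rather than the agent's domain and deserves an explicit comment if it is intended. The `pushd /var/run/dirsrv` and `audit2allow` results are discarded, so a missing directory silently leaves the `.te`/`.pp` files in the scriptlet's working directory; I would gate the block with `if [ -f /usr/sbin/sestatus ] && [ -d /var/run/dirsrv ] ; then` and report a non-zero `semodule` status rather than swallowing it. The `%post` scriptlet that encloses this hunk starts outside it.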
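--- a/wrappers/systemd-snmp.service.in
+++ b/wrappers/systemd-snmp.service.in
@@ -24,6 +24,10 @@ ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+InaccessiblePaths=/dev/shm
+SystemCallFilter=~memfd_create
 
 [Install]
 WantedBy=multi-user.target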
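Review bot: `NoNewPrivileges=yes` and `MemoryDenyWriteExecute=yes` spell booleans as `yes` while every neighbouring directive in this unit, and the same additions in wrappers/systemd.template.service.in, use `true`; systemd accepts both, but `NoNewPrivileges=true` and `MemoryDenyWriteExecute=true` keep the file consistent. `SystemCallFilter=~memfd_create` carries no rationale, unlike the /dev/shm note in the template unit; a line such as `# recommended alongside MemoryDenyWriteExecute and InaccessiblePaths=/dev/shm, see systemd.exec(5)` would say why this single syscall is filtered. With SELinux enforcing, `NoNewPrivileges=` also appears to be what produces the `nnp_transition` denial for `comm="(ap-agent)"` quoted in the spec scriptlet of this PR, so the unit should record that it depends on the policy allowing that transition, otherwise removing the work-around later breaks agent start-up silently. The `[Service]` section enclosing this hunk starts outside it.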
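--- a/wrappers/systemd.template.service.in
+++ b/wrappers/systemd.template.service.in
@@ -45,6 +45,11 @@ ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+# MemoryDenyWriteExecute=yes usually also require: InaccessiblePaths=/dev/shm
+# but ns-slapd explicitly creates some files under /dev/shm
+SystemCallFilter=~memfd_create
 
 [Install]
 WantedBy=multi-user.target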
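Review bot: The comment above `SystemCallFilter=` records that `InaccessiblePaths=/dev/shm` is omitted but not that the omission is a deliberate, accepted weakening of `MemoryDenyWriteExecute=`, which is what a maintainer needs before tightening or dropping either line; I would reword it to `# MemoryDenyWriteExecute is normally paired with InaccessiblePaths=/dev/shm (systemd.exec(5)); ns-slapd creates files under /dev/shm, so that part of the hardening is knowingly left out here`, which also fixes "usually also require". `NoNewPrivileges=yes` appears to be the source of the `nnp_transition` denial for `comm="(ns-slapd)"` quoted in the spec scriptlet of this PR, so a comment tying the directive to the SELinux policy requirement belongs here too. The `[Service]` section enclosing this hunk starts outside it.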