Attachment 604566 Details for Bug 848339 – File: description

File: description

description (text/plain), 7.06 KB, created by Deepak Mahajan on 2012-08-15 09:54:46 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Deepak Mahajan

Created: 2012-08-15 09:54:46 UTC

Size: 7.06 KB

patch

obsolete

>SELinux is preventing /usr/bin/perl from 'read' accesses on the file /var/lightsquid/20120801/.features.
>
>*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
>
>If you want to allow perl to have read access on the .features file
>Then you need to change the label on /var/lightsquid/20120801/.features
>Do
># semanage fcontext -a -t FILE_TYPE '/var/lightsquid/20120801/.features'
>where FILE_TYPE is one of the following: httpd_w3c_validator_htaccess_t, mysqld_etc_t, cvs_data_t, krb5_conf_t, dirsrvadmin_tmp_t, cobbler_etc_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, sysctl_crypto_t, calamaris_www_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, httpd_squirrelmail_t, var_lib_t, httpd_php_exec_t, httpd_passwd_exec_t, httpd_nagios_htaccess_t, proc_net_t, abrt_etc_t, puppet_tmp_t, dirsrv_var_log_t, zarafa_var_lib_t, etc_runtime_t, dirsrv_var_run_t, abrt_t, puppet_var_lib_t, samba_var_t, lib_t, httpd_var_lib_t, httpd_var_run_t, git_system_content_t, udev_var_run_t, ld_so_t, fail2ban_var_lib_t, public_content_t, sysfs_t, net_conf_t, anon_inodefs_t, systemd_passwd_var_run_t, afs_cache_t, abrt_helper_exec_t, httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, sysctl_kernel_t, httpd_modules_t, httpd_user_htaccess_t, chroot_exec_t, httpd_sys_content_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, httpd_suexec_exec_t, system_dbusd_var_lib_t, application_exec_type, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, textrel_shlib_t, abrt_retrace_worker_exec_t, gitosis_var_lib_t, dirsrvadmin_config_t, httpd_prewikka_htaccess_t, httpd_squid_htaccess_t, httpd_dspam_htaccess_t, httpd_munin_htaccess_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, dirsrvadmin_unconfined_script_exec_t, mailman_archive_t, rpm_script_tmp_t, user_cron_spool_t, bin_t, cert_t, httpd_t, lib_t, locale_t, httpd_collectd_htaccess_t, httpd_unconfined_script_exec_t, etc_t, ld_so_cache_t, usr_t, fonts_t, abrt_retrace_spool_t, proc_t, cert_t, sysfs_t, httpd_mojomojo_htaccess_t, httpd_rotatelogs_exec_t, httpd_smokeping_cgi_htaccess_t, krb5_keytab_t, passenger_exec_t, nagios_etc_t, etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, httpd_config_t, cluster_conf_t, sssd_public_t, tetex_data_t, httpd_mediawiki_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, httpd_log_t, dirsrv_config_t, httpd_tmp_t, abrt_var_run_t, smokeping_var_lib_t, shell_exec_t, krb5_conf_t, httpd_nutups_cgi_content_t, httpd_dirsrvadmin_script_exec_t, httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_script_exec_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_dspam_script_exec_t, httpd_munin_script_exec_t, httpd_collectd_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_collectd_script_exec_t, httpd_mediawiki_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_script_exec_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_dirsrvadmin_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_squid_script_exec_t, httpd_dspam_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_cobbler_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_nagios_script_exec_t, httpd_awstats_content_t, root_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_bugzilla_script_exec_t, httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t. 
>Then execute: 
>restorecon -v '/var/lightsquid/20120801/.features'
>
>
>*****  Plugin catchall (17.1 confidence) suggests  ***************************
>
>If you believe that perl should be allowed read access on the .features file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:var_t:s0
>Target Objects                /var/lightsquid/20120801/.features [ file ]
>Source                        index.cgi
>Source Path                   /usr/bin/perl
>Port                          <Unknown>
>Host                          (removed)
>Source RPM Packages           perl-5.14.2-198.fc16.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.10.0-90.fc16.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     (removed)
>Platform                      Linux (removed) 3.4.2-1.fc16.x86_64 #1
>                              SMP Thu Jun 14 20:17:26 UTC 2012 x86_64 x86_64
>Alert Count                   3
>First Seen                    Wednesday 15 August 2012 03:22:26 PM IST
>Last Seen                     Wednesday 15 August 2012 03:22:26 PM IST
>Local ID                      680d6d9c-515d-4eba-ba9d-2d86bc4c4b24
>
>Raw Audit Messages
>type=AVC msg=audit(1345024346.232:7169): avc:  denied  { read } for  pid=6485 comm="index.cgi" name=".features" dev="dm-1" ino=679417 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1345024346.232:7169): arch=x86_64 syscall=open success=no exit=EACCES a0=27738c0 a1=0 a2=1b6 a3=3a1b52e550 items=0 ppid=4769 pid=6485 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: index.cgi,httpd_t,var_t,file,read
>
>audit2allow
>
>#============= httpd_t ==============
>#!!!! This avc is allowed in the current policy
>
>allow httpd_t var_t:file read;
>
>audit2allow -R
>
>#============= httpd_t ==============
>#!!!! This avc is allowed in the current policy
>
>allow httpd_t var_t:file read;
>

Actions: View

Attachments on bug 848339: 604566 | 611395 | 611396 | 611400