Bug 622801

Summary: Missing rule for suexec
Product: Red Hat Enterprise Linux 6 Reporter: Zbysek MRAZ <zmraz>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: dwalsh, ebenes, jwest, mmalik, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-37.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-10 21:36:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 580448, 620945    

Description Zbysek MRAZ 2010-08-10 13:03:56 UTC
Description of problem:
When running the RHTS test /CoreOS/httpd/suexec/bug161893 I get following AVC

----
time->Tue Aug 10 09:01:23 2010
type=SYSCALL msg=audit(1281445283.733:42647): arch=c000003e syscall=59 success=yes exit=0 a0=7f257b253ff3 a1=7f257bc41810 a2=7f257bc40f00 a3=7fffa5627990 items=0 ppid=25377 pid=25388 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=16 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
type=AVC msg=audit(1281445283.733:42647): avc:  denied  { read write } for  pid=25388 comm="suexec" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1281445283.733:42647): avc:  denied  { read write } for  pid=25388 comm="suexec" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file



Version-Release number of selected component (if applicable):
RHEL6.0-20100805.0
httpd-2.2.15-4.el6.x86_64
selinux-policy-3.7.19-35.el6.noarch

Comment 1 RHEL Product and Program Management 2010-08-10 13:18:44 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 2 Daniel Walsh 2010-08-10 15:21:10 UTC
This looks like a leaked file descriptor potentially just a test problem.

But it could be caused by an admin doing a service httpd restart

Miroslav, since we have

   dontaudit httpd_t user_devpts_t : chr_file { ioctl read write getattr append open } ;

We need to do the same fot httpd_suexec_t.

Comment 3 Miroslav Grepl 2010-08-10 18:17:18 UTC
Added to selinux-policy-3.7.19-37.el6.noarch

Comment 5 Miroslav Grepl 2010-09-01 09:54:54 UTC
Milos,
did the test pass successfully?


Looks like we also need to add the same change for httpd_user_script_t.

Comment 6 Milos Malik 2010-09-01 11:50:58 UTC
The test passed.

Comment 14 releng-rhel@redhat.com 2010-11-10 21:36:21 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.