Bug 1025070

Summary: SELinux is preventing /usr/bin/perl from 'read' accesses on the directory cpu.
Product: [Fedora] Fedora Reporter: Rodd Clarkson <rodd>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, lvrabec, mgrepl, rodd
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:4a242264f5aa09881c93e36e65fb652c82ce5de12ebcf3ef503cdaa3ec7afcfa
Fixed In Version: selinux-policy-3.12.1-116.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-16 07:09:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rodd Clarkson 2013-10-30 23:27:45 UTC 
Description of problem:
I'm trying to reprovision my existing web development environment on f20 (it's been working on f19).
SELinux is preventing /usr/bin/perl from 'read' accesses on the directory cpu.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed read access on the cpu directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                cpu [ dir ]
Source                        index.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.18.1-288.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.6-301.fc20.x86_64 #1 SMP Mon
                              Oct 21 21:54:19 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-31 10:21:04 EST
Last Seen                     2013-10-31 10:22:03 EST
Local ID                      5bff7d2a-1f7a-4e78-9c86-c91d1b382595

Raw Audit Messages
type=AVC msg=audit(1383175323.483:709): avc:  denied  { read } for  pid=4488 comm="index.cgi" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1383175323.483:709): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=33acf7a67c a2=90800 a3=0 items=0 ppid=3697 pid=4488 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: index.cgi,httpd_sys_script_t,sysfs_t,dir,read

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.6-301.fc20.x86_64
type:           libreport
Comment 1 Rodd Clarkson 2013-10-30 23:35:17 UTC 
I tried running:

# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol

as suggested and got:

# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory

Running

# grep index.cgi /var/log/audit/audit.log

works fine (at least it outputs stuff)
Comment 2 Daniel Walsh 2013-11-01 16:57:00 UTC 
yum install checkpolicy

Will fix that problem.

What is the location of the index.cgi?  Is this something you wrote?
Comment 3 Rodd Clarkson 2013-11-01 22:48:59 UTC 
index.cgi is a perl script I've written and have been using for some 10 years now (with the occasional alteration, but most unchanged).

I can provide you with the script if you like.

I don't know what the 'directory cpu' is.  I'm assuming it's a directory called cpu, but I haven't made this, so I assumed this was a perl running on fedora issue.
Comment 4 Daniel Walsh 2013-11-04 16:58:39 UTC 
/sys/bus/cpu
/sys/bus/event_source/devices/cpu
/sys/devices/cpu
/sys/devices/system/cpu


Is what it is trying to read.

It could be an upgrade to perl which now checks one of these files.

Did your script work correctly?
Comment 5 Rodd Clarkson 2013-11-05 22:50:26 UTC 
Yeah, the script works fine.  I had switched to Permissive, but switching back to Enforcing it still works and there's nothing in the httpd log files that suggests it's an issue.
Comment 6 Daniel Walsh 2013-11-11 18:47:34 UTC 
I added dev_list_sysfs(httpd_sys_script_t)
 to .git.
Comment 7 Daniel Walsh 2013-11-11 18:48:04 UTC 
4340e59155b7f34de781bc269429f14f919dd8de fixes this in git.
Comment 8 Fedora Update System 2014-01-13 22:54:54 UTC 
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Comment 9 Fedora Update System 2014-01-15 05:56:35 UTC 
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2014-01-16 07:09:06 UTC 
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.