| Summary: | mirrormanager publiclist selinux policy | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | Matt Domsch <matt_domsch> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dwalsh, matt_domsch |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1042864 | Environment: | |
| Last Closed: | 2014-01-14 21:58:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1042864 | | |
|
Description
Matt Domsch
2013-12-13 14:29:30 UTC
One more please: semanage fcontext -a -t httpd_sys_content_t '/var/log/mirrormanager/crawler(/.*)?' (or I could move the crawler logs somewhere besides /var/log, I suppose, such as under /var/lib/mirrormanager/crawler/*, if that would be preferred).

Added mirrormanager policy to Rawhide. Matt, any chance to test this policy in rawhide?

Miroslav and Dan, thanks for the quick turnaround.

selinux-policy-targeted-3.13.1-11.fc21.noarch

Three issues I still see:
1) httpd (mirrormanager.wsgi application) failed to open its socket file in /var/run/mirrormanager/.
[Wed Jan 08 11:59:44.112258 2014] [:alert] [pid 5240] (13)Permission denied: mod_wsgi (pid=5240): Couldn't bind unix domain socket '/var/run/mirrormanager/wsgi.5240.0.1.sock'.
# audit2why -a -v
type=AVC msg=audit(1389200384.110:652): avc: denied { search } for pid=5240 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
2) httpd (mirrorlist_client.wsgi application) fails to open a socket created by the mirrormanager_server process, in /var/run/mirrormanager/mirrorlist_server.sock.
type=AVC msg=audit(1389201478.910:694): avc: denied { search } for pid=5364 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201478.910:694): arch=c000003e syscall=87 success=no exit=-13 a0=7f667f458208 a1=7f667f458320 a2=14f4 a3=0 items=0 ppid=1 pid=5364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201478.910:695): avc: denied { search } for pid=5364 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201478.910:695): arch=c000003e syscall=87 success=no exit=-13 a0=7f667f3b4620 a1=7f667f3b4738 a2=14f4 a3=b1 items=0 ppid=1 pid=5364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1389201479.055:696): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=5564 comm="httpd" reason="memory violation" sig=11
type=ANOM_ABEND msg=audit(1389201479.057:697): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=5550 comm="httpd" reason="memory violation" sig=11
type=AVC msg=audit(1389201479.057:698): avc: denied { lock } for pid=5493 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.057:698): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafcba0 items=0 ppid=5364 pid=5493 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.071:699): avc: denied { lock } for pid=5444 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.071:699): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafd9d0 items=0 ppid=5364 pid=5444 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.080:700): avc: denied { lock } for pid=5506 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.080:700): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafd9d0 items=0 ppid=5364 pid=5506 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.082:701): avc: denied { lock } for pid=5538 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E322E6C6F636B202864656C6574656429 dev="tmpfs" ino=31011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.082:701): arch=c000003e syscall=72 success=no exit=-13 a0=b a1=7 a2=7f667c110e40 a3=1 items=0 ppid=5364 pid=5538 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.082:702): avc: denied { lock } for pid=5535 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.082:702): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafcba0 items=0 ppid=5364 pid=5535 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1389201479.194:703): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201479.262:704): avc: denied { search } for pid=5723 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201479.262:704): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fff21403a70 a2=6e a3=7fa231a29852 items=0 ppid=1 pid=5723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389201479.263:705): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201507.985:706): avc: denied { search } for pid=5724 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201507.985:706): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff21403660 a2=6e a3=fffffffffffff7cf items=0 ppid=5723 pid=5724 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1389201542.985:707): enforcing=0 old_enforcing=1 auid=1000 ses=7
type=SYSCALL msg=audit(1389201542.985:707): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffbadd98c0 a2=1 a3=7fffbadd9680 items=0 ppid=5134 pid=5732 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=7 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389201544.924:708): avc: denied { search } for pid=5726 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201544.924:708): arch=c000003e syscall=42 success=no exit=-2 a0=b a1=7fff21403660 a2=6e a3=fffffffffffff7cf items=0 ppid=5723 pid=5726 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=USER_AVC msg=audit(1389201549.499:709): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1389201555.540:710): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201555.604:711): avc: denied { write } for pid=5751 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { add_name } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { create } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201555.604:711): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff0340ac80 a2=6e a3=7f19ed5be852 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:712): avc: denied { setattr } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" dev="tmpfs" ino=27597 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201555.605:712): arch=c000003e syscall=92 success=yes exit=0 a0=7f19fc0ba620 a1=30 a2=ffffffff a3=7f19ed5be852 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:713): avc: denied { create } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389201555.605:713): avc: denied { write open } for pid=5751 comm="httpd" path="/run/mirrormanager/wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.605:713): arch=c000003e syscall=2 success=yes exit=9 a0=7f19fc0ba708 a1=800c1 a2=1a4 a3=7fff0340a8a0 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:714): avc: denied { remove_name } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.605:714): avc: denied { unlink } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.605:714): arch=c000003e syscall=87 success=yes exit=0 a0=7f19fc0ba708 a1=0 a2=7f19fc0ba678 a3=7fff0340a8a0 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.678:715): avc: denied { lock } for pid=5782 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353735312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.678:715): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7f19f93dae60 a3=7f19ebdc79d0 items=0 ppid=5751 pid=5782 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389201555.844:716): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201557.424:717): avc: denied { write } for pid=5921 comm="httpd" name="wsgi.5751.0.1.sock" dev="tmpfs" ino=27597 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201557.424:717): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff0340a870 a2=6e a3=fffffffffffff7cf items=0 ppid=5751 pid=5921 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201557.505:718): avc: denied { connectto } for pid=5782 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1389201557.505:718): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7f19ebdc6320 a2=2f a3=0 items=0 ppid=5751 pid=5782 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
3) I need to add setsebool -P httpd_can_network_connect_db 1
Should I just add this to the mirrormanager.spec %post ?
What is a path to mirrormanager apache scripts?

/usr/share/mirrormanager/server/mirrormanager.wsgi (the main TurboGears-based application)
/usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi (the WSGI responsible for answering http:///mirrorlist and /metalink requests)

Could you try to add

# cat mypol.te
policy_module(mypol,1.0)
apache_content_template(mirrormanager)

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t mirrormanager_script_exec_t /usr/share/mirrormanager/server/mirrormanager.wsgi /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi

and re-test it? Thank you.

Thanks Miroslav. Still getting failures:
type=AVC msg=audit(1389643301.501:1636): avc: denied { search } for pid=6321 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1389643301.509:1637): avc: denied { lock } for pid=6400 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1389643301.529:1638): avc: denied { search } for pid=6321 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1389643301.581:1639): avc: denied { lock } for pid=6382 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1389643301.586:1640): avc: denied { lock } for pid=6453 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1389643301.705:1642): avc: denied { search } for pid=18438 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
It was in permissive mode?

I just added an allow rule for this. Should be fixed in next update.

Miroslav: it was in enforcing mode when I tried with the above, not Permissive.
Dan - thanks for the update. I ran
selinux-policy-targeted-3.13.1-13.fc21.noarch
and upon starting httpd, still get this:
type=AVC msg=audit(1389831664.478:2486): avc: denied { search } for pid=1125 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831664.478:2486): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fff27fec9b0 a2=6e a3=0 items=0 ppid=1 pid=1125 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389831664.479:2487): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831887.806:2488): avc: denied { search } for pid=1127 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831887.806:2488): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff27fec5a0 a2=6e a3=fffffffffffff54b items=0 ppid=1125 pid=1127 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
and I note that /var/run/mirrormanager does not have the WSGI sockets for either of the two WSGI apps that I would have expected it to have.
After switching to permissive, and restarting httpd, hitting each of the two WSGI URLs, I get:
type=SYSCALL msg=audit(1389831947.083:2489): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff85746670 a2=1 a3=7fff85746430 items=0 ppid=1050 pid=1147 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=187 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1389831951.007:2490): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1389831952.045:2491): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831952.113:2492): avc: denied { search } for pid=1165 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { write } for pid=1165 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { add_name } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { create } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831952.113:2492): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff0d79de50 a2=6e a3=0 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2493): avc: denied { setattr } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" dev="tmpfs" ino=143702 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831952.113:2493): arch=c000003e syscall=92 success=yes exit=0 a0=7f2ef91857f8 a1=30 a2=ffffffff a3=0 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2494): avc: denied { create } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389831952.113:2494): avc: denied { write open } for pid=1165 comm="httpd" path="/run/mirrormanager/wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.113:2494): arch=c000003e syscall=2 success=yes exit=9 a0=7f2ef91858e0 a1=800c1 a2=1a4 a3=7fff0d79da70 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2495): avc: denied { remove_name } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2495): avc: denied { unlink } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.113:2495): arch=c000003e syscall=87 success=yes exit=0 a0=7f2ef91858e0 a1=0 a2=7f2ef9185850 a3=7fff0d79da70 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.199:2496): avc: denied { lock } for pid=1192 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E313136352E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.199:2496): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7f2ef7b5de60 a3=7f2eea547ba0 items=0 ppid=1165 pid=1192 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389831952.345:2497): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831968.318:2498): avc: denied { write } for pid=1328 comm="httpd" name="wsgi.1165.0.1.sock" dev="tmpfs" ino=143702 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831968.318:2498): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff0d79da40 a2=6e a3=fffffffffffff54b items=0 ppid=1165 pid=1328 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831968.399:2499): avc: denied { connectto } for pid=1192 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1389831968.399:2499): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7f2eea547320 a2=2f a3=0 items=0 ppid=1165 pid=1192 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831974.783:2500): avc: denied { read } for pid=1349 comm="httpd" name="mirrormanager" dev="dm-1" ino=659395 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831974.783:2500): arch=c000003e syscall=257 success=yes exit=15 a0=ffffffffffffff9c a1=7f2ee571f9f0 a2=90800 a3=0 items=0 ppid=1165 pid=1349 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
I added additional rules.
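The AVC records quoted throughout this thread are the raw material that audit2allow turns into allow rules. As an added illustration (not part of this bug report, not the real audit2allow, and not code from mirrormanager or selinux-policy), the Python below parses AVC lines of the shape shown above, decodes the hex-encoded path= values (the kernel hex-encodes a path containing whitespace, which is why the deleted wsgi lock files appear as long hex strings here), merges the denied permissions per source type, target type and object class, and renders a .te source in the shape of the mypol.te built with the devel Makefile above. The sample records are constructed copies of lines from this report, and the module name mirrormanager_local is an arbitrary placeholder. What it emits is what the denials asked for, which is the point where a policy author decides whether to grant that access or to relabel the files instead (as the chcon and semanage fcontext steps in this thread do).

```python
"""Summarise SELinux AVC denials into the allow rules a local module would need.

Simplified re-implementation of the type-enforcement part of audit2allow; an
added example, not audit2allow itself and not part of any project on this page.
"""
import re
from collections import defaultdict

# Constructed sample: copies of AVC records from the report plus one SYSCALL
# record (shortened) to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1389201478.910:694): avc: denied { search } for pid=5364 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201478.910:694): arch=c000003e syscall=87 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.057:698): avc: denied { lock } for pid=5493 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389201555.604:711): avc: denied { write } for pid=5751 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { add_name } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { create } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1389201555.605:713): avc: denied { write open } for pid=5751 comm="httpd" path="/run/mirrormanager/wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389201557.505:718): avc: denied { connectto } for pid=5782 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Only kernel AVC records; USER_AVC and SYSCALL records do not match.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)
# path= is either a quoted string or, when it contains whitespace, a hex blob.
PATH_RE = re.compile(r'\bpath=(?P<path>"[^"]*"|[0-9A-Fa-f]+)')


def decode_path(raw):
    """Return the path as text, decoding the hex form the kernel uses for
    paths with whitespace (e.g. '/run/.../wsgi.N.lock (deleted)')."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode('utf-8', errors='replace')


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(':')[2]


def parse_denials(text):
    """Parse every AVC denial in an audit log excerpt into a dict."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        p = PATH_RE.search(line)
        denials.append({
            'perms': m.group('perms').split(),
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'path': decode_path(p.group('path')) if p else None,
        })
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def te_module(name, denials):
    """Render .te source in the style of the mypol.te built with the devel
    Makefile: header, require block for the types and classes used, rules."""
    types = sorted({d['source'] for d in denials} | {d['target'] for d in denials})
    class_perms = defaultdict(set)
    for d in denials:
        class_perms[d['tclass']].update(d['perms'])
    lines = [f"policy_module({name}, 1.0)", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    for d in found:
        print(d['source'], '->', d['target'], d['tclass'], d['perms'], d['path'])
    print(te_module("mirrormanager_local", found))
```

Two things this makes visible that the raw dump does not: the hex path in record 698 is the already-unlinked lock file "/run/mirrormanager/wsgi.5364.0.1.lock (deleted)", and the whole set of denials collapses to four rules, all from httpd_t. It also shows why the later dumps in the thread were taken after setenforce 0: in enforcing mode the first denied search stops the process before the later create, setattr and lock operations are ever attempted, so only a permissive run records the complete set (the records with success=yes alongside avc: denied are exactly that).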