Bug 1042864

Summary: mirrormanager publiclist selinux policy
Product: Red Hat Enterprise Linux 6
Reporter: Matt Domsch <matt_domsch>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: crose, dwalsh, ksrot, lvrabec, mgrepl, mmalik, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-261.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1042860
Environment:
Last Closed: 2015-07-22 07:07:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1042860
Bug Blocks:
Attachments: audit.logs (flags: none)

Description Matt Domsch 2013-12-13 14:31:34 UTC
+++ This bug was initially created as a clone of Bug #1042860 +++

Description of problem:
/var/lib/mirrormanager/mirrorlists/  is generated by a cronjob and served as HTTP content.  selinux policy doesn't let this content be served by HTTP.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-231.el6.noarch, though anticipated in Fedora as well.

How reproducible:
always

Steps to Reproduce:
1. run mirrormanager with content in the database
2. run mirrormanager update-static-content script, which creates /var/lib/mirrormanager/mirrorlists/


Actual results:
content created, but can't be served by httpd

Expected results:
content served by httpd

Additional info:
semanage fcontext -a -t httpd_sys_content_t '/var/lib/mirrormanager/mirrorlists(/.*)?'

resolves this.


Thanks,
Matt

Comment 1 Matt Domsch 2013-12-13 14:51:55 UTC
One more please:

semanage fcontext -a -t httpd_sys_content_t '/var/log/mirrormanager/crawler(/.*)?'

(or I could move the crawler logs to somewhere besides /var/log I suppose, such as under /var/lib/mirrormanager/crawler/* if that would be preferred).

Comment 2 Daniel Walsh 2013-12-16 15:19:19 UTC
I would leave the log files there, although I am not crazy about labeling them as apache content, since log file tools like logrotate would be broken.

The best solution would be to add policy for mirrormanager and allow httpd_t to read mirrormanager_log_t and mirrormanager_var_lib_t.

Miroslav, I added mirrormanager policy to git.

4e392a73ea87b8f14ddbba5944a759a712c99622

We should add this to RHEL and make mirrormanager_t an unconfined_domain.

Matt, how does mirrormanager run?  Is it started by init?

Comment 3 Matt Domsch 2013-12-16 18:36:04 UTC
Dan - there are several components to mirrormanager, that run under different contexts I suppose.

There is the mirrormanager web app, which is a python WSGI app run under apache, which is run by init.  This needs to read the crawler logs.

There is the crawler, which is run under cron, which writes the crawler logs.

Comment 4 Daniel Walsh 2013-12-16 18:45:27 UTC
Ok, well, the first thing we need is the labels on mirrormanager content, and then to give access to those.

Matt, do you have any AVCs you could attach?

Comment 5 Matt Domsch 2013-12-16 19:14:40 UTC
Created attachment 837385 [details]
audit.logs

Logs attached.  Here are a few that I recognize:

httpd reading /var/lib/mirrormanager/mirrorlists/ (the publiclist HTML pages, which are created by a cronjob).

httpd reading /var/log/mirrormanager/crawler/* (name="1.log") which are created by a cronjob.

sockets in /var/run/mirrormanager/.  There are 2 socket types:
1) mirrorlist_server.py's socket, where mirrorlist_server is started by an initscript, or preferably, supervisord.  This socket is opened for r/w by an apache WSGI process to make requests to the mirrorlist_server process. (name="mirrorlist-server.sock")

2) apache<->wsgi socket for running the mirrormanager web app wsgi, started by apache. (name="wsgi.$PID.*.sock")

and of course, logrotate on everything under /var/log/mirrormanager/* which are created by any process started under init, supervisord, or cron.

Comment 6 Matt Domsch 2013-12-16 21:44:04 UTC
I also need cronjobs, command line scripts run as user mirrormanager, and my mirrormanager web app WSGI running under httpd to be able to read /etc/mirrormanager/* (specifically, prod.cfg).

# ls -lZ /etc/mirrormanager/prod.cfg
-rw-r--r--. mirrormanager mirrormanager unconfined_u:object_r:etc_t:s0   /etc/mirrormanager/prod.cfg

This config file contains the database connection information, and various other config parameters.
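As an added example (not part of the bug thread or of the selinux-policy project), a small parser that folds the kinds of denials Matt lists in comments 5 and 6 into audit2allow-style rules and flags those whose target is a generic directory type, which is the over-broad outcome Dan argues against in comment 2. The audit records are constructed; only the object names and the etc_t label of prod.cfg come from the comments, while the timestamps, pids, inodes and other target types are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not the attached audit.logs) modelled on the denials in
# comments 5 and 6; object names and the etc_t label come from the bug, the rest is assumed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1387221600.101:201): avc:  denied  { read } for  pid=5311 comm="httpd" name="mirrorlists" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1387221600.102:202): avc:  denied  { read open } for  pid=5311 comm="httpd" name="1.log" dev=dm-0 ino=1235 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1387221600.103:203): avc:  denied  { write } for  pid=5312 comm="httpd" name="mirrorlist-server.sock" dev=dm-0 ino=1236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1387221600.104:204): avc:  denied  { read } for  pid=5313 comm="httpd" name="prod.cfg" dev=dm-0 ino=1237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1387221600.105:205): avc:  denied  { read } for  pid=5314 comm="httpd" name="2.log" dev=dm-0 ino=1238 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1387221600.105:205): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

# Default labels of whole top-level trees: an allow rule against one of these would let
# httpd_t reach every file under /var/lib, /var/log, /var/run or /etc, which is the
# over-broad outcome comment 2 warns about; the right fix is a file context for the app.
GENERIC_TYPES = {"var_lib_t", "var_log_t", "var_run_t", "etc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict of its fields or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def summarize(lines):
    """Fold denials into audit2allow-style rules keyed by (source, target, class) and
    flag rules whose target is a generic type, i.e. content that should be relabelled."""
    seen = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # the third field of user:role:type:level is the type
        key = (rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2], rec["tclass"])
        seen[key]["perms"] |= rec["perms"]
        seen[key]["names"].add(rec.get("name", "?"))
    return {
        f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};":
            {"names": sorted(v["names"]), "generic_target": t in GENERIC_TYPES}
        for (s, t, c), v in sorted(seen.items())
    }
```

Every rule the sample produces is flagged, which is the signal that the fix belongs in file contexts (as the semanage fcontext lines in the description do) rather than in a blanket allow rule.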

Comment 9 Lukas Vrabec 2014-07-14 11:10:08 UTC
commit 7a941ae3ab89c689489b73e1e42bf22e4bfd655a
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 14 11:45:01 2014 +0200

    Allow apache to manage pid sock files BZ #1042864

Comment 15 Lukas Vrabec 2014-09-02 12:52:53 UTC
Hi Karel, 

We are waiting for a reaction in comment 13; then we will move on with this bug.

Comment 19 Milos Malik 2014-09-08 07:18:26 UTC
The following 2 files are mentioned in the /etc/httpd/conf.d/mirrormanager.conf and /etc/httpd/conf.d/mirrorlist-server.conf files. In both cases they are executed by the mod_wsgi module of httpd.

# ls -l /usr/share/mirrormanager/server/mirrormanager.wsgi 
-rwxr-xr-x. 1 root root 1388 Mar 22  2010 /usr/share/mirrormanager/server/mirrormanager.wsgi
# ls -l /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
-rwxr-xr-x. 1 root root 5505 Sep 12  2010 /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi
#

Comment 25 Milos Malik 2015-02-25 11:48:17 UTC
There are no AVCs. The problem is that the WSGI scripts do not transition to the correct domain:

:: [  BEGIN   ] :: Running 'ps -efZ | grep -v grep | grep "mirrormanager"'
unconfined_u:system_r:httpd_t:s0 498      5311  5300  0 12:46 ?        00:00:00 mirrormanager  
unconfined_u:system_r:httpd_t:s0 498      5312  5300  0 12:46 ?        00:00:00 mirrormanager  
unconfined_u:system_r:httpd_t:s0 498      5313  5300  0 12:46 ?        00:00:00 mirrormanager  
unconfined_u:system_r:httpd_t:s0 498      5314  5300  0 12:46 ?        00:00:00 mirrormanager  
:: [   PASS   ] :: Command 'ps -efZ | grep -v grep | grep "mirrormanager"' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ps -efZ | grep -v grep | grep "mirrorlist"'
unconfined_u:system_r:httpd_t:s0 apache   5305  5300  0 12:46 ?        00:00:00 mirrorlist     
unconfined_u:system_r:httpd_t:s0 apache   5306  5300  0 12:46 ?        00:00:00 mirrorlist     
unconfined_u:system_r:httpd_t:s0 apache   5307  5300  0 12:46 ?        00:00:00 mirrorlist     
unconfined_u:system_r:httpd_t:s0 apache   5308  5300  0 12:46 ?        00:00:00 mirrorlist     
unconfined_u:system_r:httpd_t:s0 apache   5309  5300  0 12:46 ?        00:00:00 mirrorlist     
unconfined_u:system_r:httpd_t:s0 apache   5310  5300  0 12:46 ?        00:00:00 mirrorlist     
:: [   PASS   ] :: Command 'ps -efZ | grep -v grep | grep "mirrorlist"' (Expected 0, got 0)

Comment 28 errata-xmlrpc 2015-07-22 07:07:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html