Bug 1083111

Summary: Upcoming varnish-4.0.0 release needs changes in selinux policy
Product: [Fedora] Fedora
Reporter: Ingvar Hagelund <ingvar>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.12.1-74.26.fc19
Doc Type: Bug Fix
Last Closed: 2014-06-27 02:22:59 UTC
Type: Bug

Description Ingvar Hagelund 2014-04-01 13:46:41 UTC
Description of problem:
The Varnish cache project has released varnish-4.0.0-beta1, and I have started looking into packaging it for fedora and epel7, to be able to release varnish-4.0.0 with epel7.

When starting varnishd on fedora 19, selinux croaks.
A scratch build of varnish-4.0.0-beta1 is available here:

http://koji.fedoraproject.org/koji/taskinfo?taskID=6695833

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.19.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install varnish-4.0.0-beta1
2. Start varnish with selinux in enforcing mode
3. Watch the logs

Actual results:
varnishd is not allowed to start

Expected results:
varnishd should be able to start

Additional info:

# rpm -q varnish
varnish-4.0.0-0.4.beta1.fc19.x86_64

# tail -f /var/log/audit/audit.log &

# systemctl start varnish.service
type=AVC msg=audit(1396358466.210:12278): avc:  denied  { chown } for  pid=27000 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability
type=SYSCALL msg=audit(1396358466.210:12278): arch=c000003e syscall=93 success=no exit=-1 a0=7 a1=3e1 a2=3dd a3=7fff0403fec0 items=0 ppid=1 pid=27000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="varnishd" exe="/usr/sbin/varnishd" subj=system_u:system_r:varnishd_t:s0 key=(null)
Job for varnish.service failed. See 'systemctl status varnish.service' and 'journalctl -xn' for details.
type=SERVICE_START msg=audit(1396358466.288:12279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="varnish" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

[root@yum ~]# systemctl status varnish.service
varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled)
   Active: failed (Result: exit-code) since ti. 2014-04-01 15:21:06 CEST; 13s ago
  Process: 27000 ExecStart=/usr/sbin/varnishd -P /var/run/varnish.pid -f $VARNISH_VCL_CONF -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} -t $VARNISH_TTL -u $VARNISH_USER -g $VARNISH_GROUP -S $VARNISH_SECRET_FILE -s $VARNISH_STORAGE $DAEMON_OPTS (code=exited, status=2)
 Main PID: 31259 (code=exited, status=2)
   CGroup: name=systemd:/system/varnish.service

april 01 15:21:06 yum.linpro.no varnishd[27000]: Running VCC-compiler failed, exit 1
april 01 15:21:06 yum.linpro.no varnishd[27000]: VCL compilation failed
april 01 15:21:06 yum.linpro.no systemd[1]: varnish.service: control process exited, code=exited status=2
april 01 15:21:06 yum.linpro.no systemd[1]: Failed to start Varnish a high-perfomance HTTP accelerator.
april 01 15:21:06 yum.linpro.no systemd[1]: Unit varnish.service entered failed state.

[root@yum ~]# journalctl -xn
-- Logs begin at ti. 2014-01-07 17:46:19 CET, end at ti. 2014-04-01 15:21:06 CEST. --
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: SetroubleshootdClientConnectionHandler.default_request_handler: rpc_id=8 type=method {<?xml version="1.0" encoding="utf-
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: lookup_signature: found 1 matches with scores 1.00
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: find_filter_by_username ingvar
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [166B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [170B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [282B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [318B blob data]
april 01 15:21:06 yum.linpro.no python[31519]: [459B blob data]

Comment 1 Miroslav Grepl 2014-04-02 10:31:16 UTC
commit 6d57ff778e441927d361d3b6ca1077f99d723574
Author: Miroslav Grepl <mgrepl>
Date:   Wed Apr 2 12:30:32 2014 +0200

    varnishd wants chown capability

Comment 2 Ingvar Hagelund 2014-04-02 11:01:26 UTC
A little background:

The reason for the need to chown is that the top varnishd process starts as root, but forks off unprivileged worker and compiler children, which need tempfiles.

cat -n varnish-4.0.0-beta1/bin/varnishd/mgt/mgt_vcc.c
 
   (...)
 
   241          /* Create temporary C source file */
   242          sfd = VFIL_tmpfile(sf);
   243          if (sfd < 0) {
   244                  VSB_printf(sb, "Failed to create %s: %s", sf, strerror(errno));
   245                  return (NULL);
   246          }
   247          (void)fchown(sfd, mgt_param.uid, mgt_param.gid);
   248          AZ(close(sfd));
 
   (...)
 
   275          i = open(of, O_WRONLY|O_CREAT|O_TRUNC, 0600);
   276          if (i < 0) {
   277                  VSB_printf(sb, "Failed to create %s: %s",
   278                      of, strerror(errno));
   279                  (void)unlink(sf);
   280                  return (NULL);
   281          }
   282          (void)fchown(i, mgt_param.uid, mgt_param.gid);
   283          AZ(close(i));
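
The denial above is the kind of record that gets turned into a policy rule like the one Comment 1 commits. As an added example (not part of this bug report or of the selinux-policy or varnish code), the script below parses the AVC record quoted in the description and renders the allow rule that would satisfy it, flagging that the rule widens a confined domain's Linux capabilities; the regular expression and function names are my own.

```python
import re

# AVC record copied from the audit.log excerpt in the bug description (Fedora 19).
AVC_LINE = ('type=AVC msg=audit(1396358466.210:12278): avc:  denied  { chown } '
            'for  pid=27000 comm="varnishd" capability=0  '
            'scontext=system_u:system_r:varnishd_t:s0 '
            'tcontext=system_u:system_r:varnishd_t:s0 tclass=capability')

# Matches the fields of an AVC record; permissions may be several names in braces.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def domain_type(context):
    """Return the type field of an SELinux context user:role:type:level."""
    return context.split(':')[2]

def parse_avc(line):
    """Extract result, permissions, source/target type and object class from one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'stype': domain_type(m.group('scontext')),
        'ttype': domain_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }

def allow_rule(avc):
    """Render the allow rule that satisfies this denial (what audit2allow prints).
    When source and target type are identical, as for a process's own capabilities,
    the target is written as 'self'."""
    target = 'self' if avc['stype'] == avc['ttype'] else avc['ttype']
    return 'allow %s %s:%s { %s };' % (avc['stype'], target, avc['tclass'],
                                       ' '.join(avc['perms']))

def is_capability_grant(avc):
    """True when the rule grants a Linux capability to a confined domain; such a rule
    deserves the justification Comment 2 gives (fchown of tempfiles to the worker uid)."""
    return avc['tclass'] in ('capability', 'capability2')

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(allow_rule(avc))            # allow varnishd_t self:capability { chown };
    print(is_capability_grant(avc))   # True
```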

Comment 3 Fedora Update System 2014-05-07 16:25:45 UTC
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19

Comment 4 Fedora Update System 2014-05-08 09:59:17 UTC
Package selinux-policy-3.12.1-74.26.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.26.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6075/selinux-policy-3.12.1-74.26.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-06-27 02:22:59 UTC
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.