Bug 1260536
Summary: | AVC is triggered when accessing ganglia web UI | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.3 | CC: | dyocum, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.13.1-82.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 1219900 | Environment: | |
Last Closed: | 2016-11-04 02:21:58 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Milos Malik
2015-09-07 08:13:49 UTC
Following AVC appears in permissive mode: ---- type=PATH msg=audit(09/07/2015 10:17:21.215:363) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=21826000 dev=fd:02 mode=dir,777 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL type=CWD msg=audit(09/07/2015 10:17:21.215:363) : cwd=/usr/share/ganglia type=SYSCALL msg=audit(09/07/2015 10:17:21.215:363) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f94ca8aae60 a1=0777 a2=0x7f94c6a20b40 a3=0x7f94c69f6f30 items=1 ppid=7141 pid=7150 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(09/07/2015 10:17:21.215:363) : avc: denied { setattr } for pid=7150 comm=httpd name=compiled dev="vda2" ino=21826000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir ---- # ls -aRZ /var/lib/ganglia/dwoo/ /var/lib/ganglia/dwoo/: drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 . drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 cache drwxrwxrwx. apache apache system_u:object_r:var_lib_t:s0 compiled /var/lib/ganglia/dwoo/cache: drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 . drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 .. /var/lib/ganglia/dwoo/compiled: drwxrwxrwx. apache apache system_u:object_r:var_lib_t:s0 . drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0 .. -rw-r--r--. apache apache system_u:object_r:httpd_var_lib_t:s0 classpath.cache.d17.php drwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 templates /var/lib/ganglia/dwoo/compiled/templates: drwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 . drwxrwxrwx. apache apache system_u:object_r:var_lib_t:s0 .. drwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 default /var/lib/ganglia/dwoo/compiled/templates/default: drwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 . drwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 .. -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 cluster_extra.tpl.d17.php -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 cluster_host_metric_graphs.tpl.d17.php -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 cluster_overview.tpl.d17.php -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 cluster_view.tpl.d17.php -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 footer.tpl.d17.php -rwxrwxrwx. apache apache system_u:object_r:httpd_var_lib_t:s0 header.tpl.d17.php # restorecon -Rv /var/lib/ganglia restores labels to var_lib_t, which is incorrect in my opinion. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |