Bug 1278269

Summary: httpd_can_read_write_radicale boolean reset from 'on' to 'off' in upgrade from F21 to F23
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 23
CC: dominick.grift, dwalsh, jorti, lvrabec, mgrepl, opensource, plautrba
Hardware: All
OS: All
Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Last Closed: 2015-11-26 20:58:17 UTC
Type: Bug
Bug Depends On: 1278268

Description Adam Williamson 2015-11-05 06:42:11 UTC
After working around https://bugzilla.redhat.com/show_bug.cgi?id=1278268 , radicale still does not start correctly, because it tries to create /var/lib/radicale/.config and is not allowed to:

[Wed Nov 04 22:36:37.590756 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 192.168.1.5:29639] PermissionError: [Errno 13] Permission denied: '/var/lib/radicale/.config'
[Wed Nov 04 22:36:39.260649 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639] mod_wsgi (pid=3056): Exception occurred processing WSGI script '/usr/share/radicale/radicale.wsgi'.
[Wed Nov 04 22:36:39.260683 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639] Traceback (most recent call last):
[Wed Nov 04 22:36:39.260720 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/__init__.py", line 332, in __call__
[Wed Nov 04 22:36:39.260724 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     user)
[Wed Nov 04 22:36:39.260739 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/__init__.py", line 547, in propfind
[Wed Nov 04 22:36:39.260742 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     environ["PATH_INFO"], content, collections, user)
[Wed Nov 04 22:36:39.261471 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/xmlutils.py", line 237, in propfind
[Wed Nov 04 22:36:39.261478 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     response = _propfind_response(path, collection, props, user)
[Wed Nov 04 22:36:39.261498 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/xmlutils.py", line 248, in _propfind_response
[Wed Nov 04 22:36:39.261501 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     collection_props = properties
[Wed Nov 04 22:36:39.261523 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/contextlib.py", line 66, in __exit__
[Wed Nov 04 22:36:39.261526 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     next(self.gen)
[Wed Nov 04 22:36:39.261540 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/storage/filesystem.py", line 131, in props
[Wed Nov 04 22:36:39.261543 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     self._create_dirs()
[Wed Nov 04 22:36:39.261554 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/storage/filesystem.py", line 77, in _create_dirs
[Wed Nov 04 22:36:39.261557 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     os.makedirs(os.path.dirname(self._path))
[Wed Nov 04 22:36:39.261568 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261571 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261581 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261584 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261594 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261600 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261612 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 237, in makedirs
[Wed Nov 04 22:36:39.261614 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     mkdir(name, mode)

Comment 1 Adam Williamson 2015-11-05 06:47:09 UTC
I'm thinking the problem is that /var/lib/radicale is owned by radicale.radicale but the script is running as httpd user? not really sure.

Comment 2 Juan Orti 2015-11-05 08:09:36 UTC
It should run with radicale:radicale if you configured it like in the example /etc/httpd/conf.d/radicale.conf:

WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027

Please, make sure you have activated the SELinux boolean httpd_can_read_write_radicale:

setsebool -P httpd_can_read_write_radicale 1

Comment 3 Adam Williamson 2015-11-05 17:04:05 UTC
Hmm. I had it right in radicale.conf, but getsebool shows the boolean as off, which is strange, because I'd previously turned it on:

[root@www srvad]# history | grep setseb
  787  setsebool -P httpd_can_read_write_radicale on

And indeed if I set it back to 'on', radicale starts working again.

Somehow I guess SELinux flipped the boolean back to 'off' when I upgraded from F21 to F23? So re-assigning to something selinux-y...

Comment 4 Juan Orti 2015-11-05 19:45:40 UTC
It's probably caused by the integration of the selinux policy in the main package, but I'm not sure why.

Comment 5 Juan Orti 2015-11-06 06:43:24 UTC
Thinking more about it, the module is removed when the radicale-selinux is obsoleted and then re-installed, so that must be the cause of the booleans resetting to their defaults.

Comment 6 Miroslav Grepl 2015-11-09 08:28:29 UTC
(In reply to Juan Orti from comment #5)
> Thinking more about it, the module is removed when the radicale-selinux is
> obsoleted and then re-installed, so that must be the cause of the booleans
> resetting to their defaults.

Ok so there was a radicale-selinux package, correct?

Comment 7 Juan Orti 2015-11-09 08:30:33 UTC
Yes, I integrated the radicale-selinux package into the main radicale package.

Comment 8 Miroslav Grepl 2015-11-09 08:43:31 UTC
Ok there needs to be an upgrade issue. I don't see how it could reset a default value of a boolean.

Comment 9 Daniel Walsh 2015-11-13 22:03:20 UTC
Why is there a boolean? I see no reason for this boolean, it would be better to fix this problem through labeling.

Comment 10 Miroslav Grepl 2015-11-20 13:25:08 UTC
We added fixes to the policy spec file to keep local boolean modifications after upgrade.

Comment 11 Fedora Update System 2015-11-20 13:27:09 UTC
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 12 Fedora Update System 2015-11-22 14:26:16 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 13 Fedora Update System 2015-11-26 20:57:33 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.