Bug 1299552
| Summary: | SELinux prevents lighttpd from fstat()-ing inotifyfs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.8 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-294.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-21 09:45:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html |
Description of problem: * when gam_server is installed and lighttpd is configured to use "fam" then at least 1 SELinux denials appears Version-Release number of selected component (if applicable): gamin-0.1.10-9.el6.x86_64 lighttpd-1.4.39-1.el6.x86_64 selinux-policy-3.7.19-287.el6.noarch selinux-policy-doc-3.7.19-287.el6.noarch selinux-policy-minimum-3.7.19-287.el6.noarch selinux-policy-mls-3.7.19-287.el6.noarch selinux-policy-targeted-3.7.19-287.el6.noarch How reproducible: always Steps to Reproduce: # grep "server.*fam" /etc/lighttpd/lighttpd.conf server.stat-cache-engine = "fam" # service lighttpd start # search for SELinux denials Actual results (enforcing mode): ---- type=SYSCALL msg=audit(01/18/2016 15:25:42.640:669) : arch=x86_64 syscall=fstat success=no exit=-13(Permission denied) a0=0x4 a1=0x7fff7a5f6a90 a2=0x7fff7a5f6a90 a3=0x6 items=0 ppid=1 pid=29163 auid=root uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=1 comm=gam_server exe=/usr/libexec/gam_server subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(01/18/2016 15:25:42.640:669) : avc: denied { getattr } for pid=29163 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir ---- Actual results (permissive mode): ---- type=SYSCALL msg=audit(01/18/2016 15:50:33.956:991) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffde167f5c0 a2=0x7ffde167f5c0 a3=0x6 items=0 ppid=1 pid=19743 auid=root uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=1 comm=gam_server exe=/usr/libexec/gam_server subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(01/18/2016 15:50:33.956:991) : avc: denied { getattr } for pid=19743 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir ---- Expected results: * no SELinux denials