Bug 145895

Summary: httpd does not start anymore, lots of avc messages for other daemons
Product: Fedora
Version: 3
Component: selinux-policy-targeted
Hardware: i686
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Reporter: Daniel Hammer <h0m6r3>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2005-01-23 21:43:58 UTC

Description Daniel Hammer 2005-01-23 11:41:28 UTC
Description of problem:
Since the last 2 upgrades of selinux-policy-targeted there are lots of avc
messages which appear when booting. The last version does not even permit
httpd to start properly:

/usr/sbin/httpd: error while loading shared libraries: libapr-0.so.0:
failed to map segment from shared object: Permission denied

Lots of other messages appear when starting portmap, ntpd, nscd

avc:  denied  { write } for  pid=6581 exe=/usr/sbin/ntpdate name=log
dev=tmpfs ino=9915 scontext=root:system_r:ntpd_t
tcontext=user_u:object_r:device_t tclass=sock_file

audit(1106479425.848:0): avc:  denied  { getattr } for  pid=4835
exe=/sbin/minilogd path=/dev/log dev=tmpfs ino=9915
scontext=user_u:system_r:syslogd_t tcontext=user_u:object_r:device_t
tclass=sock_file
Jan 23 12:23:51 tunix kernel: audit(1106479425.908:0): avc:  denied  {
getattr } for  pid=4837 exe=/sbin/minilogd path=/dev/log dev=tmpfs
ino=9915 scontext=user_u:system_r:syslogd_t
tcontext=user_u:object_r:device_t tclass=sock_file
Jan 23 12:23:51 tunix kernel: audit(1106479426.103:0): avc:  denied  {
write } for  pid=4922 exe=/usr/sbin/nscd name=log dev=tmpfs ino=9915
scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:device_t
tclass=sock_file
Jan 23 12:23:51 tunix kernel: audit(1106479426.113:0): avc:  denied  {
sys_tty_config } for  pid=4922 exe=/usr/sbin/nscd capability=26
scontext=user_u:system_r:nscd_t tcontext=user_u:system_r:nscd_t
tclass=capability

This is quite disappointing and leaves me with doubts about package
quality testing.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.73

How reproducible:
Always

Steps to Reproduce:
1. install selinux-policy-targeted-1.17.30-2.73 and let the system
start httpd, portmap, nscd, ntpd 
  

Actual Results:  lots of avc messages, failed system start

Expected Results:  all daemons should start as they did before
installing selinux-policy-targeted-1.17.30-2.73

Additional info:

Comment 1 Daniel Hammer 2005-01-23 11:55:24 UTC
Sorry for the harsh words, and also to clarify the issue: it seems not to be
selinux-policy-targeted-1.17.30-2.73 alone, since older versions show
the same result.
Seems that new kernel 2.6.10-1.741_FC3 together with
selinux-policy-targeted do this "evil" work. 

With SELINUX=Permissive in /etc/sysconfig/selinux the avc messages
remain (concerning httpd, cups, nscd, ntpd, ...) but at least the
daemons do start. Nothing else has changed on this system, only the
security updates are installed, when they appear.

Comment 2 Sitsofe Wheeler 2005-01-23 19:45:35 UTC
Do you ever run your system without selinux enabled (i.e. turned off
completely)? If so does relabelling help?

Comment 3 Daniel Hammer 2005-01-23 21:43:58 UTC
> Do you ever run your system without selinux enabled (i.e. turned off
> completely)? If so does relabelling help?

OK, RTFM. ;-)
Running with selinux turned off does not change anything, all daemons start
normally and with selinux turned on again the system shows the same errors.

Relabeling DOES HELP, of course. After running "/sbin/fixfiles relabel" the
system works as it should. Anyway, IMHO, there should be some automatism to fix
odd label settings. Thanks anyway ... let's kill that beast!

Comment 4 Colin Walters 2005-01-24 15:29:20 UTC
I think Sitsofe was asking if you had run with it turned off at some
point, and then later experienced the labeling issues.


Comment 5 Daniel Hammer 2005-01-24 15:38:07 UTC
No, selinux was always enabled and sec-updates were done
automatically. Just when upgrading the kernel it was rebooted and some
trouble began ... ;-)

Comment 6 Daniel Walsh 2005-01-24 19:48:01 UTC
Are you using udev?  This looks like
/dev/log is labeled device_t; it should be labeled devlog_t.

Dan

Comment 7 Daniel Hammer 2005-01-24 23:22:32 UTC
# ls -aZ /dev/log
srw-rw-rw-  root     root     user_u:object_r:devlog_t         /dev/log