Bug 149454
Summary: | w3c-markup-validator not compatible with SELinux targeted policy | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Fred New <fred.new2911> |
Component: | w3c-markup-validator | Assignee: | Ville Skyttä <ville.skytta> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6 | CC: | javabrett, link |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2007-10-14 20:10:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 182673 | | |
Bug Blocks: | 162161 | | |
Description
Fred New
2005-02-23 08:23:08 UTC
I cannot reproduce. This is on my FC3 box:

```
selinux-policy-targeted-1.17.30-2.83
w3c-markup-validator-0.6.7-1
httpd-2.0.52-3.1
-rwxr-xr-x  root root system_u:object_r:usr_t  check
# cat /selinux/enforce
1
```

Validation works fine, nothing in /var/log/httpd/error_log nor /var/log/messages. What am I missing?

I have installed it on a second machine and I am having the same problem. The browser shows "Internal Server Error" with a few suggestions about what to do about it.

/var/log/httpd/error_log:

```
[Sat Feb 26 20:01:49 2005] [error] [client 192.168.1.2] (13)Permission denied: exec of '/usr/share/w3c-markup-validator/check' failed, referer: http://darth/w3c-validator/
[Sat Feb 26 20:01:49 2005] [error] [client 192.168.1.2] Premature end of script headers: check, referer: http://darth/w3c-validator/
```

/var/log/messages:

```
Feb 26 20:01:49 darth kernel: audit(1109440909.250:0): avc: denied { execute } for pid=4947 exe=/usr/sbin/httpd name=check dev=hda3 ino=701643 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
```

sestatus:

```
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 18
Policy from config file:        targeted

Policy booleans:
allow_ypbind                    active
dhcpd_disable_trans             inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_tty_comm                  inactive
httpd_unified                   active
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
snmpd_disable_trans             inactive
squid_disable_trans             inactive
syslogd_disable_trans           inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
```

And finally ls -lZ:

```
# ls -Zl /usr/share/w3c-markup-validator/check
-rwxr-xr-x  1 system_u:object_r:usr_t root root 112116 Jul 21  2004 /usr/share/w3c-markup-validator/check
```

My selinux-policy, validator and httpd packages match yours.

I still have no clue about this. Works fine here. On the other hand the behaviour on your boxes makes kind of sense, I wonder why I'm not seeing it. The only difference between your and my sestatus output is that you have httpd_enable_homedirs active, while I've inactivated it. That doesn't affect this, but I also verified that to be sure. Do you have any customizations applied to the targeted config?

```
rpm -V selinux-policy-targeted
```

No special customizations to the policy:

```
[root@darth ~]# rpm -V selinux-policy-targeted
[root@darth ~]#
```

I re-installed FC3 on my original system yesterday because I messed it up by trying to update it to Rawhide. And just now installed w3c-markup-validator and got the same error. This time I used

```
chcon -t httpd_sys_script_exec_t \
    /usr/share/w3c-markup-validator/check
```

and the script started working. Some notes about how I re-installed my system (this time):

1. Before installing, I copied the updated RPMs in /var/cache/yum/updates-released/packages to a partition that I wouldn't format during the installation.
2. Installing from CDs, I selected a "workstation" installation.
3. I also selected to install httpd.
4. After the installation, I removed older, duplicate RPMs from the directory created in step 1 and updated all affected packages:
   ```
   rpm -ivh kernel-2*.rpm
   rpm -Fvh *.rpm
   ```
5. yum update
6. Manually installed the packages required for w3c-markup-validator:
   ```
   perl-Config-General-2.27-1.noarch.rpm
   perl-Net-IP-1.21-1.noarch.rpm
   perl-Set-IntSpan-1.07-5.noarch.rpm
   perl-Text-Iconv-1.4-1.i386.rpm
   w3c-markup-validator-0.6.7-1.noarch.rpm
   w3c-markup-validator-libs-0.6.7-1.noarch.rpm
   ```

The 3 packages mentioned above are still the same:

```
selinux-policy-targeted-1.17.30-2.83
w3c-markup-validator-0.6.7-1
httpd-2.0.52-3.1
```

I don't understand how your check script can work with a context type of usr_t. Maybe one of us should post a question on the fedora-selinux list.

I managed to reproduce this. For a reason unknown to me, my /usr/sbin/httpd was root:object_r:sbin_t. No, I didn't set it myself, and this is a single user box. Now, the check script obviously needs to be system_u:object_r:httpd_sys_script_exec_t, and the static web pages system_u:object_r:httpd_sys_content_t. Dunno about the config files etc yet.

I can also reproduce this problem on FC3+Updates with SELinux, unmodified policies. Any further advice and/or patches or config files before I attempt a workaround based on the info above?

Help is welcome, but here's a couple of things worth noting: I've examined the behaviour somewhat on FC4 (by the way, this package is not yet included in FC4+ due to these problems), see: http://cvs.fedora.redhat.com/viewcvs/rpms/w3c-markup-validator/devel/w3c-markup-validator.spec?root=extras&r1=1.4&r2=1.5

Also, we're (the W3C QA tools development team) releasing version 0.7.0 of the Validator soon; a beta is expected to be launched this week. While it's pretty much similar to 0.6.7, it's not entirely impossible that their SELinux configuration needs might differ a bit. Examining this is assigned to me both here (the FE package) and upstream, and I will try to find time to look at it in the future in any case. But as said, help is welcome, and looking into what 0.6.7 would need is definitely useful.

By the way, there's no way to cleanly install new policy modules currently (until FC5 I hear), so chances are that until then, once someone has figured out exactly what's needed, we'll just include the needed policy changes as documentation in this package.

Oh, and for the record: AFAICT we should most likely be creating an individual SELinux domain for the CGI script here. See http://fedora.redhat.com/docs/selinux-apache-fc3/ for more info.

FYI, this is finally being worked on in bug 182673, sorry for the delay.

Finally got around to verifying that this is indeed done (for the most common HTTP ports) in current F7 selinux policy packages.
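The diagnosis in this thread (an `avc: denied { execute }` from `httpd_t` against a `usr_t` file, fixed by relabeling the CGI script) can be scripted. The following is an added example, not code from the bug report or from the w3c-markup-validator package: it parses the quoted AVC line and `ls -Z` output (both reproduced here as constructed samples) and reports whether the script carries the `httpd_sys_script_exec_t` type that the `chcon` command above applied.

```shell
# Added example, not from the bug report or the w3c-markup-validator package.
# Parses an SELinux AVC denial (the one quoted above, reproduced here as a
# constructed sample) and an ls -Z line, and reports whether the CGI script
# carries the label Fred's chcon command applied (httpd_sys_script_exec_t).

# Print "perm source_type target_type tclass" for one AVC denial line.
parse_avc() {
  line=$1
  perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *[{] *\([a-z_]*\) *[}].*/\1/p')
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([a-z_]*\).*/\1/p')
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([a-z_]*\).*/\1/p')
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
  printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
}

# Extract the SELinux type from an ls -Z / ls -lZ line (format independent:
# picks the first user:role:type field, wherever ls placed it).
type_from_ls() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { split($i, a, ":"); print a[3]; exit }
  }'
}

# Diagnose the failure mode from this bug: httpd_t denied execute on a file
# whose type is not an httpd script type. Prints the label to apply.
suggest_label() {
  set -- $(parse_avc "$1")
  if [ "$1" = execute ] && [ "$2" = httpd_t ] && [ "$4" = file ] \
     && [ "$3" != httpd_sys_script_exec_t ]; then
    echo httpd_sys_script_exec_t
  else
    echo "no suggestion for $1 $2->$3 $4"
  fi
}

# Compare a file's current type (from an ls -Z line) against the expected one.
check_cgi_label() {
  actual=$(type_from_ls "$1")
  if [ "$actual" = "$2" ]; then echo ok; else echo "mislabeled: $actual (expected $2)"; fi
}

# Constructed samples, copied from the report above.
AVC='Feb 26 20:01:49 darth kernel: audit(1109440909.250:0): avc: denied { execute } for pid=4947 exe=/usr/sbin/httpd name=check dev=hda3 ino=701643 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file'
LSZ='-rwxr-xr-x 1 system_u:object_r:usr_t root root 112116 Jul 21 2004 /usr/share/w3c-markup-validator/check'
echo "AVC: $(parse_avc "$AVC")"
echo "Suggested label: $(suggest_label "$AVC")"
echo "Current label: $(check_cgi_label "$LSZ" httpd_sys_script_exec_t)"
```

Note that `chcon` only changes the label until the next filesystem relabel; the persistent equivalent is a `semanage fcontext -a -t httpd_sys_script_exec_t` rule for the path followed by `restorecon`.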