Bug 1549514

Summary: /var/log/shibboleth-www(/.*) needs httpd_sys_content_rw_t
Product: Red Hat Enterprise Linux 7
Reporter: Benjamin Lefoul <lef>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: dapospis, dmulford, lvrabec, mgrepl, mmalik, moremellotron, nbhumkar, plautrba, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-10-30 10:02:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Benjamin Lefoul 2018-02-27 10:11:58 UTC
Shibboleth is a Web Single Sign-On implementation based on OpenSAML that supports multiple protocols, federated identity, and the extensible exchange of rich attributes subject to privacy controls.
It is packaged together with Apache module mod_shib (/usr/lib64/shibboleth/mod_shib_24.so).

Shibboleth historically uses /var/log/shibboleth-www for logging (labeled by default as var_log_t).

Most people use the RPM provided in this repo:
http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/

[root@anon ~]# rpm -qf /var/log/shibboleth-www
shibboleth-2.6.1-3.1.x86_64

[root@anon ~]# rpm -ql shibboleth-2.6.1-3.1.x86_64
/etc/httpd/conf.d/shib.conf
/etc/shibboleth
/etc/shibboleth/accessError.html
/etc/shibboleth/accessError.html.dist
/etc/shibboleth/apache.config
/etc/shibboleth/apache2.config
/etc/shibboleth/apache22.config
/etc/shibboleth/apache24.config
/etc/shibboleth/attrChecker.html
/etc/shibboleth/attrChecker.html.dist
/etc/shibboleth/attribute-map.xml
/etc/shibboleth/attribute-map.xml.dist
/etc/shibboleth/attribute-policy.xml
/etc/shibboleth/attribute-policy.xml.dist
/etc/shibboleth/bindingTemplate.html
/etc/shibboleth/bindingTemplate.html.dist
/etc/shibboleth/console.logger
/etc/shibboleth/console.logger.dist
/etc/shibboleth/discoveryTemplate.html
/etc/shibboleth/discoveryTemplate.html.dist
/etc/shibboleth/example-metadata.xml
/etc/shibboleth/example-metadata.xml.dist
/etc/shibboleth/example-shibboleth2.xml
/etc/shibboleth/example-shibboleth2.xml.dist
/etc/shibboleth/globalLogout.html
/etc/shibboleth/globalLogout.html.dist
/etc/shibboleth/keygen.sh
/etc/shibboleth/localLogout.html
/etc/shibboleth/localLogout.html.dist
/etc/shibboleth/metadataError.html
/etc/shibboleth/metadataError.html.dist
/etc/shibboleth/metagen.sh
/etc/shibboleth/native.logger
/etc/shibboleth/native.logger.dist
/etc/shibboleth/partialLogout.html
/etc/shibboleth/partialLogout.html.dist
/etc/shibboleth/postTemplate.html
/etc/shibboleth/postTemplate.html.dist
/etc/shibboleth/protocols.xml
/etc/shibboleth/protocols.xml.dist
/etc/shibboleth/security-policy.xml
/etc/shibboleth/security-policy.xml.dist
/etc/shibboleth/sessionError.html
/etc/shibboleth/sessionError.html.dist
/etc/shibboleth/shibboleth2.xml
/etc/shibboleth/shibboleth2.xml.dist
/etc/shibboleth/shibd-amazon
/etc/shibboleth/shibd-debian
/etc/shibboleth/shibd-osx.plist
/etc/shibboleth/shibd-redhat
/etc/shibboleth/shibd-suse
/etc/shibboleth/shibd-systemd
/etc/shibboleth/shibd.logger
/etc/shibboleth/shibd.logger.dist
/etc/shibboleth/sslError.html
/etc/shibboleth/sslError.html.dist
/etc/shibboleth/syslog.logger
/etc/shibboleth/syslog.logger.dist
/usr/bin/mdquery
/usr/bin/resolvertest
/usr/lib/systemd/system/shibd.service
/usr/lib/tmpfiles.d/shibboleth.conf
/usr/lib64/libshibsp-lite.so.7
/usr/lib64/libshibsp-lite.so.7.0.1
/usr/lib64/libshibsp.so.7
/usr/lib64/libshibsp.so.7.0.1
/usr/lib64/shibboleth
/usr/lib64/shibboleth/adfs-lite.so
/usr/lib64/shibboleth/adfs.so
/usr/lib64/shibboleth/memcache-store.so
/usr/lib64/shibboleth/mod_shib_24.so
/usr/lib64/shibboleth/odbc-store.so
/usr/lib64/shibboleth/plugins-lite.so
/usr/lib64/shibboleth/plugins.so
/usr/sbin/shibd
/usr/share/doc/shibboleth-2.6.1
/usr/share/doc/shibboleth-2.6.1/CREDITS.txt
/usr/share/doc/shibboleth-2.6.1/FASTCGI.LICENSE
/usr/share/doc/shibboleth-2.6.1/LICENSE.txt
/usr/share/doc/shibboleth-2.6.1/LOG4CPP.LICENSE
/usr/share/doc/shibboleth-2.6.1/NOTICE.txt
/usr/share/doc/shibboleth-2.6.1/OPENSSL.LICENSE
/usr/share/doc/shibboleth-2.6.1/README.txt
/usr/share/doc/shibboleth-2.6.1/RELEASE.txt
/usr/share/shibboleth
/usr/share/shibboleth/main.css
/usr/share/xml/shibboleth
/usr/share/xml/shibboleth/WS-Trust.xsd
/usr/share/xml/shibboleth/catalog.xml
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-basic.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-afp-mf-saml.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-afp.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-attribute-map.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-config.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-native-sp-protocols.xsd
/usr/share/xml/shibboleth/shibboleth-2.0-sp-notify.xsd
/usr/share/xml/shibboleth/shibboleth-metadata-1.0.xsd
/usr/share/xml/shibboleth/shibboleth.xsd
/var/cache/shibboleth
/var/log/shibboleth
/var/log/shibboleth-www
/var/run/shibboleth


But /var/log/shibboleth-www(/.*) needs httpd_sys_content_rw_t

Otherwise:

[root@anon ~]# ausearch -m "AVC" | grep "/var/log/shibboleth-www"
type=AVC msg=audit(1510725658.200:23231): avc:  denied  { open } for  pid=64999 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510725704.104:23257): avc:  denied  { open } for  pid=77317 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510725758.528:35): avc:  denied  { open } for  pid=1144 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510725760.432:47): avc:  denied  { open } for  pid=1144 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510725770.999:58): avc:  denied  { open } for  pid=1144 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510737814.267:402): avc:  denied  { open } for  pid=47136 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511859863.846:9175): avc:  denied  { open } for  pid=95428 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511860802.641:9193): avc:  denied  { open } for  pid=98511 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511860922.822:9198): avc:  denied  { open } for  pid=98888 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511861043.806:9203): avc:  denied  { open } for  pid=99288 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511861255.514:9213): avc:  denied  { open } for  pid=99987 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511861664.585:9225): avc:  denied  { open } for  pid=101251 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511861781.020:9228): avc:  denied  { open } for  pid=101633 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511862138.992:9241): avc:  denied  { open } for  pid=102709 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511862305.523:9245): avc:  denied  { open } for  pid=103275 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511862786.352:9262): avc:  denied  { open } for  pid=104703 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511877115.903:9497): avc:  denied  { open } for  pid=16946 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1511946341.207:10128): avc:  denied  { open } for  pid=91751 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1512026044.827:10875): avc:  denied  { open } for  pid=65846 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1512026128.921:10916): avc:  denied  { open } for  pid=66209 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1512083404.042:11424): avc:  denied  { open } for  pid=66209 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1513144920.920:48): avc:  denied  { open } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1513144935.249:58): avc:  denied  { open } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1513144941.829:61): avc:  denied  { open } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1514761803.446:11383): avc:  denied  { open } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1515564064.345:51): avc:  denied  { open } for  pid=4537 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1517440204.195:14692): avc:  denied  { open } for  pid=4537 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1517440210.805:14696): avc:  denied  { open } for  pid=4537 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1518588058.646:50): avc:  denied  { open } for  pid=4550 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1518588060.911:56): avc:  denied  { open } for  pid=4550 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1518588071.923:65): avc:  denied  { open } for  pid=4550 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1518588074.437:66): avc:  denied  { open } for  pid=4550 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file


httpd_log_t is not enough because it then turns out we also need write, unlink, link and rename:

[root@anon ~] sesearch -s httpd_t -t httpd_log_t -c file -Ad
Found 1 semantic av rules:
   allow httpd_t httpd_log_t : file { ioctl read create getattr setattr lock append open } ; 

[root@anon ~] sesearch -s httpd_t -t httpd_sys_content_rw_t -c file -Ad
Found 2 semantic av rules:
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 

Solution: /var/log/shibboleth-www(/.*) needs httpd_sys_content_rw_t

Benjamin Lefoul
benjamin.lefoul.se
Technical system administrator
Uppsala university, IT Division, Office of Operations; Linux
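The report's argument (the AVC records show httpd_t being denied on var_log_t files, and the sesearch output shows httpd_log_t lacks write/unlink/link/rename while httpd_sys_rw_content_t has them) can be checked mechanically. The following is an added example, not code from the bug report or from the Shibboleth project: it parses audit AVC lines, groups the denied permissions per path, and reports which candidate target type's allow set (taken from the sesearch output quoted above) covers a given set of needed permissions. The sample audit lines are constructed in the same shape as the ones in the report; the `{ write rename }` line is invented to show a multi-permission record.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit records quoted in the report.
SAMPLE_AVC = """\
type=AVC msg=audit(1510725658.200:23231): avc:  denied  { open } for  pid=64999 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1513144920.920:48): avc:  denied  { open } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native.log" dev="dm-5" ino=1069124 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1514761803.446:11383): avc:  denied  { write rename } for  pid=3858 comm="httpd" path="/var/log/shibboleth-www/native_warn.log" dev="dm-5" ino=1069125 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Per-type permission sets for httpd_t on tclass file, as printed by sesearch in the report.
ALLOW_RULES = {
    "httpd_log_t": {"ioctl", "read", "create", "getattr", "setattr", "lock", "append", "open"},
    "httpd_sys_rw_content_t": {"ioctl", "read", "write", "create", "getattr", "setattr",
                               "lock", "append", "unlink", "link", "rename", "open"},
}

# Pull the denied permissions, path, source/target types and object class out of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?path="(?P<path>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(text):
    """Yield one dict per AVC denial; non-matching lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            yield rec

def summarize(text):
    """Map (source type, target type, class, path) to the union of denied permissions."""
    denied = defaultdict(set)
    for rec in parse_avc(text):
        denied[(rec["stype"], rec["ttype"], rec["tclass"], rec["path"])] |= rec["perms"]
    return dict(denied)

def covering_types(needed, rules=ALLOW_RULES):
    """Candidate target types whose allow set contains every needed permission."""
    return sorted(t for t, allowed in rules.items() if needed <= allowed)

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_AVC).items():
        print(key, sorted(perms))
    # The full set the report says httpd needs on its log files.
    print(covering_types({"open", "write", "unlink", "link", "rename"}))
```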

Comment 3 Benjamin Lefoul 2018-02-28 20:08:57 UTC
Typo, I meant httpd_sys_rw_content_t, not httpd_sys_content_rw_t!

Comment 4 Scott Cantor 2018-03-01 16:46:30 UTC
I'm not sure why this is a Red Hat bug, and would suggest it be closed. The only packages for Shibboleth for Red Hat are provided by the Shibboleth Project, and our policy on SELinux remains "not supported", so other than noting it as an input to an issue in our JIRA for future tracking purposes, there's really no bug here, nor any issue for Red Hat.

Or I'm just confused, but since my name got dragged into the bug...

Comment 5 Benjamin Lefoul 2018-03-01 20:26:32 UTC
(In reply to Scott Cantor from comment #4)
> I'm not sure why this is a Red Hat bug, and would suggest it be closed. The
> only packages for Shibboleth for Red Hat are provided by the Shibboleth
> Project, and our policy on SELinux remains "not supported", so other than
> noting it as an input to an issue in our JIRA for future tracking purposes,
> there's really no bug here, nor any issue for Red Hat.
> 
> Or I'm just confused, but since my name got dragged into the bug...

Hi Scott,

I CCed because I thought you might be interested. I found your email in the src.rpm's changelog. This is not a feature request for shibboleth (which is indeed unsupported) but for the selinux-policy RPM. If you look at the man page for apache_selinux on RHEL, there are many directories listed with type httpd_sys_rw_content_t and canonically created by software not supported by Red Hat. As far as I can tell, adding /var/log/shibboleth-www(/.*) to that list should not be a problem, and I think that handles all SELinux denials I have come across with shibboleth.

If you think this should be closed that's fine, but then I'll probably just ask one step upstream on the fedora fork of the reference policy where the maintainers are essentially the same as here...

Comment 6 Scott Cantor 2018-03-01 20:41:46 UTC
Ah, thanks for clarifying. Just my ignorance of SELinux, I didn't understand the request you were making. If they do include third party directories, that's fine, that's a stable location, but I will say we're almost certainly switching the default native.logger sink for 3.0 to go to syslog anyway.

Comment 14 errata-xmlrpc 2018-10-30 10:02:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111