Bug 1572369

Summary: SELinux is preventing httpd from 'map' accesses on public_content_t
Product: Fedora
Reporter: Jason Tibbitts <j>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, tmz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-283.35.fc27
Last Closed: 2018-07-06 15:43:59 UTC
Type: Bug
Bug Blocks: 1481454

Description Jason Tibbitts 2018-04-26 20:20:01 UTC
I happened to take a look at the audit logs for my two public Fedora mirrors today and found hundreds of thousands of the following denials:

type=AVC msg=audit(1524757500.315:63341066): avc:  denied  { map } for  pid=29361 comm="httpd" path="/srv/mirror/pub/fedora-buffet/epel/7/x86_64/Packages/o/openmx-data-3.8.1-9.el7.noarch.rpm" dev="bcache0" ino=32664828575 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0

I can't tell when this started because the audit log fills completely in a few hours as it happens for every URL accessed.  I figure someone would have reported it by now if it was a common occurrence but my bugzilla searching failed to turn anything up.  All I see in the policy with sesearch -A -s httpd_t -t public_content_t is:

allow httpd_t file_type:dir { getattr open search };
allow httpd_t file_type:filesystem getattr;
allow httpd_t public_content_t:dir { getattr ioctl lock open read search };
allow httpd_t public_content_t:file { getattr ioctl lock open read };
allow httpd_t public_content_t:lnk_file { getattr read };

so maybe this is another instance where the map privilege needs to be added?  I see that, assuming I can use sesearch correctly, map is allowed for httpd_sys_content_t and user_home_t (with the appropriate boolean set).  I'm not sure why public_content_t would be different.

I am currently running selinux-policy-3.13.1-283.32.fc27.noarch from updates-testing.

Comment 1 Jason Tibbitts 2018-04-26 20:26:34 UTC
I should add that doing the following quiets things down, in case someone else runs into this:

echo "(allow httpd_t public_content_t (file (map)))" > /tmp/httpd-quiet.cil
semodule -i /tmp/httpd-quiet.cil
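The workaround above hand-writes one CIL rule from one denial. Below is an added example (not from the bug report or the selinux-policy project) that parses AVC records of the form shown in the description, aggregates them by source type, target type, class and permission, and emits CIL allow statements only for source/target pairs an administrator has explicitly reviewed, so unrelated denials in the same log are not silently allowed. The sample log lines are constructed (paths, pids and inodes are made up) and modelled on the record quoted in this bug.

```python
import re
from collections import Counter

# Constructed sample audit records modelled on the denial in this bug report.
# Paths, pids, inodes and the admin_home_t record are made up for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1524757500.315:63341066): avc:  denied  { map } for  pid=29361 comm="httpd" path="/srv/mirror/pub/a.rpm" dev="bcache0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524757501.100:63341067): avc:  denied  { map } for  pid=29361 comm="httpd" path="/srv/mirror/pub/b.rpm" dev="bcache0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1524757502.200:63341068): avc:  denied  { read open } for  pid=4242 comm="httpd" path="/srv/other/x" dev="bcache0" ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1524757502.200:63341068): arch=c000003e syscall=257 success=no exit=-13
"""

# Matches only AVC records; the permission set inside braces may hold several names.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(text):
    """Return one (source_type, target_type, tclass, perm) tuple per denied permission."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            denials.append((stype, ttype, m.group("tclass"), perm))
    return denials

def summarize(text):
    """Count denials per (source, target, class, permission) to see what actually dominates."""
    return Counter(parse_avc_denials(text))

def cil_allow_rules(text, reviewed_pairs):
    """Emit CIL allow statements, but only for (source_type, target_type) pairs in reviewed_pairs.

    Denials for any other pair are left out on purpose: they need their own review
    rather than being swept into the same local policy module.
    """
    perms_by_rule = {}
    for (stype, ttype, tclass, perm), _count in summarize(text).items():
        if (stype, ttype) not in reviewed_pairs:
            continue
        perms_by_rule.setdefault((stype, ttype, tclass), set()).add(perm)
    return sorted(
        f"(allow {s} {t} ({c} ({' '.join(sorted(perms))})))"
        for (s, t, c), perms in perms_by_rule.items()
    )
```

With `reviewed_pairs={("httpd_t", "public_content_t")}` the output is exactly the single rule used in the workaround above, while the constructed admin_home_t denial is reported by `summarize()` but not turned into a rule.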

Comment 2 Todd Zullinger 2018-04-26 22:05:22 UTC
I'm not entirely sure if a more limited map interface for public_content_t is needed or if adding this to the existing miscfiles_read_public_files interface is reasonable.

diff --git i/policy/modules/system/miscfiles.if w/policy/modules/system/miscfiles.if
index 73fc71dbc..71638a80d 100644
--- i/policy/modules/system/miscfiles.if
+++ w/policy/modules/system/miscfiles.if
@@ -771,6 +771,7 @@ interface(`miscfiles_read_public_files',`
 	')
 
 	allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
+	allow $1 { public_content_t public_content_rw_t }:file map;
 	read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
 	read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
 ')
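Review bot: the new `allow $1 { public_content_t public_content_rw_t }:file map;` line widens the grant for every domain that calls miscfiles_read_public_files, not just httpd_t, and also covers public_content_rw_t, which the reported denial does not involve; as the comment above already wonders, a separate interface that callers opt into (invoked from the apache module for httpd_t) would keep the change scoped to the domain that needs it. If the rule does stay in this interface, the interface's doc comment should be updated to say that callers now also get map on these files, since that is a meaningful change for anyone auditing what the interface grants.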

This diff is against the rawhide branch of the https://github.com/fedora-selinux/selinux-policy repo.  I filed it as https://github.com/fedora-selinux/selinux-policy/pull/213 in the hope that it helps speed up a fix.

Comment 3 Jason Tibbitts 2018-04-30 17:41:33 UTC
I'm not sure if the changes in the 3.13.1-283.34 package were supposed to help with this, but I did test that package and found that the denials are still present.

Comment 4 Fedora Update System 2018-05-28 07:42:06 UTC
selinux-policy-3.13.1-283.35.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 5 Fedora Update System 2018-05-28 14:24:50 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a57dc63c1

Comment 6 Fedora Update System 2018-07-06 15:43:59 UTC
selinux-policy-3.13.1-283.35.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.