Bug 1655281

Summary: Socket location not covered by SELinux Policy
Product: Fedora
Component: fcgiwrap
Version: 29
Status: CLOSED ERRATA
Type: Bug
Reporter: Juan Orti <jorti>
Assignee: Andrew Bauer <zonexpertconsulting>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: zonexpertconsulting
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: fcgiwrap-1.1.0-8.20181108git99c942c.fc29, fcgiwrap-1.1.0-8.20181108git99c942c.fc28, fcgiwrap-1.1.0-9.20181108git99c942c.fc28, fcgiwrap-1.1.0-9.20181108git99c942c.fc29, fcgiwrap-1.1.0-9.20181108git99c942c.el7
Last Closed: 2018-12-13 02:15:57 UTC

Description Juan Orti 2018-12-02 10:49:32 UTC
Description of problem:
The default socket location in /run/fcgiwrap.sock is not writable by the Apache or Nginx servers because of the SELinux policy.

# ls -laZ /run/fcgiwrap.sock
srw-rw----. 1 nginx nginx system_u:object_r:var_run_t:s0 0 dic  2 11:40 /run/fcgiwrap.sock


AVC avc:  denied  { write } for  pid=16137 comm="nginx" name="fcgiwrap.sock" dev="tmpfs" ino=5404007 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


Version-Release number of selected component (if applicable):
fcgiwrap-1.1.0-7.20181108git99c942c.fc29.x86_64

Comment 1 Andrew Bauer 2018-12-02 18:40:38 UTC
Thank you for reporting this. It's good to know someone besides myself is using this package.

Strange, I am not seeing this on my system. The web application I am using works well with fcgiwrap and nginx. I see no avc denials with the sock file.


I am far from an expert on selinux though so let me ask you, how might you expect this to be solved? 

I notice the fcgiwrap package you've got in Copr suggests one put the sock file under /run/nginx/fcgiwrap.sock. Do you get the same avc denial in this case?


Or should I file an selinux bug report to get this resolved?

I'll keep digging.

Comment 2 Juan Orti 2018-12-03 08:53:00 UTC
Hi,

Thanks for the package, I still use it for gitweb. I'm currently putting the socket in /var/run/nginx so it's covered by the SELinux policy and is created with the httpd_var_run_t label.

These are the locations with that label:

# semanage fcontext -l | grep httpd_var_run_t
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?      all files          system_u:object_r:httpd_var_run_t:s0 
/var/lib/php/session(/.*)?                         all files          system_u:object_r:httpd_var_run_t:s0 
/var/lib/php/wsdlcache(/.*)?                       all files          system_u:object_r:httpd_var_run_t:s0 
/var/opt/rh/rh-nginx18/run/nginx(/.*)?             all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/apache.*                                  all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/cherokee\.pid                             regular file       system_u:object_r:httpd_var_run_t:s0 
/var/run/dirsrv/admin-serv.*                       all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/gcache_port                               socket             system_u:object_r:httpd_var_run_t:s0 
/var/run/httpd.*                                   all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/lighttpd(/.*)?                            all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/mod_.*                                    all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/nginx.*                                   all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/php-fpm(/.*)?                             all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/thttpd\.pid                               regular file       system_u:object_r:httpd_var_run_t:s0 
/var/run/wsgi.*                                    socket             system_u:object_r:httpd_var_run_t:s0 
/var/www/openshift/broker/httpd/run(/.*)?          all files          system_u:object_r:httpd_var_run_t:s0 
/var/www/openshift/console/httpd/run(/.*)?         all files          system_u:object_r:httpd_var_run_t:s0

Maybe a good solution would be to create a directory /var/run/fcgiwrap and label it httpd_var_run_t. I don't know if it's enough to do this in the package:

# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'

or the main SELinux policy package has to include this change.

With the directory in place, I'd create the socket with %i, to be able to have several instances:

ListenStream=/run/fcgiwrap/fcgiwrap-%i.sock

Comment 3 Andrew Bauer 2018-12-03 18:07:21 UTC
Good idea.

I've patched my local service file according to your suggestion and created a bug report against selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1655702

I will push out a new package shortly, with the following changes:

1) Updated fcgiwrap@.socket
---------------------------

[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/var/run/fcgiwrap/fcgiwrap-%i.sock
SocketUser=%i
SocketMode=0660
RuntimeDirectory=fcgiwrap

[Install]
WantedBy=sockets.target

2) Add README.SELinux that instructs the end user to modify their local policy while we wait for this change to be approved and trickle down:

# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'
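
The thread above turns on how the file-context database assigns a type to a path under /run, so here is an added example (not code from fcgiwrap, selinux-policy, or either participant) that predicts that label offline. It assumes two things the page does not quote: the /run to /var/run alias from the targeted policy's file_contexts.subs_dist, and the base policy's var_run_t catch-all for /var/run; the httpd_var_run_t rows come from Comment 2 and the local rule from the README text. The specificity ordering is an approximation of libselinux's lookup, not its exact code.

```python
"""Predict the SELinux type a socket path under /run receives, offline.

Added example for this bug report, not code from fcgiwrap or selinux-policy.
It approximates libselinux's file-context lookup: the /run prefix is first
aliased to /var/run (file_contexts.subs_dist), then among the regexes that
match the whole path the most specific wins (longest literal stem, then
fewer metacharacters, then the entry loaded last, which is how a semanage
local rule overrides the distribution policy).
"""
import re

# Prefix aliases applied before matching. Assumed from the targeted policy's
# file_contexts.subs_dist; this alias is why /var/run/... regexes also govern
# paths under /run.
SUBS = [("/run", "/var/run")]

# Constructed spec table: the base-policy catch-all for /var/run (assumed from
# refpolicy, not quoted in this bug) and the httpd_var_run_t entries under
# /var/run that Comment 2 lists.
BASE_FCONTEXTS = [
    (r"/var/run/.*", "var_run_t"),
    (r"/var/run/apache.*", "httpd_var_run_t"),
    (r"/var/run/httpd.*", "httpd_var_run_t"),
    (r"/var/run/lighttpd(/.*)?", "httpd_var_run_t"),
    (r"/var/run/nginx.*", "httpd_var_run_t"),
    (r"/var/run/php-fpm(/.*)?", "httpd_var_run_t"),
]

# The local rule README.SELinux asks the user to add with semanage fcontext.
LOCAL_FCONTEXTS = [(r"/var/run/fcgiwrap(/.*)?", "httpd_var_run_t")]

# The denial quoted in the bug description (copied from the report).
SAMPLE_AVC = (
    'avc:  denied  { write } for  pid=16137 comm="nginx" name="fcgiwrap.sock" '
    'dev="tmpfs" ino=5404007 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'
)

_META = set(".^$?*+|[](){}\\")


def _specificity(regex):
    """Rank a spec: longer literal stem first, then fewer metacharacters."""
    stem = 0
    while stem < len(regex) and regex[stem] not in _META:
        stem += 1
    return (stem, -sum(1 for c in regex if c in _META))


def substitute(path):
    """Rewrite an aliased prefix the way file_contexts.subs_dist does."""
    for alias, real in SUBS:
        if path == alias or path.startswith(alias + "/"):
            return real + path[len(alias):]
    return path


def predict_type(path, fcontexts):
    """Return the SELinux type the spec table assigns to path, or None."""
    target = substitute(path)
    best = None
    for order, (regex, setype) in enumerate(fcontexts):
        if re.fullmatch(regex, target):
            key = _specificity(regex) + (order,)
            if best is None or key > best[0]:
                best = (key, setype)
    return best[1] if best else None


_AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an audit AVC record into its key=value fields, unquoting values."""
    return {k: v.strip('"') for k, v in _AVC_FIELD.findall(line)}


def denial_matches_policy(avc_line, path, fcontexts):
    """True when the denied target carries exactly the type the spec table
    predicts for its path: the file is labeled as policy says, so the fix is a
    new fcontext rule (or a new path), not a restorecon."""
    avc = parse_avc(avc_line)
    tcontext_type = avc["tcontext"].split(":")[2]
    return predict_type(path, fcontexts) == tcontext_type


if __name__ == "__main__":
    both = BASE_FCONTEXTS + LOCAL_FCONTEXTS
    for p in ("/run/fcgiwrap.sock", "/run/nginx/fcgiwrap.sock",
              "/run/fcgiwrap/fcgiwrap-nginx.sock"):
        print(f"{p}: base={predict_type(p, BASE_FCONTEXTS)} "
              f"with-local={predict_type(p, both)}")
    print("denial consistent with policy:",
          denial_matches_policy(SAMPLE_AVC, "/run/fcgiwrap.sock", BASE_FCONTEXTS))
```

Running it reproduces the thread: the original /run/fcgiwrap.sock only matches the catch-all and gets var_run_t, which is exactly the tcontext in the AVC record, so the denial is a labeling gap rather than a mislabeled file; /run/nginx/fcgiwrap.sock is picked up by the existing /var/run/nginx.* rule; and /run/fcgiwrap/fcgiwrap-nginx.sock becomes httpd_var_run_t only once the local rule is present. Note that the local rule covers the new directory, not a socket left at the old /run/fcgiwrap.sock path, and that anything already created under /run/fcgiwrap before the rule was added needs `restorecon -Rv /run/fcgiwrap` to pick it up.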

Comment 4 Fedora Update System 2018-12-04 14:08:10 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

Comment 5 Fedora Update System 2018-12-04 14:17:00 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

Comment 6 Fedora Update System 2018-12-04 14:26:58 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

Comment 7 Fedora Update System 2018-12-05 03:06:49 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

Comment 8 Fedora Update System 2018-12-05 03:54:16 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

Comment 9 Fedora Update System 2018-12-05 03:59:06 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

Comment 10 Fedora Update System 2018-12-13 02:15:57 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-12-13 02:47:06 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Andrew Bauer 2018-12-15 02:53:42 UTC
Found and fixed a typo in the socket file. New packages are in testing.

Comment 13 Fedora Update System 2018-12-16 01:03:51 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d425be3696

Comment 14 Fedora Update System 2018-12-16 03:17:32 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bcdf4082e

Comment 15 Fedora Update System 2018-12-16 03:57:51 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-234ddd69fa

Comment 16 Fedora Update System 2018-12-24 01:48:34 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2018-12-24 06:07:17 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2018-12-31 03:11:00 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.