Bug 1655281
| Field | Value |
|---|---|
| Summary | Socket location not covered by SELinux Policy |
| Product | Fedora |
| Component | fcgiwrap |
| Version | 29 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Juan Orti <jorti> |
| Assignee | Andrew Bauer <zonexpertconsulting> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | zonexpertconsulting |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | fcgiwrap-1.1.0-8.20181108git99c942c.fc29, fcgiwrap-1.1.0-8.20181108git99c942c.fc28, fcgiwrap-1.1.0-9.20181108git99c942c.fc28, fcgiwrap-1.1.0-9.20181108git99c942c.fc29, fcgiwrap-1.1.0-9.20181108git99c942c.el7 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2018-12-13 02:15:57 UTC |
Description
Juan Orti
2018-12-02 10:49:32 UTC
Thank you for reporting this. It's good to know someone besides myself is using this package. Strange, I am not seeing this on my system. The web application I am using works well with fcgiwrap and nginx. I see no AVC denials with the sock file. I am far from an expert on SELinux, though, so let me ask you: how might you expect this to be solved? I notice the fcgiwrap package you've got in Copr suggests one put the sock file under /run/nginx/fcgiwrap.sock. Do you get the same AVC denial in this case? Or should I file an SELinux bug report to get this resolved? I'll keep digging.

Hi,

Thanks for the package, I still use it for gitweb. I'm currently putting the socket in /var/run/nginx so it's covered by the SELinux policy and is created with the httpd_var_run_t label. These are the locations with that label:

```
# semanage fcontext -l | grep httpd_var_run_t
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?    all files       system_u:object_r:httpd_var_run_t:s0
/var/lib/php/session(/.*)?                       all files       system_u:object_r:httpd_var_run_t:s0
/var/lib/php/wsdlcache(/.*)?                     all files       system_u:object_r:httpd_var_run_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)?           all files       system_u:object_r:httpd_var_run_t:s0
/var/run/apache.*                                all files       system_u:object_r:httpd_var_run_t:s0
/var/run/cherokee\.pid                           regular file    system_u:object_r:httpd_var_run_t:s0
/var/run/dirsrv/admin-serv.*                     all files       system_u:object_r:httpd_var_run_t:s0
/var/run/gcache_port                             socket          system_u:object_r:httpd_var_run_t:s0
/var/run/httpd.*                                 all files       system_u:object_r:httpd_var_run_t:s0
/var/run/lighttpd(/.*)?                          all files       system_u:object_r:httpd_var_run_t:s0
/var/run/mod_.*                                  all files       system_u:object_r:httpd_var_run_t:s0
/var/run/nginx.*                                 all files       system_u:object_r:httpd_var_run_t:s0
/var/run/php-fpm(/.*)?                           all files       system_u:object_r:httpd_var_run_t:s0
/var/run/thttpd\.pid                             regular file    system_u:object_r:httpd_var_run_t:s0
/var/run/wsgi.*                                  socket          system_u:object_r:httpd_var_run_t:s0
/var/www/openshift/broker/httpd/run(/.*)?        all files       system_u:object_r:httpd_var_run_t:s0
/var/www/openshift/console/httpd/run(/.*)?       all files       system_u:object_r:httpd_var_run_t:s0
```

Maybe a good solution can be to create a directory /var/run/fcgiwrap and make it labeled as httpd_var_run_t. I don't know if it's enough to do in the package:

```
# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'
```

or the main SELinux policy package has to include this change.

With the directory in place, I'd create the socket with %i, to be able to have several instances:

```
ListenStream=/run/fcgiwrap/fcgiwrap-%i.sock
```

Good idea. I've patched my local service file according to your suggestion and created a bug report against selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=1655702

I will push out a new package shortly, with the following changes:

1) Updated fcgiwrap@.socket

```
[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/var/run/fcgiwrap/fcgiwrap-%i.sock
SocketUser=%i
SocketMode=0660
RuntimeDirectory=fcgiwrap

[Install]
WantedBy=sockets.target
```

2) Add README.SELinux that instructs the end user to modify their local policy while we wait for this change to be approved and trickle down:

```
# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'
```

fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Found and fixed a typo in the socket file. New packages are in testing.

fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d425be3696

fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bcdf4082e

fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-234ddd69fa

fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
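The thread turns on one question: which SELinux label a socket path receives from the file-context rules, and therefore whether nginx's httpd policy covers it. The script below is an added example, not code from the bug report or from the fcgiwrap package. It models the file-context lookup with a constructed subset of the `semanage fcontext -l` rules quoted above (the rule list, the `BASE_RULES`/`FIXED_RULES` names and the helper functions are all assumptions of this example), and shows why `/run/nginx/fcgiwrap.sock` lands in `httpd_var_run_t` while `/run/fcgiwrap/fcgiwrap-nginx.sock` falls back to the generic `var_run_t` until the local rule from README.SELinux is added. On a real host the authoritative checks are `matchpathcon -V PATH` and `restorecon -nv PATH`; this script only reproduces the matching so the reasoning can be followed offline.

```shell
#!/bin/sh
# Added example, not part of the bug report or the fcgiwrap package.
# Models how SELinux picks a file context for a path from file_contexts rules,
# using a constructed subset of the httpd_var_run_t rules quoted in the thread.

# Constructed base policy as "regex|type" lines. As in file_contexts, regexes
# are anchored at both ends and the LAST matching entry wins, so the generic
# /var/run rule comes first and the httpd-specific rules override it.
# The file-class column ("socket", "regular file") is deliberately ignored.
BASE_RULES='/var/run(/.*)?|var_run_t
/var/run/httpd.*|httpd_var_run_t
/var/run/nginx.*|httpd_var_run_t
/var/run/php-fpm(/.*)?|httpd_var_run_t
/var/run/cherokee\.pid|httpd_var_run_t
/var/run/wsgi.*|httpd_var_run_t'

# The same rules after the README.SELinux step,
#   semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'
# which lands in file_contexts.local and is consulted after the base policy.
FIXED_RULES="${BASE_RULES}
/var/run/fcgiwrap(/.*)?|httpd_var_run_t"

# Fedora rewrites /run to /var/run before matching (file_contexts.subs_dist),
# so a unit listening on /run/fcgiwrap/... is judged by the /var/run rules.
canon_path() {
    case "$1" in
        /run/*) printf '/var%s\n' "$1" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# lookup_type RULES PATH: type of the last rule whose anchored regex matches
# PATH; prints nothing when no rule matches.
lookup_type() {
    rules=$1; p=$2; found=''
    while IFS='|' read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$p" | grep -Eq "^${regex}\$"; then
            found=$type
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$found"
}

# fcontext_type RULES PATH: the label the path would receive, or "unlabelled"
# when no rule covers it at all.
fcontext_type() {
    t=$(lookup_type "$1" "$(canon_path "$2")")
    printf '%s\n' "${t:-unlabelled}"
}

# httpd_covered RULES PATH: succeeds only if the path falls inside the
# httpd_var_run_t namespace that the httpd policy module governs.
httpd_covered() {
    [ "$(fcontext_type "$1" "$2")" = httpd_var_run_t ]
}

# Demonstration on the two socket locations discussed in the thread.
for sock in /run/nginx/fcgiwrap.sock /run/fcgiwrap/fcgiwrap-nginx.sock; do
    printf 'base policy : %-36s -> %s\n' "$sock" "$(fcontext_type "$BASE_RULES" "$sock")"
    printf 'with fix    : %-36s -> %s\n' "$sock" "$(fcontext_type "$FIXED_RULES" "$sock")"
done
```

Two design points carry over to the real system: later entries override earlier ones, which is why `semanage fcontext -a` (written to `file_contexts.local`, loaded after the distribution policy) can reclassify a directory without editing the base policy, and the rewrite of `/run` to `/var/run` is why the socket unit may use either prefix. Note that after adding the rule the existing socket still has to be relabelled (`restorecon -Rv /run/fcgiwrap`) or recreated; the rule only changes what new lookups return.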