Bug 2141233
| Summary: | SELinux is preventing qgis_mapserv.fc from 'setattr' accesses on the Verzeichnis /usr/lib/fontconfig/cache. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jonathan Haas <jonha87> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | ||
| Version: | 37 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:5938f22c0a6a9c9ebd415e67175d852cc6d158f8c0a21766c0329c0dd7416cee;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-27 19:03:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I am afraid this is not a permission we want to add to selinux policy, this is a room for a local policy. It can be a new policy with assigning new types for the GIS files and let httpd transition, or allow the access with default types according to the audited denials. As no new information appeared during the past weeks, we are going to close this bug. If you need to pursue this matter further, feel free to reopen this bug and attach the needed information. |
Description of problem: Launched QGIS server to serve a WMF layer SELinux is preventing qgis_mapserv.fc from 'setattr' accesses on the Verzeichnis /usr/lib/fontconfig/cache. ***** Plugin catchall (100. confidence) suggests ************************** Wenn Sie denken, dass es qgis_mapserv.fc standardmäßig erlaubt sein sollte, setattr Zugriff auf cache directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # ausearch -c 'qgis_mapserv.fc' --raw | audit2allow -M my-qgismapservfc # semodule -X 300 -i my-qgismapservfc.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:fonts_cache_t:s0 Target Objects /usr/lib/fontconfig/cache [ dir ] Source qgis_mapserv.fc Source Path qgis_mapserv.fc Port <Unbekannt> Host (removed) Source RPM Packages Target RPM Packages fontconfig-2.14.0-3.fc37.x86_64 fontconfig-2.14.0-3.fc37.i686 SELinux Policy RPM selinux-policy-targeted-37.12-2.fc37.noarch Local Policy RPM selinux-policy-targeted-37.12-2.fc37.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.19.16-301.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 21 15:55:37 UTC 2022 x86_64 x86_64 Alert Count 18 First Seen 2022-11-09 09:35:12 CET Last Seen 2022-11-09 09:35:12 CET Local ID cef87f60-23a2-4025-9919-d77944d87d87 Raw Audit Messages type=AVC msg=audit(1667982912.727:469): avc: denied { setattr } for pid=14490 comm="qgis_mapserv.fc" name="cache" dev="dm-0" ino=940642 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir permissive=0 Hash: qgis_mapserv.fc,httpd_t,fonts_cache_t,dir,setattr Version-Release number of selected component: selinux-policy-targeted-37.12-2.fc37.noarch Additional info: component: selinux-policy reporter: libreport-2.17.4 hashmarkername: setroubleshoot kernel: 5.19.16-301.fc37.x86_64 type: libreport