Bug 234266

Summary: apcupsd web monitoring generates slew of avc denied errors
Product: [Fedora] Fedora
Reporter: Need Real Name <bugzilla>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Docs Contact:
Priority: medium
Version: 6
CC: amessina, goodyca48, ronin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-22 14:12:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
apcupsd audits (no flags)

Description Need Real Name 2007-03-27 23:58:39 UTC
Running apcupsd-3.12.4-4.fc6 generates multiple avc: denied errors when
attempting to read the apc status via a web browser (using multimon.cgi or
upsstats.cgi). (This occurs even when viewing from localhost).

I had to add the following lines to my local.avc file to make it work (note I
stripped out generic info like pid or inode #):

avc:  denied  { create } comm="multimon.cgi" scontext=system_u:system_r:httpd_s\
ys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_sock\
et
avc:  denied  { connect } comm="multimon.cgi" scontext=system_u:system_r:httpd_\
sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_soc\
ket
avc:  denied  { name_connect } comm="multimon.cgi" dest=3551 scontext=system_u:\
system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_\
socket
avc:  denied  { tcp_send } comm="multimon.cgi" saddr=127.0.0.1 src=51269 daddr=\
127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 t\
context=system_u:object_r:netif_t:s0 tclass=netif
avc:  denied  { tcp_send } comm="multimon.cgi" saddr=127.0.0.1 src=36872 daddr=\
127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 t\
context=system_u:object_r:node_t:s0 tclass=node
avc:  denied  { send_msg } comm="multimon.cgi" saddr=127.0.0.1 src=36875 daddr=\
127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 t\
context=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { tcp_recv } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=1\
27.0.0.1 dest=36878 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 t\
context=system_u:object_r:netif_t:s0 tclass=netif
avc:  denied  { tcp_recv } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=1\
27.0.0.1 dest=36880 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 t\
context=system_u:object_r:node_t:s0 tclass=node
avc:  denied { recv_msg } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=12\
7.0.0.1 dest=55171 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tc\
ontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { write } comm="multimon.cgi" dev=sockfs scontext=system_u:system\
_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclas\
s=tcp_socket
avc:  denied  { read } comm="multimon.cgi" dev=sockfs scontext=system_u:system_\
r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass\
=tcp_socket

Comment 1 Daniel Walsh 2007-04-10 18:50:44 UTC
Fixed in selinux-policy-2.4.6-54


Comment 2 Need Real Name 2007-04-11 17:09:35 UTC
Did you test this?
Because I still get avc: denied errors even on selinux-policy-targeted-2.4.6.5

Also, not only does the web display not work, but even the cli display
'apcaccess' doesn't work.

Any suggestions?
(I'm assuming that a reboot wasn't required to get the new
selinux-policy-targeted to take effect)

Comment 3 Daniel Walsh 2007-04-11 17:54:07 UTC
I tested it somewhat on Rawhide.  What avc messages are you seeing?  You might
need to restart the service.

Comment 4 Anthony Messina 2007-04-12 18:02:39 UTC
I am using selinux-policy-2.4.6-54, and see the same issues as the OP.  It
appears as though selinux isn't favoring configs that are not standalone or the
monitoring of multiple ups.

Comment 5 Daniel Walsh 2007-04-12 18:17:32 UTC
What AVC messages are you seeing?

Comment 6 Anthony Messina 2007-04-12 18:23:38 UTC
Created attachment 152498: apcupsd audits

See attachment

Comment 7 Daniel Walsh 2007-04-12 19:55:26 UTC
Fixed in selinux-policy-2.4.6-56

Comment 8 Need Real Name 2007-04-20 04:15:05 UTC
OK. Some progress has been made in that starting/stopping the apcupsd service
and running apcaccess no longer generate errors.

However the cgi scripts such as multimon.cgi and upsstats.cgi still generate
slews of avc errors: (note these scripts are in the apcupsd-cgi rpm)

audit(1177041849.109:19): avc:  denied  { create } for  pid=14986 comm="multimo\
n.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:\
httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:20): avc:  denied  { connect } for  pid=14986 comm="multim\
on.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r\
:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:21): avc:  denied  { name_connect } for  pid=14986 comm="m\
ultimon.cgi" dest=3551 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=\
system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket
audit(1177041849.109:22): avc:  denied  { tcp_send } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tcl\
ass=netif
audit(1177041849.109:23): avc:  denied  { tcp_send } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lo_node_t:s0 t\
class=node
audit(1177041849.109:24): avc:  denied  { send_msg } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t\
:s0 tclass=tcp_socket
audit(1177041849.109:25): avc:  denied  { tcp_recv } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tcl\
ass=netif
audit(1177041849.109:26): avc:  denied  { tcp_recv } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lo_node_t:s0 t\
class=node
audit(1177041849.109:27): avc:  denied  { recv_msg } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t\
:s0 tclass=tcp_socket
audit(1177041849.109:28): avc:  denied  { write } for  pid=14986 comm="multimon\
.cgi" name="[1745604]" dev=sockfs ino=1745604 scontext=user_u:system_r:httpd_sy\
s_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:29): avc:  denied  { read } for  pid=14986 comm="multimon.\
cgi" name="[1745604]" dev=sockfs ino=1745604 scontext=user_u:system_r:httpd_sys\
_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:30): avc:  denied  { create } for  pid=15081 comm="upsstat\
s.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:\
httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:31): avc:  denied  { connect } for  pid=15081 comm="upssta\
ts.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r\
:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:32): avc:  denied  { write } for  pid=15081 comm="upsstats\
.cgi" name="[1745800]" dev=sockfs ino=1745800 scontext=user_u:system_r:httpd_sy\
s_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:33): avc:  denied  { read } for  pid=15081 comm="upsstats.\
cgi" name="[1745800]" dev=sockfs ino=1745800 scontext=user_u:system_r:httpd_sys\
_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket


Hopefully third time will be the charm :)
Comment 9 Anthony Messina 2007-04-20 12:07:54 UTC
I do not get the errors in comment #8 when using selinux-policy-2.4.6-57.fc6.

However, I do get some trouble when issuing a "service apcupsd restart".
SELinux is preventing apcupsd (apcupsd_t) "signal" to <Unknown> (apcupsd_t).

avc: denied { signal } for comm="apcupsd" pid=7765
scontext=root:system_r:apcupsd_t:s0 tclass=process
tcontext=root:system_r:apcupsd_t:s0 

also, doing a restart changes the user on /var/lock/LCK.. from system_u to root
and changes the type from apcupsd_lock_t to var_lock_t

attempting a restorecon -v /var/lock/LCK.. alters the file to system_u and
var_lock_t

I do not get any of the above if the apcupsd daemon was started during boot.
It's only when I try to restart the service.

Comment 10 Daniel Walsh 2007-04-20 13:21:15 UTC
Comment #8 seems that your cgi scripts are mislabeled.
ls -lZ /var/www/apcupsd/
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t multimon.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsfstats.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsimage.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsstats.cgi

You can restorecon -R -v /var/www/apcupsd
I will add the signal to the next update.   Not sure what apcupsd is doing with
the lock file.  User changing from system_u <--> root is not that important,
as long as everything is functioning correctly.  If you want to add the signal
policy you can use grep apcupsd /var/log/audit/audit.log | audit2allow -M
myapcupsd and load the policy module.
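
An added example, not part of this bug report or of apcupsd: a small Python triage helper that rejoins the backslash-wrapped AVC records quoted in this thread, parses them, and sorts each denial into the remedy the thread arrived at for that pattern (relabel the CGI scripts per comment 10, the httpd_can_network_connect boolean per comment 13, or the policy update for the apcupsd self-signal). The sample records are constructed from the ones above and the category names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the denials quoted in this bug; the trailing
# backslashes reproduce the tracker's line wrapping of long audit records.
SAMPLE_AUDIT = "\n".join([
    'audit(1177041849.109:19): avc:  denied  { create } for  pid=14986 comm="multimo\\',
    'n.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:\\',
    'httpd_sys_script_t:s0 tclass=tcp_socket',
    'audit(1177041849.109:21): avc:  denied  { name_connect } for  pid=14986 comm="m\\',
    'ultimon.cgi" dest=3551 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=\\',
    'system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket',
    'audit(1177076992.106:41): avc:  denied  { signal } for  pid=29175 comm="apcupsd" scontext=user_u:system_r:apcupsd_t:s0 tcontext=user_u:system_r:apcupsd_t:s0 tclass=process',
])

PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Perms, key=value fields and source/target types of one denial, or None."""
    m = PERM_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip('"')
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated record (soft-wrapped without a backslash)
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Map a denial to the remedy the thread arrived at for that pattern."""
    if rec.get("comm", "").endswith(".cgi") and rec["stype"] == "httpd_sys_script_t":
        # Comment 10: scripts labelled httpd_sys_content_t run in the generic
        # script domain; restorecon -R -v /var/www/apcupsd restores the label.
        if "name_connect" in rec["perms"] and rec["ttype"] == "apcupsd_port_t":
            return "cgi-relabel-or-boolean"  # comment 13: httpd_can_network_connect
        return "cgi-relabel"
    if "signal" in rec["perms"] and rec["stype"] == rec["ttype"] == "apcupsd_t":
        return "policy-gap"  # self-signal on restart, fixed in a later policy build
    return "other"

def triage(text):
    """Count denials per category; rejoins backslash-wrapped lines first."""
    counts = Counter()
    for line in text.replace("\\\n", "").splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return dict(counts)
```

Run `triage(SAMPLE_AUDIT)` to get one count per category; feed it `/var/log/audit/audit.log` content to triage a real excerpt.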


Comment 11 Need Real Name 2007-04-20 15:42:33 UTC
Interesting, I indeed have:
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t multimon.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsfstats.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsimage.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsstats.cgi*

I never touched these files so not sure why they would be mislabeled. Anyway I
reinstalled the packages and the labeling is now correct and the cgi scripts no
longer give errors.

Could the problem be that the selinux policy updates require me to do a
'restorecon -R'? Otherwise, not sure why my labeling was messed up.

My other problems are now resolved, but now I noticed the 'signal' problem too.

audit(1177076992.106:41): avc:  denied  { signal } for  pid=29175 comm="apcupsd"
scontext=user_u:system_r:apcupsd_t:s0 tcontext=user_u:system_r:apcupsd_t:s0 
tclass=process

I have not noticed any lock issues. I have the following selinux ownership (both
before and after restart)
-rw-r--r--  root root user_u:object_r:apcupsd_lock_t   /var/lock/LCK..


Comment 12 Daniel Walsh 2007-08-22 14:12:37 UTC
Fixed in current release

Comment 13 Milan Antonijevic 2007-12-12 18:03:31 UTC
audit(1177041849.109:24): avc:  denied  { send_msg } for  pid=14986 comm="multi\
mon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=\
user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t\
:s0 tclass=tcp_socket

I was looking into this bug (cgi scripts connecting to tcp port in particular),
because I was still having problems, (even after a full update, and restorecon)
and found something similar (bug #244008).

Solution was simple, and worked for me:

setsebool -P httpd_can_network_connect=1

Hope it helps,
Milan

Comment 14 Anthony Messina 2007-12-12 22:33:01 UTC
On F7, I have:
httpd_can_network_connect --> on
but still see this issue occasionally: once each time the cgi is called.

Comment 15 Milan Antonijevic 2007-12-13 07:42:14 UTC
(In reply to comment #14)
> On F7, I have:
> httpd_can_network_connect --> on
> but still see this issue occasionally: once each time the cgi is called.

I think I have a f7 somewhere, so I will check when I find the time.

I tried solving the matter before on my boxes using audit2allow, so I'm not 100%
sure what exact steps led to solving the problem.

As for the multimon.cgi, is it working properly?

Comment 16 Anthony Messina 2007-12-13 11:18:21 UTC
The function of all the cgi files seems to be unaffected -- they work properly 
as far as I can tell. But the socket audit error happens each time the cgi is 
accessed.

Comment 17 Need Real Name 2007-12-18 16:17:52 UTC
Seems to all work for me with the latest policy updates.

Comment 18 Milan Antonijevic 2007-12-20 14:08:02 UTC
Just checked it on an updated F7, which is already a web server.

selinux is Enforcing
httpd_can_network_connect is off. (?!?)

I just installed latest version of apcupsd* from yum repository

[root@station110 apcupsd]# rpm -qa |grep apc
apcupsd-3.14.2-1.fc7
apcupsd-gui-3.14.2-1.fc7
apcupsd-cgi-3.14.2-1.fc7

Configured access in /etc/httpd/conf.d/apcupsd.conf, and everything is working.
It is a network slave to apcupsd, but it still connects through the localhost port.

I am not getting any errors, except from some attempt of apcupsd to send mail:

type=AVC msg=audit(1198154272.689:47): avc:  denied  { read } for  pid=7820
comm="sendmail" name="RsGvfZKe" dev=dm-0 ino=448253
scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1198155495.047:48): avc:  denied  { read } for  pid=7869
comm="sendmail" name="RsCpzK7V" dev=dm-0 ino=448253
scontext=user_u:system_r:system_mail_t:s0
tcontext=user_u:object_r:apcupsd_tmp_t:s0 tclass=file

But that is another issue.

@amessina: which version of apcupsd and policy are you using?

Here is my version of policy:
[root@station110 ~]# rpm -qa | grep selinux-policy
selinux-policy-2.6.4-42.fc7
selinux-policy-targeted-2.6.4-42.fc7
Comment 19 Anthony Messina 2007-12-21 14:30:38 UTC
apcupsd-3.14.2-1.fc7
selinux-policy-targeted-2.6.4-61.fc7

after the update this morning:
Dec 21 08:02:08 Updated: bind-libs - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:13 Updated: policycoreutils - 2.0.16-16.fc7.x86_64
Dec 21 08:02:15 Updated: bind - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:16 Updated: libexif - 0.6.15-3.fc7.x86_64
Dec 21 08:02:17 Updated: policycoreutils-gui - 2.0.16-16.fc7.x86_64
Dec 21 08:02:20 Updated: logwatch - 7.3.4-9.fc7.noarch
Dec 21 08:02:21 Updated: bind-utils - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:21 Updated: caching-nameserver - 31:9.4.2-2.fc7.x86_64

I don't seem to get the socket errors.  I AM using this cgi to monitor more
than just the local machine, using apcupsd's hosts.conf