Bug 234267
| Summary: | sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Need Real Name <bugzilla> | ||||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||||
| Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6 | ||||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2007-05-17 15:39:59 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
To make this work correctly we would need to define a policy for lm_sensors and a type for sensors.rrd. Then we define a policy httpd_sensors_script_t to read the log file. Created attachment 151562 [details]
Type inforcement file for sensors cgi script
I am attaching a te and fc file which can be used to build a policy module for
the sensors cgi scripts.
Created attachment 151563 [details]
File context file for sensors cgi
I was not sure of the path for the sensors cgi.
If you extract this file (fc and the te file to a directory,)
Verify/fix the path in the sensors.fc file. Then execute the following
commands to build an selinux policy module.
#yum install selinux-policy-devel
#make -f /usr/share/selinux/devel/Makefile
#semodule -i sensors.pp
#restorecon PATHTOCGI
Now you should be able to run the cgi scripts. If other avc messages appear
you can use audit2allow to generate more te rules. Add these to the sensors.te
file, recompile and reload.
|
I have compiled and added the cgi scripts that come in the lm_sensors tarball (but are not included yet in the FC6 standard rpm, though they are included in some other repos like ATrpms). Running the cgi scripts generate the following avc: denied errors avc: denied { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u\ :system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=\ file avc: denied { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=syste\ m_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tcla\ ss=file I can 'fix' it by adding them to my local.avc file but I was wondering whether this should be added more cleanly and generally to the selinux targeted policy. Thanks BTW, am I the only one who actually runs selinux in 'enforcing' mode and thus gets 'hit' by these denials? :)