Bug 626774

Summary: SELinux is preventing /bin/cp "write" access on html.
Product: Fedora
Version: 13
Component: selinux-policy
Reporter: Herman Grootaers <herman>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Hardware: x86_64
OS: Linux
Target Milestone: ---
Target Release: ---
Whiteboard: setroubleshoot_trace_hash:f9edddca3a2b0d7be6181976a23b2f840611594a16d1beedfe477ea7296fedbc
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2010-10-07 12:36:32 UTC

Description Herman Grootaers 2010-08-24 11:45:40 UTC
Summary:

SELinux is preventing /bin/cp "write" access on html.

Detailed Description:

SELinux denied access requested by cp. It is not expected that this access is
required by cp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:munin_etc_t:s0
Target Objects                html [ dir ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.4-8.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Fedora01.grootaers-nl.com
                              2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23
                              17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 24 Aug 2010 12:50:02 PM CEST
Last Seen                     Tue 24 Aug 2010 12:50:02 PM CEST
Local ID                      e99d15ea-6d1a-43e1-9289-521081941cf6
Line Numbers                  

Raw Audit Messages            

node=Fedora01.grootaers-nl.com type=AVC msg=audit(1282647002.38:37162): avc:  denied  { write } for  pid=11410 comm="cp" name="html" dev=sda2 ino=1574566 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_etc_t:s0 tclass=dir

node=Fedora01.grootaers-nl.com type=SYSCALL msg=audit(1282647002.38:37162): arch=c000003e syscall=2 success=no exit=-13 a0=21c1920 a1=c1 a2=1a4 a3=2 items=0 ppid=11409 pid=11410 auid=486 uid=486 gid=472 euid=486 suid=486 fsuid=486 egid=472 sgid=472 fsgid=472 tty=(none) ses=2579 comm="cp" exe="/bin/cp" subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,cp,munin_t,munin_etc_t,dir,write
audit2allow suggests:

#============= munin_t ==============
#!!!! The source type 'munin_t' can write to a 'dir' of the following type:
# munin_log_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t, munin_tmp_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t, munin_tmp_t, root_t

allow munin_t munin_etc_t:dir write;
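
Added example, not part of the bug report or of the selinux-policy project: a small Python parser for the two raw audit records quoted above. It pulls the source and target types, object class and requested permission out of the AVC record, decodes the SYSCALL record (syscall 2 on arch c000003e is open(2) on x86_64, exit=-13 is EACCES, a1=c1 is O_WRONLY|O_CREAT|O_EXCL, a2=1a4 is mode 0644), reproduces the rule audit2allow printed, and, using the list of directory types audit2allow says munin_t can already write to, points out that giving the object one of those types (a relabel, as Comment 4 later does with httpd_munin_content_t) is the narrower fix than widening munin_t with a new allow rule. The function names, the decision helper and the small constant tables are this example's own.

```python
"""Parse the SELinux AVC and SYSCALL audit records quoted in bug 626774.

Added example, not part of the bug report or of selinux-policy. The two
audit lines are copied from the report; MUNIN_WRITABLE_DIR_TYPES comes from
the audit2allow commentary setroubleshoot printed. The helper names and the
constant tables are this example's own.
"""
import re
import shlex

# Raw audit records as quoted in the report (node= prefix included).
AVC_LINE = ('node=Fedora01.grootaers-nl.com type=AVC msg=audit(1282647002.38:37162): '
            'avc:  denied  { write } for  pid=11410 comm="cp" name="html" dev=sda2 '
            'ino=1574566 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:munin_etc_t:s0 tclass=dir')
SYSCALL_LINE = ('node=Fedora01.grootaers-nl.com type=SYSCALL msg=audit(1282647002.38:37162): '
                'arch=c000003e syscall=2 success=no exit=-13 a0=21c1920 a1=c1 a2=1a4 a3=2 '
                'items=0 ppid=11409 pid=11410 auid=486 uid=486 gid=472 euid=486 suid=486 '
                'fsuid=486 egid=472 sgid=472 fsgid=472 tty=(none) ses=2579 comm="cp" '
                'exe="/bin/cp" subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)')

# Directory types munin_t may already write to, per the audit2allow output above.
MUNIN_WRITABLE_DIR_TYPES = {
    "munin_log_t", "var_run_t", "var_log_t", "munin_var_lib_t", "munin_var_run_t",
    "httpd_munin_content_t", "tmp_t", "munin_tmp_t", "root_t",
}

# Small decode tables (Linux x86_64); only what these records need.
X86_64_SYSCALL_NAMES = {2: "open"}
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o200: "O_EXCL",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
ERRNO_NAMES = {1: "EPERM", 13: "EACCES"}


def parse_fields(line):
    """Split an audit record into key=value fields; shlex strips the quotes."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_avc(line):
    """Extract the security-relevant parts of an AVC denial."""
    f = parse_fields(line)
    perms = re.search(r"\{\s*([^}]*?)\s*\}", line).group(1).split()
    return {
        "event_id": re.search(r"audit\(([^)]*)\)", f["msg"]).group(1),
        "comm": f["comm"],
        "name": f.get("name"),
        "perms": perms,
        "source_type": f["scontext"].split(":")[2],   # user:role:type[:range]
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }


def decode_syscall(line):
    """Decode the matching SYSCALL record: which call failed, how, and with what flags."""
    f = parse_fields(line)
    nr = int(f["syscall"])
    name = X86_64_SYSCALL_NAMES.get(nr, str(nr)) if f["arch"] == "c000003e" else str(nr)
    info = {"syscall": name, "exe": f["exe"], "success": f["success"] == "yes",
            "errno": ERRNO_NAMES.get(-int(f["exit"]), f["exit"])}
    if name == "open":
        flags = int(f["a1"], 16)
        info["flags"] = [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
        info["mode"] = oct(int(f["a2"], 16))
    return info


def audit2allow_rule(avc):
    """Reproduce the allow rule audit2allow would print for this denial."""
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perms)


def suggest_fix(avc, writable_types):
    """Prefer relabeling the object over widening the domain.

    If the domain already writes to some types of this class, the object is
    probably mislabeled and should get one of those types; only when no such
    type exists does a policy change become the honest answer.
    """
    if avc["target_type"] in writable_types:
        return {"action": "none", "candidates": []}
    if writable_types:
        return {"action": "relabel", "candidates": sorted(writable_types)}
    return {"action": "policy", "candidates": []}


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    print(avc)
    print(decode_syscall(SYSCALL_LINE))
    print("audit2allow would add:", audit2allow_rule(avc))
    print("suggested fix:", suggest_fix(avc, MUNIN_WRITABLE_DIR_TYPES))
```

The `write` on a `dir` plus `O_CREAT|O_EXCL` in the syscall record says cp was trying to create a new file inside `html`, which is exactly what a domain confined to its own content types should be allowed to do only in directories carrying one of those types; the parser makes that mismatch visible before anyone reaches for the generated allow rule.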

Comment 1 Daniel Walsh 2010-08-24 14:20:51 UTC
Where is the html directory located?  /etc/munin/html?

Looks like it needs a different context.

Comment 2 Herman Grootaers 2010-08-24 14:57:18 UTC
Yes, it is.

I like to set up my system(s) in a secure way so that I know where everything from an application is. Gives me less of a headache when something fails and I do not have to go hunting in my system.

Comment 3 Miroslav Grepl 2010-10-07 11:45:13 UTC
It doesn't look like this is by default. I guess you created /etc/munin/html directory.

I thought the '/var/www/html/munin' directory is used for that by default.

Comment 4 Daniel Walsh 2010-10-07 12:36:32 UTC
# semanage fcontext -a -t httpd_munin_content_t '/etc/munin/html(/.*)?'
# restorecon -R -v /etc/munin 

Should fix your problem.