Bug 672080

Summary: SELinux prevented httpd (/usr/sbin/httpd) remove_name access to LDX.eyepackage.
Product: Fedora
Reporter: ssabchew <ssabcew>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 13
CC: dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:2b2a84500afd70cc802cf381f46a9c245d9d7e21ccb80897d7ff5f54d82acfc0
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-01-24 15:18:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description ssabchew 2011-01-23 19:23:37 UTC
Summary:

SELinux prevented httpd (/usr/sbin/httpd) remove_name access to LDX.eyepackage.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux prevented httpd remove_name access to LDX.eyepackage. httpd scripts are
not allowed to write to content without explicit labeling of all files. If
LDX.eyepackage is writable content, it needs to be labeled
httpd_sys_rw_content_t, or if all you need is append you can label it
httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information
on setting up httpd and selinux.

Allowing Access:

You can alter the file context by executing chcon -R -t httpd_sys_rw_content_t
'LDX.eyepackage'. You must also change the default file context files on the
system in order to preserve them even on a full relabel: "semanage fcontext -a
-t httpd_sys_rw_content_t 'LDX.eyepackage'"

Fix Command:

chcon -R -t httpd_sys_rw_content_t 'LDX.eyepackage'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                LDX.eyepackage [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.17-1.fc13.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-76.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_write_content
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.34.7-66.fc13.x86_64 #1 SMP Wed Dec 15 07:04:30
                              UTC 2010 x86_64 x86_64
Alert Count                   22
First Seen                    Sun 23 Jan 2011 12:37:52 AM EET
Last Seen                     Sun 23 Jan 2011 01:53:20 AM EET
Local ID                      9b8863a3-f3d4-4318-9e8b-dd2d7f4c8ae4
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1295740400.554:963): avc:  denied  { remove_name } for  pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1295740400.554:963): avc:  denied  { rename } for  pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1295740400.554:963): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c04826f48 a1=7f1c04924c80 a2=3 a3=7f1c04943d28 items=0 ppid=15854 pid=1447 auid=500 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from  httpd_write_content,httpd,httpd_t,httpd_sys_content_t,dir,remove_name
audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir remove_name;
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:file rename;
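An added example (not part of this bug report or of setroubleshoot) that turns the raw AVC records above into the labeling decision the report describes: it parses the source/target types and the permission set, applies the rule quoted above (httpd_sys_rw_content_t if any write-type permission was denied on httpd_sys_content_t, httpd_sys_ra_content_t if only append), and emits the persistent semanage fcontext plus restorecon pair instead of a bare chcon. The sample records are copies of the two AVC lines from this report; the /path/to prefix is a placeholder because the report gives only the basename.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the two AVC records quoted in this report.
SAMPLE_AVCS = [
    'node=(removed) type=AVC msg=audit(1295740400.554:963): avc:  denied  { remove_name } for  pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'node=(removed) type=AVC msg=audit(1295740400.554:963): avc:  denied  { rename } for  pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that modify content, versus the single permission that only appends.
WRITE_PERMS = {'write', 'create', 'unlink', 'link', 'rename', 'setattr',
               'add_name', 'remove_name', 'rmdir'}
APPEND_PERMS = {'append'}

def parse_avc(line):
    """Return (result, permission set, fields) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    # A context is user:role:type:level; the type is what policy rules key on.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return m.group(1), set(m.group(2).split()), fields

def recommend_label(lines):
    """Aggregate httpd_t denials on read-only web content, per object name."""
    perms_by_name = defaultdict(set)
    for _, perms, f in filter(None, map(parse_avc, lines)):
        if f['stype'] == 'httpd_t' and f['ttype'] == 'httpd_sys_content_t':
            perms_by_name[f['name']] |= perms
    out = {}
    for name, perms in perms_by_name.items():
        if perms & WRITE_PERMS:
            out[name] = 'httpd_sys_rw_content_t'   # any write-type access
        elif perms <= APPEND_PERMS:
            out[name] = 'httpd_sys_ra_content_t'   # append only
    return out

def fix_commands(path, label):
    """Persistent relabel: record the default context, then apply it."""
    return [f"semanage fcontext -a -t {label} '{path}(/.*)?'",
            f"restorecon -Rv '{path}'"]

for name, label in recommend_label(SAMPLE_AVCS).items():
    print(name, '->', label)
    for cmd in fix_commands(f'/path/to/{name}', label):  # placeholder path
        print('   ', cmd)
```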

Comment 1 Miroslav Grepl 2011-01-24 15:18:34 UTC

*** This bug has been marked as a duplicate of bug 672077 ***