| Summary: | SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /var/lib/net-snmp. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Alexander Todorov <atodorov> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.0 | CC: | dwalsh, mgrepl | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-02-24 09:52:40 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
What is your version of selinux-policy? So you are seeing
allow httpd_t snmpd_var_lib_t:dir { write create add_name };
Could you add raw audit msgs from /var/log/audit/audit.log.
Do you use a snmp apache module?
(In reply to comment #1) > What is your version of selinux-policy? So you are seeing > See the attached XML file for full information. selinux-policy-3.7.19-54.el6_0.3.noarch > allow httpd_t snmpd_var_lib_t:dir { write create add_name }; > > Could you add raw audit msgs from /var/log/audit/audit.log. > type=AVC msg=audit(1298402602.297:29718): avc: denied { write } for pid=8840 comm="httpd" name="net-snmp" dev=dm-2 ino=414212 scontext=unconfined_u:system_r:httpd_t:s0 t context=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1298402602.297:29718): avc: denied { add_name } for pid=8840 comm="httpd" name="mib_indexes" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system _u:object_r:snmpd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1298402602.297:29718): avc: denied { create } for pid=8840 comm="httpd" name="mib_indexes" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfin ed_u:object_r:snmpd_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1298402602.297:29718): arch=40000003 syscall=39 success=yes exit=0 a0=bfadcc1c a1=1c0 a2=16a7cd8 a3=0 items=0 ppid=1 pid=8840 auid=500 uid=0 gid=0 eu id=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1298402602.299:29719): avc: denied { write } for pid=8840 comm="httpd" name="mib_indexes" dev=dm-2 ino=454221 scontext=unconfined_u:system_r:httpd_t:s 0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1298402602.299:29719): avc: denied { add_name } for pid=8840 comm="httpd" name="0" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:obj ect_r:snmpd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1298402602.299:29719): avc: denied { create } for pid=8840 comm="httpd" name="0" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:objec t_r:snmpd_var_lib_t:s0 tclass=file > Do you use a snmp apache module? I don't think so. There's no sign of this module in my httpd.conf and I don't r remember installing it. Here are all related snmp packages installed on the system: $ rpm -qa | grep snmp php-snmp-5.3.2-6.el6_0.1.i686 net-snmp-5.5-27.el6_0.1.i686 net-snmp-devel-5.5-27.el6_0.1.i686 net-snmp-libs-5.5-27.el6_0.1.i686 Are you seeing this issue in enforcing mode? We have some dontaudit rules for this. I haven't seen this before and I've switched to Permissive mode just recently. Any reason why you switched to permissive mode? Do you have any other problem? You will not see these in enforcing so I think we can close this bug. I think also. (In reply to comment #5) > Any reason why you switched to permissive mode? I was testing some 3rd party software which doesn't work with SELinux in enforcing mode. > Do you have any other problem? Nope. Just reported the bug because it poped up in SELinux troubleshooter. Please report the 3rd party tool and we can work on making it work with SELinux in enforcing mode. |
Created attachment 480222 [details] description generated by SELinux troubleshooter Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the httpd access to potentially mislabeled files /var/lib/net-snmp. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, var_lock_t, squirrelmail_spool_t, tmp_t, var_t, httpd_log_t, tmpfs_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, var_lib_t, var_run_t, httpd_squirrelmail_t, var_log_t, mnt_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_sys_content_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, root_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.