Bug 684198

Summary: /usr/bin/paster cannot work in /var/lib/luci/etc/ because of SELinux
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, ksrot, mgrac, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-81.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:24:22 UTC

Description Milos Malik 2011-03-11 12:51:26 UTC
Description of problem:
The luci service (which is one of many cluster services executed in the automated test below) starts but something is blocked by SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-78.el6.noarch
selinux-policy-targeted-3.7.19-78.el6.noarch
selinux-policy-doc-3.7.19-78.el6.noarch
selinux-policy-mls-3.7.19-78.el6.noarch
selinux-policy-minimum-3.7.19-78.el6.noarch

How reproducible:
always

Steps to Reproduce:
1) get a RHEL-6.1 machine with active targeted policy
2) log into the machine as root
3) run following commands:
# yum -y install audit cman cmirror corosync fence-agents grep initscripts kmod-cmirror libselinux libselinux-utils luci lvm2-cluster mktemp NetworkManager openais policycoreutils ricci sed selinux-policy selinux-policy-targeted setools setools-console
# yum -y install rh-tests-selinux-policy-Regression-bz271561-corosync-and-similar
# service auditd stop
# service auditd start
# cd /mnt/testarea/tests/selinux-policy/Regression/bz271561-corosync-and-similar
# make run
  
Actual results:
----
time->Fri Mar 11 07:30:15 2011
type=SYSCALL msg=audit(1299846615.180:9890): arch=40000003 syscall=5 success=yes exit=3 a0=890b020 a1=8241 a2=1b6 a3=8cd90f1 items=0 ppid=11574 pid=11595 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="luci.ini" dev=dm-0 ino=919336 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { create } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { add_name } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="etc" dev=dm-0 ino=919381 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Daniel Walsh 2011-03-11 13:14:39 UTC
Looks like the policy allows piranha_web_t to manage all files in /var/lib/luci except for files in /var/lib/luci/etc and /var/lib/luci/cert?

Should the web interface be allowed to edit those also?
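The AVC records quoted in the description, together with the gap comment 1 points out, can be reduced mechanically to the access the policy currently lacks. The block below is an added example, not code from this bug report or from selinux-policy: it parses the four denial lines (a constructed copy of the ones above, plus the SYSCALL line to show it is skipped), aggregates the denied permissions per source type, target type and object class, and renders them as .te allow statements, the same reduction audit2allow performs.

```python
import re
from collections import defaultdict

# Constructed sample: the SYSCALL record and the four AVC denials quoted in this bug.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1299846615.180:9890): arch=40000003 syscall=5 success=yes exit=3 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="luci.ini" dev=dm-0 ino=919336 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { create } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { add_name } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="etc" dev=dm-0 ino=919381 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
"""

# Only type=AVC records carry the decision, the permission set and both contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A context is user:role:type:level; the policy rule is written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def required_rules(log_text):
    """Union the denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

def format_te(rules):
    """Render the aggregated rules as .te allow statements, one per key."""
    return "\n".join(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    )

if __name__ == "__main__":
    print(format_te(required_rules(AUDIT_LOG)))
```

The output states which rules would silence the denials, not whether granting them is the right fix: as comment 1 asks, the alternative is deciding that luci.ini belongs under a label piranha_web_t may already write, which is a labeling change rather than a new allow rule.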

Comment 2 Miroslav Grepl 2011-03-14 08:03:18 UTC
Marek,
is this something new?


Milos,
could you add output of

# ls -lZR /var/lib/luci

Comment 3 Marek Grac 2011-03-14 08:43:33 UTC
@Miroslav:

I believe that those AVCs do not have anything in common with pulse/piranha because they are not installed according to the test case mentioned in comment 1

Comment 4 Karel Srot 2011-03-14 10:33:06 UTC
[root@ibm-ls22-05 ~]# ls -lZR /var/lib/luci
/var/lib/luci:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini

Comment 5 Miroslav Grepl 2011-03-14 11:11:28 UTC
Ok, I am also seeing this issue, and luci.ini is created on the fly while the luci service is starting.

Ryan,
is this something new?


# rpm -ql luci |grep -E "luci\.ini"
/var/lib/luci/etc/luci.ini

Comment 6 Miroslav Grepl 2011-03-17 10:27:53 UTC
Fixed in selinux-policy-3.7.19-79.el6

Comment 10 Miroslav Grepl 2011-04-05 19:09:24 UTC
Fixed in selinux-policy-3.7.19-81.el6

Comment 12 errata-xmlrpc 2011-05-19 12:24:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html