Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 684198

Summary: /usr/bin/paster cannot work in /var/lib/luci/etc/ because of SELinux
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, ksrot, mgrac, mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-81.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 12:24:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2011-03-11 12:51:26 UTC 
Description of problem:
The luci service (which is one of many cluster services executed in the automated test below) starts but something is blocked by SELinux.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-78.el6.noarch
selinux-policy-targeted-3.7.19-78.el6.noarch
selinux-policy-doc-3.7.19-78.el6.noarch
selinux-policy-mls-3.7.19-78.el6.noarch
selinux-policy-minimum-3.7.19-78.el6.noarch

How reproducible:
always

Steps to Reproduce:
1) get a RHEL-6.1 machine with active targeted policy
2) log into the machine as root
3) run following commands:
# yum -y install audit cman cmirror corosync fence-agents grep initscripts kmod-cmirror libselinux libselinux-utils luci lvm2-cluster mktemp NetworkManager openais policycoreutils ricci sed selinux-policy selinux-policy-targeted setools setools-console
# yum -y install rh-tests-selinux-policy-Regression-bz271561-corosync-and-similar
# service auditd stop
# service auditd start
# cd /mnt/testarea/tests/selinux-policy/Regression/bz271561-corosync-and-similar
# make run
  
Actual results:
----
time->Fri Mar 11 07:30:15 2011
type=SYSCALL msg=audit(1299846615.180:9890): arch=40000003 syscall=5 success=yes exit=3 a0=890b020 a1=8241 a2=1b6 a3=8cd90f1 items=0 ppid=11574 pid=11595 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="luci.ini" dev=dm-0 ino=919336 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { create } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:piranha_web_conf_t:s0 tclass=file
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { add_name } for  pid=11595 comm="paster" name="luci.ini" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
type=AVC msg=audit(1299846615.180:9890): avc:  denied  { write } for  pid=11595 comm="paster" name="etc" dev=dm-0 ino=919381 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:piranha_web_conf_t:s0 tclass=dir
----

Expected results:
no AVCs
Comment 1 Daniel Walsh 2011-03-11 13:14:39 UTC 
Looks like the policy allows pirana_web_t to manage all files in /var/lib/luci except for files in /var/lib/luci/etc and /var/lib/luci/cert?

Should the web interface be allowed to edit those also?
Comment 2 Miroslav Grepl 2011-03-14 08:03:18 UTC 
Marek,
is this something new?


Milos,
could you add output of

# ls -lZR /var/lib/luci
Comment 3 Marek Grac 2011-03-14 08:43:33 UTC 
@Miroslav:

I believe that those AVC does not have anything common with pulse/piranha because they are not installed according to test case mentioned in comment 1
Comment 4 Karel Srot 2011-03-14 10:33:06 UTC 
[root@ibm-ls22-05 ~]# ls -lZR /var/lib/luci
/var/lib/luci:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini
Comment 5 Miroslav Grepl 2011-03-14 11:11:28 UTC 
Ok, I am also seeing this issue and luci.ini is created on the fly during starting luci service.

Ryan,
is this something new?


# rpm -ql luci |grep -E "luci\.ini"
/var/lib/luci/etc/luci.ini
Comment 6 Miroslav Grepl 2011-03-17 10:27:53 UTC 
Fixed in selinux-policy-3.7.19-79.el6
Comment 10 Miroslav Grepl 2011-04-05 19:09:24 UTC 
Fixed in selinux-policy-3.7.19-81.el6
Comment 12 errata-xmlrpc 2011-05-19 12:24:22 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html