Bug 701140

Summary: mirrormanager selinux denials on socket /var/run/mirrormanager/mirrorlist_server.sock
Product: [Fedora] Fedora
Reporter: Matt Domsch <matt_domsch>
Component: mirrormanager
Assignee: Matt Domsch <matt_domsch>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh, jonstanley, matt_domsch
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-07 17:02:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Matt Domsch 2011-05-01 14:31:32 UTC
Description of problem:
MM 1.3.x or 1.4.x (development) throws an SELinux denial when the apache wsgi process mirrorlist_client.wsgi tries to open the mirrorlist_server.py socket /var/run/mirrormanager/mirrorlist_server.sock.

Version-Release number of selected component (if applicable):
MM 1.3.8 or 1.4 branch in git

How reproducible:
easy

Steps to Reproduce:
1. install mirrormanager
2. start apache
3. connect to http://localhost/mirrorlist?repo=fedora-14&arch=i386
  
Actual results:
apache returns error 500 to the user.  An SELinux denial has prevented the apache wsgi process from connecting to the socket to get the mirrorlist.

Expected results:
success

Additional info:

Comment 1 Matt Domsch 2011-05-01 14:31:55 UTC
Dan, I need help understanding the best way to implement this in mirrormanager upstream, please.

Comment 2 Matt Domsch 2011-05-02 03:26:46 UTC
Here are the actual AVCs.  In addition to the opening of and writing to mirrorlist_server.sock, the main mirrormanager.wsgi web UI application running under apache needs to be able to connect to its database (in this case, postgresql, but could be mysql or other).


type=AVC msg=audit(1303925847.010:89): avc:  denied  { name_connect } for  pid=10743 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1303925847.010:89): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f010d981250 a2=10 a3=7f01147cca94 items=0 ppid=10717 pid=10743 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1303925958.442:90): bool=httpd_can_network_connect_db val=1 old_val=0 auid=500 ses=1
type=AVC msg=audit(1303944152.031:235): avc:  denied  { write } for  pid=16215 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944152.031:235): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f99291d22e0 a2=2f a3=1 items=0 ppid=16188 pid=16215 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944154.063:236): avc:  denied  { write } for  pid=16319 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944154.063:236): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7f991e9bd2e0 a2=2f a3=0 items=0 ppid=16188 pid=16319 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944171.381:237): avc:  denied  { write } for  pid=16289 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944171.381:237): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f99269cd2e0 a2=2f a3=1 items=0 ppid=16188 pid=16289 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944571.587:239): avc:  denied  { connectto } for  pid=16232 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1303944571.587:239): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f99299d32e0 a2=2f a3=1 items=0 ppid=16188 pid=16232 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944613.515:240): avc:  denied  { connectto } for  pid=16553 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1303944613.515:240): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f25faed92e0 a2=2f a3=1 items=0 ppid=16527 pid=16553 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Comment 3 Daniel Walsh 2011-05-02 14:40:50 UTC
First turn on the httpd_can_network_connect_db boolean.

setsebool -P httpd_can_network_connect_db 1
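
The AVC records in Comment 2 fall into three distinct denial tuples, and only the first of them is covered by the boolean Comment 3 turns on. The following is an added example (not part of the bug report or of mirrormanager) that parses such audit records, groups them by (source type, target type, object class, permission), and maps each group to a remediation hint. The sample input is the AVC lines quoted above, with the SYSCALL records left out. The classification rules are this example's own heuristics: the boolean mapping is the one the bug itself confirms, the `httpd_var_run_t` relabel assumes the socket directory `/var/run/mirrormanager` from the bug and relies on the reference policy allowing `httpd_t` to manage sock_files of that type, and the `connectto` case only notes that the listening side runs `unconfined_t`.

```python
"""Summarise SELinux AVC denials (like those in Comment 2) into remediation hints."""
import re

# Constructed sample: the AVC records quoted in Comment 2 (SYSCALL records omitted; the
# MAC_CONFIG_CHANGE record is kept to show that non-AVC records are ignored).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1303925847.010:89): avc:  denied  { name_connect } for  pid=10743 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=MAC_CONFIG_CHANGE msg=audit(1303925958.442:90): bool=httpd_can_network_connect_db val=1 old_val=0 auid=500 ses=1
type=AVC msg=audit(1303944152.031:235): avc:  denied  { write } for  pid=16215 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303944154.063:236): avc:  denied  { write } for  pid=16319 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303944571.587:239): avc:  denied  { connectto } for  pid=16232 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; policy rules key on the type component.
    return {
        "perms": m.group("perms").split(),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # What was touched: a port number, a socket file name, or a socket path.
        "object": fields.get("path") or fields.get("name") or fields.get("dest"),
        "pid": int(fields["pid"]),
    }


def summarize(audit_text):
    """Group denials by (source, target, class, perm); value is the list of pids seen."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source"], rec["target"], rec["tclass"], perm)
            groups.setdefault(key, []).append(rec["pid"])
    return groups


# The one boolean this bug confirms (the MAC_CONFIG_CHANGE record and Comment 3).
# Other port types need a lookup (`getsebool -a | grep httpd`, `sesearch`), not a guess.
KNOWN_BOOLEANS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect_db",
}


def suggest(key, socket_dir="/var/run/mirrormanager"):
    """Classify a denial tuple as boolean / relabel / policy with a concrete next step.

    socket_dir is an assumed default taken from the socket path in the bug."""
    source, target, tclass, perm = key
    if key in KNOWN_BOOLEANS:
        return ("boolean", "setsebool -P %s 1" % KNOWN_BOOLEANS[key])
    if source == "httpd_t" and tclass == "sock_file" and target == "var_run_t":
        # The socket carries the generic var_run_t label because its directory has no file
        # context rule; httpd_t may manage sock_files labelled httpd_var_run_t (assumption
        # about the reference policy, see lead-in).
        return ("relabel",
                "semanage fcontext -a -t httpd_var_run_t '%s(/.*)?' && restorecon -Rv %s"
                % (socket_dir, socket_dir))
    if tclass == "unix_stream_socket" and perm == "connectto" and target == "unconfined_t":
        # The listening process runs unconfined; a rule letting httpd_t connect to any
        # unconfined_t socket would be far broader than this one service.
        return ("policy", "run the socket server in its own confined domain, not unconfined_t")
    return ("policy", "no boolean or label fix known; inspect with audit2allow -w")


def report(audit_text):
    """Return one (key, count, kind, action) row per distinct denial tuple."""
    rows = []
    for key, pids in sorted(summarize(audit_text).items()):
        kind, action = suggest(key)
        rows.append((key, len(pids), kind, action))
    return rows


if __name__ == "__main__":
    for key, count, kind, action in report(SAMPLE_AUDIT):
        print("%-8s x%d %s -> %s" % (kind, count, " ".join(key), action))
```

Run against the sample it prints three rows: the postgresql port denial (boolean), the two sock_file writes (relabel), and the connectto denial (policy). The point of grouping by tuple rather than reading records one by one is that repeated records such as the three sock_file writes collapse to one fix, and the remaining `connectto` line makes clear that a boolean plus a relabel still leaves the unconfined server as the outstanding problem.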

Comment 4 Fedora End Of Life 2012-08-07 17:02:07 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping