Bug 715115

Summary: SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/httpd/modules.
Product: [Fedora] Fedora Reporter: mdeggers
Component: abrtAssignee: Jiri Moskovcak <jmoskovc>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: anton, dfediuck, dominick.grift, dvlasenk, dwalsh, iprikryl, jmoskovc, kklic, mgrepl, mtoman, npajkovs
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:cccc0881077c18ec17b74a16d6c01b8695439d14e43572e0a238c4c8ca7de2d5
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-10 13:39:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description mdeggers 2011-06-21 21:50:19 UTC 
SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/httpd/modules.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that eu-unstrip should be allowed read access on the modules directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep eu-unstrip /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_modules_t:s0
Target Objects                /usr/lib/httpd/modules [ dir ]
Source                        eu-unstrip
Source Path                   /usr/bin/eu-unstrip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           elfutils-0.152-1.fc15
Target RPM Packages           httpd-2.2.17-10.fc15.1
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.8-32.fc15.i686
                              #1 SMP Mon Jun 13 20:01:50 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Tue 21 Jun 2011 02:33:35 PM PDT
Last Seen                     Tue 21 Jun 2011 02:33:35 PM PDT
Local ID                      6e1ee6e9-285a-4d02-b706-3c2ead69fbf7

Raw Audit Messages
type=AVC msg=audit(1308692015.434:724): avc:  denied  { read } for  pid=23709 comm="eu-unstrip" name="modules" dev=dm-0 ino=5767226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir


type=SYSCALL msg=audit(1308692015.434:724): arch=i386 syscall=open success=yes exit=EMFILE a0=903a2c0 a1=8000 a2=0 a3=bf9c84c0 items=0 ppid=23706 pid=23709 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash: eu-unstrip,abrt_t,httpd_modules_t,dir,read

audit2allow

#============= abrt_t ==============
allow abrt_t httpd_modules_t:dir read;

audit2allow -R

#============= abrt_t ==============
allow abrt_t httpd_modules_t:dir read;

I ran into this when I built a new Apache module (mod_jk) from source.

The steps to reproduce this are as follows:

1. Download tomcat-connectors-1.2.31-src from tomcat.apache.org
2. Unpack
3. cd to tomcat-connectors-1.2.31-src/native
4. configure with --with-apxs=/usr/sbin/apxs --with-java-home=/usr/java
(using Oracle's 1.6.0_26)
5. Install by copying (as root) to /etc/httpd/modules (bad model, I know)
6. Execute systemctl restart httpd.service

ls -Z shows that all modules have the same SELinux info:

-rwxr-xr-x. root root system_u:object_r:httpd_modules_t:s0 mod_jk.so
Comment 1 Daniel Walsh 2011-06-22 14:56:36 UTC 
Any idea why eu-unstrip is listing the contents of /etc/httpd/modules?
Comment 2 Nikola Pajkovsky 2011-06-22 15:19:31 UTC 
Looks to me that module fails and abrt tries to strip out debuginfo hash from .so
Comment 3 mdeggers 2011-06-22 16:32:45 UTC 
I just rebuilt and re-installed the module. My test web application (simple cluster application with three Tomcats) works as expected. Clustering works as expected.

I did see some unexpected segmentation faults from a few days ago, but nothing that directly relates to the installation. I imagine that this was possibly due to an Apache upgrade during preupgrade and I didn't rebuild this module.

I made a poor choice of policy names when I added the policy (httpdpol), but it doesn't seem to have created a name collision. Unloading it and rerunning the application doesn't raise an alert.

I think I'm going to chalk this up to bad install practice, although I don't see any difference in what was added to /usr/lib/httpd/modules by running make install.

I apologize for what appears to be a false alarm. Please close the bug.
Comment 4 Daniel Walsh 2011-06-22 18:23:21 UTC 
Miroslav I updated rawhide to allow this

cc6210ebfd15b3d3b480c7dc28744ed9bf0186b3

I think we should back port this to RHEL6 and F14, F15