Bug 725549

Summary: luci will not start due to SELinux in default (enforcing) mode [F14]
Product: [Fedora] Fedora Reporter: Jan Pokorný [poki] <jpokorny>
Component: luciAssignee: Jan Pokorný [poki] <jpokorny>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 14CC: cfeist, fdinitto, rmccabe
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: luci-0.25.0-1.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 725553 (view as bug list) Environment:
Last Closed: 2011-09-22 19:08:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 725553    

Description Jan Pokorný [poki] 2011-07-25 20:15:28 UTC 
Description of problem:
See summary + details (grep'd /var/log/audit/audit.log):

type=AVC msg=audit(1311599593.375:42): avc:  denied  { dac_override } for  pid=2239 comm="paster" capability=1  scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:system_r:piranha_web_t:s0 tclass=capability
type=SYSCALL msg=audit(1311599593.375:42): arch=c000003e syscall=2 success=no exit=-13 a0=25a6810 a1=241 a2=1b6 a3=0 items=0 ppid=2214 pid=2239 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)

Version-Release number of selected component (if applicable):
luci-0.24.0-2.fc14.x86_64

Steps to Reproduce:
0. (luci not installed, tested with fresh installation)
1. # yum install luci
2. # service luci start
  
Actual results:
Unable to create the luci base configuration file (`/var/lib/luci/etc/luci.ini').
Start luci...                                              [FAILED]

Expected results:
Luci will start, regardless SELinux mode.
Comment 1 Jan Pokorný [poki] 2011-07-25 20:45:21 UTC 
This should be fixed in http://git.fedorahosted.org/git/?p=luci.git;a=commit;h=a94f0fb84c12532edc373c3b878b3ef8ebea62c3

The fix came along with solving bug #632536.

Note: Python binary path is hard-coded, but this should be sufficient by now.
Comment 2 Jan Pokorný [poki] 2011-07-26 17:16:21 UTC 
It should be explicitly mentioned that stated commit completes the changes made in http://git.fedorahosted.org/git/?p=luci.git;a=commit;h=73f6bf3334e3c95ee4599ebebc4e4404aa04b780 (or "s/fixed in/fixed as of/" in previous comment)
Comment 3 Jan Pokorný [poki] 2011-07-26 17:41:51 UTC 
Additional info (if "SELinux vs. luci" case ever needs further investigation):

# rpm -q selinux-policy
selinux-policy-3.9.7-42.fc14.noarch

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted


And—under the line—another note which becomes interesting when
compared to the situation with Fedora 15
(https://bugzilla.redhat.com/show_bug.cgi?id=725553#c3):
> in order to start luci successfully, *all* "/usr/bin/paster" occurrences
> have to be preceded by "/usr/bin/python" (whether with -Es switch or not,
> see bug #632536), despite the fact that paster's shebang means (as far
> as I can say) the same