Bug 729549
Summary: | Adding systemd support to mod_ssl is causing AVC denials
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy
Version: | rawhide
Status: | CLOSED RAWHIDE
Severity: | unspecified
Priority: | unspecified
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Jan Kaluža <jkaluza>
Assignee: | Miroslav Grepl <mgrepl>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dominick.grift, dwalsh, mgrepl, tom
Doc Type: | Bug Fix
Last Closed: | 2011-09-13 10:09:29 UTC
Bug Blocks: | 707917

Description
Jan Kaluža
2011-08-10 06:30:35 UTC
Created attachment 517522: audit log

Well, first off, how was /etc/localtime created? It has the wrong label on it.

restorecon /etc/localtime

When httpd starts it executes /usr/libexec/http-ssl-pass-dialog? I think we need to add policy to this application, and should not add policy for all of httpd_t.

Yes, httpd will execute that script when mod_ssl needs to prompt for a password to unlock a private key. Traditionally httpd has simply prompted on the console for the password, but with systemd that no longer works, as it won't have a terminal to prompt on. So the default configuration has been changed so it runs that script when it needs a password, and that script runs /bin/systemd-ask-password, which does the necessary magic to prompt the user for a password in an appropriate way.

I know the fix for this is already in rawhide. Would it be possible to include it also in F16? I would like to include my mod_ssl change in F16.

Should be there also, because we have Rawhide == F16.
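
An added example, not part of this bug or its attachment: a small Python triage of AVC records that separates denials raised by httpd itself from those raised by the password helper while it still runs in httpd_t, which is the distinction behind the suggestion to write policy for the helper rather than for all of httpd_t. The audit records, types and object names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT the audit log attached to this bug); the
# types and object names are illustrative assumptions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1312957835.101:41): avc:  denied  { read } for  pid=1201 comm="httpd" name="localtime" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1312957835.240:42): avc:  denied  { write } for  pid=1207 comm="systemd-ask-pas" name="ask-password" dev=tmpfs ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=AVC msg=audit(1312957835.241:43): avc:  denied  { add_name } for  pid=1207 comm="systemd-ask-pas" name="ask.XXXX" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1312957835.241:43): arch=c000003e syscall=2 success=no exit=-13 comm="systemd-ask-pas"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(audit_text):
    """Group denied permissions by (comm, source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # malformed or non-denial AVC record
        key = (m["comm"], selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in grouped.items()}

def denials_by_process(audit_text):
    """Map each comm to its denials, separating helper activity from httpd's own."""
    per_comm = defaultdict(list)
    for (comm, src, tgt, cls), perms in summarize(audit_text).items():
        per_comm[comm].append((src, tgt, cls, perms))
    return dict(per_comm)

if __name__ == "__main__":
    for comm, rows in denials_by_process(SAMPLE_AUDIT).items():
        for src, tgt, cls, perms in rows:
            print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The kernel truncates `comm` to 15 characters, so the helper appears as `systemd-ask-pas` in the records.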