|Summary:||Adding systemd support to mod_ssl is causing AVC denials|
|Product:||[Fedora] Fedora||Reporter:||Jan Kaluža <jkaluza>|
|Component:||selinux-policy||Assignee:||Miroslav Grepl <mgrepl>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||dominick.grift, dwalsh, mgrepl, tom|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2011-09-13 10:09:29 UTC||Type:||---|
Description Jan Kaluža 2011-08-10 06:30:35 UTC
Description of problem:
I've just committed support for systemd into mod_ssl (see Bug #707917). When started, httpd now executes /usr/libexec/httpd-ssl-pass-dialog if SSL certificates are encrypted to get the password. I would like to have this behaviour added in selinux-policy in rawhide.

Actual results:
I'm attaching messages that are generated after applying this change in F15 (I don't have any rawhide machine just now. I hope it's not a problem, because I presume it should be the same in rawhide).
Comment 2 Daniel Walsh 2011-08-11 20:32:03 UTC
Well, first off, how was /etc/localtime created? It has the wrong label on it.

restorecon /etc/localtime

When httpd starts it executes /usr/libexec/http-ssl-pass-dialog? I think we need to add policy to this application, and should not add policy for all of httpd_t.
Comment 4 Tom Hughes 2011-08-11 23:03:49 UTC
Yes, httpd will execute that script when mod_ssl needs to prompt for a password to unlock a private key. Traditionally httpd has simply prompted on the console for the password, but with systemd that no longer works as it won't have a terminal to prompt on. So the default configuration has been changed so it runs that script when it needs a password, and that script runs /bin/systemd-ask-password, which does the necessary magic to prompt the user for a password in an appropriate way.
Comment 5 Jan Kaluža 2011-09-13 09:19:42 UTC
I know the fix for this is already in rawhide. Would it be possible to include it also in F16? I would like to include my mod_ssl change in F16.
Comment 6 Miroslav Grepl 2011-09-13 10:09:29 UTC
Should be there also because we have Rawhide == F16.