Bug 729549

Summary: Adding systemd support to mod_ssl is causing AVC denials
Product: [Fedora] Fedora
Reporter: Jan Kaluža <jkaluza>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dominick.grift, dwalsh, mgrepl, tom
Doc Type: Bug Fix
Last Closed: 2011-09-13 10:09:29 UTC
Bug Blocks: 707917
Attachments: audit log (flags: none)

Description Jan Kaluža 2011-08-10 06:30:35 UTC
Description of problem:
I've just committed support for systemd into mod_ssl (see Bug #707917). When started, httpd now executes /usr/libexec/httpd-ssl-pass-dialog if SSL certificates are encrypted to get the password.

I would like to have this behaviour added in selinux-policy in rawhide.

Actual results:
I'm attaching messages that are generated after applying this change in F15 (I don't have any rawhide machine just now. I hope it's not a problem, because I presume it should be the same in rawhide).

Comment 1 Jan Kaluža 2011-08-10 06:31:21 UTC
Created attachment 517522 [details]
audit log

Comment 2 Daniel Walsh 2011-08-11 20:32:03 UTC
Well, first off, how was /etc/localtime created? It has the wrong label on it.

restorecon /etc/localtime

When httpd starts it executes /usr/libexec/http-ssl-pass-dialog?

I think we need to add policy to this application, and should not add policy for all of httpd_t.

Comment 4 Tom Hughes 2011-08-11 23:03:49 UTC
Yes, httpd will execute that script when mod_ssl needs to prompt for a password to unlock a private key.

Traditionally httpd has simply prompted on the console for the password, but with systemd that no longer works as it won't have a terminal to prompt on.

So the default configuration has been changed so it runs that script when it needs a password, and that script runs /bin/systemd-ask-password which does the necessary magic to prompt the user for a password in an appropriate way.
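The confined-helper approach from Comment 2 (policy for the dialog program itself rather than for all of httpd_t), sketched as an added illustrative refpolicy module; this is not the policy that was committed to rawhide, and the domain/type names httpd_passwd_t and httpd_passwd_exec_t as well as the exact rule set are assumptions to be refined against the AVC denials in the attached audit log.

```selinux
# --- httpd_passwd.te (illustrative, not the shipped Fedora policy) ---
policy_module(httpd_passwd, 1.0)

########################################
# Declarations
########################################

# Separate domain for /usr/libexec/httpd-ssl-pass-dialog so that the
# privileges needed to reach systemd-ask-password never land in httpd_t.
type httpd_passwd_t;
type httpd_passwd_exec_t;
domain_type(httpd_passwd_t)
domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
role system_r types httpd_passwd_t;

########################################
# Local policy
########################################

gen_require(`
    type httpd_t;
')

# httpd_t may execute the helper; execution transitions into httpd_passwd_t.
domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)

# The helper talks back to httpd over the pipes it inherited.
allow httpd_passwd_t httpd_t:fd use;
allow httpd_passwd_t httpd_t:fifo_file rw_fifo_file_perms;
allow httpd_passwd_t self:fifo_file rw_fifo_file_perms;
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;

# Run /bin/systemd-ask-password (bin_t) and read the usual system files;
# miscfiles_read_localization covers /etc/localtime once it is relabelled
# with restorecon as noted in Comment 2.
corecmd_exec_bin(httpd_passwd_t)
files_read_etc_files(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)
dev_read_urand(httpd_passwd_t)

# --- httpd_passwd.fc (labels the helper so the transition fires) ---
/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
```

Remaining denials after loading the module and relabelling the helper show up with `ausearch -m avc -c httpd-ssl-pass-` and should be added to httpd_passwd_t, not to httpd_t.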

Comment 5 Jan Kaluža 2011-09-13 09:19:42 UTC
I know the fix for this is already in rawhide. Would it be possible to include it also in F16? I would like to include my mod_ssl change in F16.

Comment 6 Miroslav Grepl 2011-09-13 10:09:29 UTC
Should be there also because we have Rawhide == F16.