Bug 737635

Summary: AVC denial when starting luci
Product: Red Hat Enterprise Linux 6 Reporter: Ryan McCabe <rmccabe>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2CC: dwalsh, jpokorny, mmalik, rsteiger, syeghiay
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-112.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:18:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 747120    

Description Ryan McCabe 2011-09-12 18:55:06 UTC 
Description of problem:

type=AVC msg=audit(1315853466.399:32084): avc:  denied  { create } for  pid=28757 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

When trying to create the directory /var/run/luci/sessions/container_file

Setting permissive mode allows proper startup to take place.

Version-Release number of selected component (if applicable):

luci-0.23.0-24.el6.x86_64
python-paste-1.7.4-1.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch
Comment 1 Miroslav Grepl 2011-09-12 19:11:42 UTC 
If you execute

# chcon -R -t piranha_web_var_run_t /var/run/luci

does it work?

Also is this default directory?
Comment 3 Ryan McCabe 2011-09-13 15:39:35 UTC 
(In reply to comment #1)
> If you execute
> 
> # chcon -R -t piranha_web_var_run_t /var/run/luci
> 
> does it work?

Yes, this fixes it.

> 
> Also is this default directory?

This is the directory where session information will always be stored. It's created when luci starts and is removed when it stops.
Comment 4 Miroslav Grepl 2011-09-15 14:27:43 UTC 
What does

# rpm -qf /var/run/luci
Comment 5 Milos Malik 2011-09-15 14:39:59 UTC 
I see this on my virtual machine:
# rpm -qf /var/run/luci
luci-0.23.0-24.el6.i686
#
Comment 6 Daniel Walsh 2011-09-15 15:30:19 UTC 
Looks like something recreated the /var/run/luci directory with out fixing the label?
Comment 7 Ryan McCabe 2011-09-15 20:03:33 UTC 
I just tried again on a clean install with a newly installed luci package, and I get the AVC when I try to connect to the server.

[root@marge ~]# ls -RZ /var/lib/luci/
/var/lib/luci/:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini
Comment 8 Ryan McCabe 2011-09-21 19:36:57 UTC 
*** Bug 740333 has been marked as a duplicate of this bug. ***
Comment 13 Jan Pokorný [poki] 2011-10-04 20:32:33 UTC 
Created attachment 526322 [details]
Patch to solve the issue on luci's side (covers also Radek's case)

Based on Radek's observation, I think this issue is solely a luci's one.
The attached patch is working well for me on RHEL 6.2, tested with both:

selinux-policy-3.7.19-109.el6.noarch
selinux-policy-3.7.19-114.el6.noarch

The fix is based on Daniel's recommendation as per comment 6
(or https://bugzilla.redhat.com/show_bug.cgi?id=740333#c2 in a parallel bug).

Inspecting the initscript and what happens "below luci", in the auxiliary
libraries, I've actually found out that cache and sessions subdirectories
of discussed /var/run/luci do not have to be created in the initscript
as they are created with the correct/desired attributes (incl. SELinux)
on demand by the framework luci uses (specifically, the Beaker library).
Comment 15 Miroslav Grepl 2011-10-05 05:28:19 UTC 
Ok, it will be great to fix it on luci side.

This bug is about adding labeling from the SELinux point of view which was added.
Comment 16 Milos Malik 2011-10-05 10:14:52 UTC 
Seen on 2 machines today:
----
time->Wed Oct  5 06:01:16 2011
type=SYSCALL msg=audit(1317808876.638:117044): arch=c000003e syscall=83 success=no exit=-13 a0=7f517c0ba720 a1=1e8 a2=7f519319adc8 a3=7f51836b3b50 items=0 ppid=1 pid=12844 auid=0 uid=141 gid=141 euid=141 suid=141 fsuid=141 egid=141 sgid=141 fsgid=141 tty=(none) ses=2 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1317808876.638:117044): avc:  denied  { create } for  pid=12844 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----

First machine has:
selinux-policy-3.7.19-113.el6.noarch
selinux-policy-targeted-3.7.19-113.el6.noarch

Second machine has:
selinux-policy-3.7.19-114.el6.noarch
selinux-policy-targeted-3.7.19-114.el6.noarch

I will wait till the updated version of luci is released and then I will retest it again.
Comment 17 Jan Pokorný [poki] 2011-10-05 16:53:41 UTC 
The patch is present as of luci-0.23.0-31.el6.
Comment 18 Milos Malik 2011-10-06 08:05:48 UTC 
When luci-0.23.0-31.el6 is installed I see no AVCs. Tested on -113.el6 and -114.el6 policy.
Comment 20 errata-xmlrpc 2011-12-06 10:18:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html