Bug 737635
| Summary: | AVC denial when starting luci | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ryan McCabe <rmccabe> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, jpokorny, mmalik, rsteiger, syeghiay |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-112.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 10:18:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 747120 | | |
Description
Ryan McCabe
2011-09-12 18:55:06 UTC
If you execute

    # chcon -R -t piranha_web_var_run_t /var/run/luci

does it work? Also, is this the default directory?

(In reply to comment #1)
> If you execute
>
> # chcon -R -t piranha_web_var_run_t /var/run/luci
>
> does it work?

Yes, this fixes it.

> Also, is this the default directory?

This is the directory where session information will always be stored. It's created when luci starts and is removed when it stops.

What does

    # rpm -qf /var/run/luci

I see this on my virtual machine:

    # rpm -qf /var/run/luci
    luci-0.23.0-24.el6.i686
    #

Looks like something recreated the /var/run/luci directory without fixing the label?

I just tried again on a clean install with a newly installed luci package, and I get the AVC when I try to connect to the server.

```
[root@marge ~]# ls -RZ /var/lib/luci/
/var/lib/luci/:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini
```

*** Bug 740333 has been marked as a duplicate of this bug. ***

Created attachment 526322 [details]
Patch to solve the issue on luci's side (covers also Radek's case)

Based on Radek's observation, I think this issue is solely a luci one. The attached patch is working well for me on RHEL 6.2, tested with both:

    selinux-policy-3.7.19-109.el6.noarch
    selinux-policy-3.7.19-114.el6.noarch

The fix is based on Daniel's recommendation as per comment 6 (or https://bugzilla.redhat.com/show_bug.cgi?id=740333#c2 in a parallel bug).
Inspecting the initscript and what happens "below luci", in the auxiliary libraries, I've actually found out that the cache and sessions subdirectories of the discussed /var/run/luci do not have to be created in the initscript, as they are created with the correct/desired attributes (incl. SELinux) on demand by the framework luci uses (specifically, the Beaker library).

Ok, it will be great to fix it on the luci side. This bug is about adding labeling from the SELinux point of view, which was added.

Seen on 2 machines today:

```
----
time->Wed Oct 5 06:01:16 2011
type=SYSCALL msg=audit(1317808876.638:117044): arch=c000003e syscall=83 success=no exit=-13 a0=7f517c0ba720 a1=1e8 a2=7f519319adc8 a3=7f51836b3b50 items=0 ppid=1 pid=12844 auid=0 uid=141 gid=141 euid=141 suid=141 fsuid=141 egid=141 sgid=141 fsgid=141 tty=(none) ses=2 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1317808876.638:117044): avc: denied { create } for pid=12844 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----
```

First machine has:

    selinux-policy-3.7.19-113.el6.noarch
    selinux-policy-targeted-3.7.19-113.el6.noarch

Second machine has:

    selinux-policy-3.7.19-114.el6.noarch
    selinux-policy-targeted-3.7.19-114.el6.noarch

I will wait till the updated version of luci is released and then I will retest it again.

The patch is present as of luci-0.23.0-31.el6.

When luci-0.23.0-31.el6 is installed I see no AVCs. Tested on -113.el6 and -114.el6 policy.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
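The denial quoted in this bug is a labeling problem rather than a missing policy rule: the piranha_web_t domain is denied `create` on a directory carrying the generic var_run_t type instead of its own piranha_web_var_run_t. The following script is an added example, not part of the bug report or of luci or selinux-policy; it parses the AVC record above (embedded as a constructed sample) and flags the mismatch between the source domain's expected /var/run type and the type actually found on the target. The EXPECTED_RUN_TYPE mapping is an assumption built only from the two contexts named in this bug.

```python
import re

# Constructed sample input: the two audit records quoted in this bug, one per
# line (the SYSCALL record is abbreviated; the AVC record carries the denial).
SAMPLE_AUDIT = (
    'type=SYSCALL msg=audit(1317808876.638:117044): arch=c000003e syscall=83 '
    'success=no exit=-13 comm="paster" subj=unconfined_u:system_r:piranha_web_t:s0\n'
    'type=AVC msg=audit(1317808876.638:117044): avc: denied { create } for pid=12844 '
    'comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir\n'
)

# Assumed mapping: object type a confined domain expects for its own files under
# /var/run. piranha_web_t -> piranha_web_var_run_t is the pairing from this bug;
# the generic var_run_t seen in the denial is the sign of a missing label.
EXPECTED_RUN_TYPE = {"piranha_web_t": "piranha_web_var_run_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one type=AVC record into its key=value fields plus "perms";
    return None for any other record type (e.g. SYSCALL)."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]

def mislabel_hint(denial):
    """Return (expected_type, actual_type) when the target carries the generic
    var_run_t type although the source domain has a dedicated one, else None."""
    src = selinux_type(denial["scontext"])
    tgt = selinux_type(denial["tcontext"])
    expected = EXPECTED_RUN_TYPE.get(src)
    if expected and tgt == "var_run_t":
        return expected, tgt
    return None

def analyse(audit_text):
    """Pair every AVC record in the text with a relabel hint (or None)."""
    denials = [d for d in map(parse_avc, audit_text.splitlines()) if d]
    return [(d, mislabel_hint(d)) for d in denials]
```

A hint of `("piranha_web_var_run_t", "var_run_t")` points at the fix discussed in the thread: relabel the directory (the `chcon -R -t piranha_web_var_run_t /var/run/luci` from comment 1) or let the framework create it with the right context, rather than adding an allow rule for var_run_t.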