| Summary: | SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stefan Hellermann <bugzilla.redhat.com> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:3ab526b424aced9b5ea70f41761146f0c848164c041feccd326c5f9169d94f22 | ||
| Fixed In Version: | selinux-policy-3.10.0-56.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-11-21 00:00:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
the first error for the directory /var/lib/collectd/:
SELinux is preventing /usr/bin/perl from read access on the directory collectd.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that perl should be allowed read access on the collectd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Quellkontext system_u:system_r:httpd_collectd_script_t:s0
Zielkontext system_u:object_r:collectd_var_lib_t:s0
Zielobjekte collectd [ dir ]
Quelle index.cgi
Quellpfad /usr/bin/perl
Port <Unbekannt>
Host hel-stefan.lan
RPM-Pakete der Quelle perl-5.14.1-188.fc16
RPM-Pakete des Ziels
Richtlinien-RPM selinux-policy-3.10.0-51.fc16
SELinux aktiviert True
Richtlinientyp targeted
Enforcing-Modus Permissive
Rechnername hel-stefan.lan
Plattform Linux hel-stefan.lan 3.1.0-7.fc16.i686.PAE #1 SMP
Tue Nov 1 20:53:45 UTC 2011 i686 i686
Anzahl der Alarme 2
Zuerst gesehen Di 08 Nov 2011 21:35:18 CET
Zuletzt gesehen Di 08 Nov 2011 21:35:22 CET
Lokale ID 99937e2f-cc79-4fcb-8c92-880dd1425247
Raw-Audit-Meldungen
type=AVC msg=audit(1320784522.284:500): avc: denied { read } for pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1320784522.284:500): avc: denied { open } for pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1320784522.284:500): arch=i386 syscall=openat success=yes exit=ESRCH a0=ffffff9c a1=8595170 a2=98800 a3=0 items=0 ppid=14000 pid=16804 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)
Hash: index.cgi,httpd_collectd_script_t,collectd_var_lib_t,dir,read
audit2allow
#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t collectd_var_lib_t:dir { read open };
audit2allow -R
#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t collectd_var_lib_t:dir { read open };
Fixed in selinux-policy-3.10.0-56.fc16 selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16 Package selinux-policy-3.10.0-56.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16 then log in and leave karma (feedback). There are more selinux errors, reported in #755055 selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |
libreport version: 2.0.6 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-7.fc16.i686.PAE reason: SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd. time: Tue Nov 8 21:41:26 2011 description: :The package collectd-web tries to open files from /var/lib/collectd/ but fails. :It should be allowed to read the files : :-- : :SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that perl should be allowed read access on the cpu-idle.rrd file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep graph.cgi /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:httpd_collectd_script_t:s0 :Target Context system_u:object_r:collectd_var_lib_t:s0 :Target Objects cpu-idle.rrd [ file ] :Source graph.cgi :Source Path /usr/bin/perl :Port <Unbekannt> :Host (removed) :Source RPM Packages perl-5.14.1-188.fc16 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-51.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.1.0-7.fc16.i686.PAE #1 SMP : Tue Nov 1 20:53:45 UTC 2011 i686 i686 :Alert Count 1 :First Seen Di 08 Nov 2011 21:35:22 CET :Last Seen Di 08 Nov 2011 21:35:22 CET :Local ID 7597b145-f508-4cd6-9acf-088fa1450a21 : :Raw Audit Messages :type=AVC msg=audit(1320784522.670:503): avc: denied { read } for pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file : : :type=AVC msg=audit(1320784522.670:503): avc: denied { open } for pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file : : :type=SYSCALL msg=audit(1320784522.670:503): arch=i386 syscall=open success=yes exit=ESRCH a0=8d6a618 a1=0 a2=1b6 a3=0 items=0 ppid=13997 pid=16809 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=graph.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null) : :Hash: graph.cgi,httpd_collectd_script_t,collectd_var_lib_t,file,read : :audit2allow : :#============= httpd_collectd_script_t ============== :allow httpd_collectd_script_t collectd_var_lib_t:file { read open }; : :audit2allow -R : :#============= httpd_collectd_script_t ============== :allow httpd_collectd_script_t collectd_var_lib_t:file { read open }; :