Bug 767195

Summary: SELinux is preventing httpd (namely Trac) from RO access on git files
Product: Red Hat Enterprise Linux 6
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.2
CC: dwalsh, ksrot, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:29:39 UTC
Attachments:
output of ausearch -m AVC -ts 14:45 (when I relabelled /srv)

Description Matěj Cepl 2011-12-13 14:29:33 UTC
Created attachment 546229
output of ausearch -m AVC -ts 14:45 (when I relabelled /srv)

Description of problem:
These are my local modifications

[root@luther ~]# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/srv/trac(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/trac/.*/cgi-bin/.*gi                          all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/srv/trac/.*/plugins/.*\.egg                       all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/srv/trac/.*\.db                                   all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/srv/trac/plugins/.*\.egg                          all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/usr/share/statusnet/.*.php?                       all files          system_u:object_r:httpd_user_script_exec_t:s0 
/usr/share/wordpress/.*\.php$                      all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/var/lib/dspam(/.*)?                               all files          system_u:object_r:httpd_sys_content_rw_t:s0 
/var/www/dav(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

SELinux fcontext Equivalence 

/usr/share/wordpress/wp-content/upgrade(/.*)? = /usr/share/wordpress/wp-content/uploads/
/srv/mysql = /var/lib/mysql
/srv/mysql/mysql.sock = /var/lib/mysql/mysql.sock
/srv/trac/htdocs/ = /var/www/html/
[root@luther ~]# 

and this is the analysis of the log

[root@luther ~]# ausearch -m AVC -ts 14:45 |audit2allow 


#============= httpd_t ==============
allow httpd_t git_system_content_t:dir { read search open getattr };
allow httpd_t git_system_content_t:file { read getattr open };
allow httpd_t httpd_sys_script_exec_t:file write;
[root@luther ~]# 

Not sure about httpd_sys_script_exec_t (not sure what the proper label for .egg files is), but the rest is probably the result of Trac accessing (read-only) git files.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-131.el6.noarch

Comment 2 Matěj Cepl 2011-12-13 16:06:15 UTC
OK, after fixing the issues with *.egg I am down to the additional module, which says

module myTracGit 1.0;

require {
	type httpd_t;
	type git_system_content_t;
	class file { read getattr open };
	class dir { read search open getattr };
}

#============= httpd_t ==============
allow httpd_t git_system_content_t:dir { read search open getattr };
allow httpd_t git_system_content_t:file { read getattr open };

and now Trac seems to work.

Comment 3 Matěj Cepl 2011-12-13 16:06:53 UTC
I am not sure what I want, whether this module should be included as it is, or whether it should be made into a seboolean.

Comment 4 Daniel Walsh 2011-12-13 19:43:54 UTC
You probably should use

git_read_generic_system_content_files(httpd_t)

Comment 5 Daniel Walsh 2011-12-13 19:44:51 UTC
Which we have in F16.
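
As an added example (not from the bug report or from selinux-policy itself): this is how the raw allow rules from comment 2 would be replaced by the interface Daniel suggests in comment 4, packaged as a reference-policy style .te module. It must be built with the selinux-policy-devel Makefile because plain checkmodule cannot expand interface calls; the module name myTracGit comes from comment 2, the shell function names are hypothetical, and the sesearch check at the end assumes the setools package is installed.

```shell
#!/bin/sh
# Added example: wraps the interface suggested in comment 4 in a loadable
# module. Function names are hypothetical; the module name is from comment 2.

# Emit a reference-policy style .te file. The raw "module ...; require { }"
# format that audit2allow prints cannot call interfaces such as
# git_read_generic_system_content_files(), so policy_module()/gen_require()
# are used instead and the file has to be built with the devel Makefile.
gen_trac_git_te() {
    cat <<'EOF'
policy_module(myTracGit, 1.0)

gen_require(`
	type httpd_t;
')

# Read-only access for httpd (Trac) to git_system_content_t dirs and files,
# expressed through the interface instead of hand-written allow rules.
git_read_generic_system_content_files(httpd_t)
EOF
}

# Build and load the module when selinux-policy-devel is installed.
# Returns 0 on success, 2 when the devel Makefile is missing.
build_and_load() {
    dir=$(mktemp -d) || return 1
    gen_trac_git_te > "$dir/myTracGit.te"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; .te left in $dir" >&2
        return 2
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile myTracGit.pp) || return 1
    semodule -i "$dir/myTracGit.pp"
}

# Confirm from the loaded policy that the file and dir rules the AVC denials
# asked for now exist; sesearch prints "allow httpd_t git_system_content_t:file ..."
# when they do, and nothing when they do not.
verify_rules() {
    sesearch -A -s httpd_t -t git_system_content_t -c file | grep -q 'git_system_content_t:file' &&
    sesearch -A -s httpd_t -t git_system_content_t -c dir  | grep -q 'git_system_content_t:dir'
}

# Usage (as root, on a host with selinux-policy-devel): build_and_load && verify_rules
```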

Comment 6 Miroslav Grepl 2011-12-14 11:22:47 UTC
Yes, I need to backport it.

Comment 9 Karel Srot 2012-05-07 14:36:26 UTC
Hi Matej,
could you please test it with a recent selinux-policy version?
Thank you in advance.

Comment 10 Matěj Cepl 2012-05-07 19:07:53 UTC
(In reply to comment #9)
> could you please test it with recent selinux-policy version?

Sorry, I cannot, I am afraid. After some more pieces of miserable experience with Trac, marketed as lightweight (its memory consumption is boundless), I went with Bugzilla, blamed to be overweight, which works like a charm with much less memory consumed and hugely bigger functionality. Never underestimate the smarts of Perl hackers! But no, I won't be installing that beast back on my server just to find out that everything works fine (as I expect it to).

Comment 13 errata-xmlrpc 2012-06-20 12:29:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html