Bug 788601

Summary: AVC denied for httpd_t on zarafa_var_lib_t if it's lnk_file
Product: Red Hat Enterprise Linux 6 Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: dwalsh, jrieden, mmalik, robert.scheck
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-149.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:31:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2012-02-08 15:05:23 UTC 
Description of problem:
AVC denied for httpd_t on zarafa_var_lib_t if it's lnk_file, which should
be allowed to support Zarafa + DRBD + drbdlinks proper, which makes sense
as session data should be on a DRBD device otherwise a server switch will
logout users etc.

type=AVC msg=audit(1328713034.274:57): avc:  denied  { read } for  pid=3651 comm="httpd" name="zarafa-webaccess" dev=vda1 ino=130674 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1328713034.274:57): arch=c000003e syscall=4 success=no exit=-13 a0=7f1f89982620 a1=7fff3207fc10 a2=7fff3207fc10 a3=7f1f899826e0 items=0 ppid=3648 pid=3651 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1328713034.274:58): avc:  denied  { read } for  pid=3651 comm="httpd" name="zarafa-webaccess" dev=vda1 ino=130674 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1328713034.274:58): arch=c000003e syscall=83 success=no exit=-13 a0=7f1f89982620 a1=1ff a2=8 a3=7f1f899826e0 items=0 ppid=3648 pid=3651 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1328713034.274:59): avc:  denied  { read } for  pid=3651 comm="httpd" name="zarafa-webaccess" dev=vda1 ino=130674 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_var_lib_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1328713034.274:59): arch=c000003e syscall=4 success=no exit=-13 a0=7f1f89982620 a1=7fff3207fc10 a2=7fff3207fc10 a3=7f1f899826e0 items=0 ppid=3648 pid=3651 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4.noarch
selinux-policy-targeted-3.7.19-126.el6_2.4.noarch

How reproducible:
Everytime, install Zarafa and configure DRBD with drbdlinks and symlinks for
/var/lib/zarafa-webaccess/tmp.

Actual results:
AVC denied for httpd_t on zarafa_var_lib_t if it's lnk_file

Expected results:
No AVC denied.
Comment 2 Miroslav Grepl 2012-02-09 08:46:59 UTC 
Fixed in Fedora. Backporting to RHEL6.3.
Comment 3 Robert Scheck 2012-02-17 14:26:16 UTC 
Can you also please add "getattr", not only "read" - if not already done?
Comment 4 Daniel Walsh 2012-02-17 14:30:19 UTC 
We give both together.
Comment 5 Miroslav Grepl 2012-02-20 15:22:10 UTC 
Fixed in selinux-policy-3.7.19-137.el6

You can download pre-release from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Comment 8 Milos Malik 2012-03-30 13:15:30 UTC 
Could you also fix the following problem ?

# run_init service zarafa-indexer status
Authenticating root.
Password: 
zarafa-indexer is stopped
# restorecon -Rv /var
# run_init service zarafa-indexer start
Authenticating root.
Password: 
Starting zarafa-indexer:                                   [  OK  ]
# restorecon -Rv /var
restorecon reset /var/run/zarafa-indexer context system_u:object_r:zarafa_indexer_var_run_t:s0->system_u:object_r:var_run_t:s0
# ls -Z /var/run/zarafa-indexer*
srw-rw-rw-. root root system_u:object_r:var_run_t:s0   /var/run/zarafa-indexer
-rw-r--r--. root root system_u:object_r:zarafa_indexer_var_run_t:s0 /var/run/zarafa-indexer.pid
#

The file is not a regular file but it's a socket.

# grep zarafa-indexer /etc/selinux/targeted/contexts/files/file_contexts
/usr/bin/zarafa-indexer	--	system_u:object_r:zarafa_indexer_exec_t:s0
/var/run/zarafa-indexer	--	system_u:object_r:zarafa_indexer_var_run_t:s0
#
Comment 9 Miroslav Grepl 2012-04-02 10:12:02 UTC 
Ye, I am fixing it.
Comment 14 errata-xmlrpc 2012-06-20 12:31:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html