Bug 807824

Summary: cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
Product: Red Hat Enterprise Linux 6
Reporter: Russell Golden <niveusluna>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-144.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:32:45 UTC
Bug Blocks: 832330

Description Russell Golden 2012-03-28 20:18:04 UTC
Description of problem:

Cherokee from EPEL6 runs as initrc_t instead of httpd_t, which seems to grant it more freedoms.

I noticed this in Fedora around F15 release time, and it got fixed in Fedora, so I don't see why it didn't get fixed in RHEL.

Workaround: relabel the binaries, the /var/lib entries, and /etc/cherokee entries as httpd_<applicable>_t.

Comment 2 Miroslav Grepl 2012-03-29 07:10:21 UTC
Yes, we have Cherokee support in Fedora. Does it work for you correctly with your workaround?

Comment 3 Milos Malik 2012-03-29 08:22:46 UTC
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# run_init service cherokee start
Authenticating root.
Password: 
Starting cherokee:                                         [  OK  ]
# ps -efZ | grep cherokee
system_u:system_r:initrc_t:s0   root     21744     1  0 09:20 ?        00:00:00 /usr/sbin/cherokee -d -C /etc/cherokee/cherokee.conf
system_u:system_r:initrc_t:s0   cherokee 21747 21744  0 09:20 ?        00:00:00 /usr/sbin/cherokee-worker  -C /etc/cherokee/cherokee.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21769 21173  0 09:21 pts/0 00:00:00 grep cherokee
#

Comment 6 Russell Golden 2012-03-29 16:55:47 UTC
It works fine for me with my workaround, yes.

Comment 7 Milos Malik 2012-04-06 06:45:48 UTC
The following AVC appeared during "service cherokee restart":
----
time->Fri Apr  6 08:27:28 2012
type=SYSCALL msg=audit(1333693648.915:3671): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff1e327cb0 a2=ff8c36 a3=7fff1e327a30 items=0 ppid=14265 pid=14267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=206 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333693648.915:3671): avc:  denied  { setrlimit } for  pid=14267 comm="cherokee-worker" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
----

Comment 8 Miroslav Grepl 2012-04-06 06:52:04 UTC
There should be the httpd_setrlimit boolean

Comment 9 Milos Malik 2012-04-06 06:59:54 UTC
You're right. I forgot to enable it.
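
Added example, not part of the bug report: a small POSIX shell check for the two conditions discussed above, a daemon running in initrc_t instead of its confined domain (the description and comment 3) and binaries carrying the wrong file type (the relabel workaround). It assumes the standard `ps -efZ` column layout, `stat -c "%C %n"` for file contexts, and the refpolicy type httpd_exec_t for the cherokee executables; the sample input is constructed, not captured from the bug.

```shell
#!/bin/sh
# Added example; assumes ps -efZ columns (LABEL UID PID PPID C STIME TTY TIME CMD).

# Read `ps -efZ` output on stdin; print "PID DOMAIN CMD" for every process
# whose command matches $1 but whose SELinux domain is not $2.
# A daemon left in initrc_t runs with the init script's broad permissions
# instead of the confined httpd_t domain, which is what the report describes.
domain_mismatch() {
    awk -v pat="$1" -v want="$2" '
        NR == 1 && $1 == "LABEL" { next }         # skip the ps header line, if present
        {
            split($1, ctx, ":")                     # context is user:role:type:level
            if ($9 ~ pat && ctx[3] != want) print $3, ctx[3], $9
        }'
}

# Read "CONTEXT PATH" lines on stdin (as printed by: stat -c "%C %n" PATH...)
# and, for each file whose type is not $1, emit the commands that record the
# label persistently and apply it. Nothing is executed; review the plan first.
relabel_plan() {
    awk -v want="$1" '
        {
            split($1, ctx, ":")
            if (ctx[3] != want) {
                printf "semanage fcontext -a -t %s \"%s\"\n", want, $2
                printf "restorecon -v \"%s\"\n", $2
            }
        }'
}

# Constructed sample input modelled on comment 3 (not captured output).
SAMPLE_PS='system_u:system_r:initrc_t:s0   root     21744     1  0 09:20 ?        00:00:00 /usr/sbin/cherokee -d -C /etc/cherokee/cherokee.conf
system_u:system_r:initrc_t:s0   cherokee 21747 21744  0 09:20 ?        00:00:00 /usr/sbin/cherokee-worker -C /etc/cherokee/cherokee.conf
system_u:system_r:httpd_t:s0    apache   21800     1  0 09:20 ?        00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21769 21173  0 09:21 pts/0 00:00:00 grep cherokee'
# bin_t on the executables is the usual reason an init script leaves a daemon in initrc_t.
SAMPLE_FILES='system_u:object_r:bin_t:s0 /usr/sbin/cherokee
system_u:object_r:bin_t:s0 /usr/sbin/cherokee-worker
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd'

check_sample_processes() { printf '%s\n' "$SAMPLE_PS" | domain_mismatch '^/usr/sbin/cherokee' httpd_t; }
check_sample_files()     { printf '%s\n' "$SAMPLE_FILES" | relabel_plan httpd_exec_t; }

check_sample_processes   # both cherokee processes are reported as initrc_t
check_sample_files       # relabel commands for the two bin_t executables
```

On a real host pipe `ps -efZ` and `stat -c "%C %n" /usr/sbin/cherokee*` into the two functions instead of the samples; as comments 7 to 9 show, the relabelled worker additionally needs `setsebool -P httpd_setrlimit on`.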

Comment 12 errata-xmlrpc 2012-06-20 12:32:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html