Bug 834089
| Summary: | SELinux is preventing /usr/bin/perl from 'accept' accesses on the unix_stream_socket /run/mod_fcgid/2457.2. | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeff Raber <jeff.raber> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 17 | CC: | dominick.grift, dwalsh, ikke, mgrepl | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:f3c8d36ca2bb1be62a2188947a33175e7340c338ca669ec1d5926a44796569a1 | ||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-12-20 15:30:10 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
I also get an AVC for 'shutdown access' on the same unix_stream_socket. These AVC are generated when attempting to connect to the local smokeping webpage after upgrading to F17 (from F16). The smokeping page returns a 500 Internal Server Error. 'setenforce 0' allows the page to load and function normally. No additional AVCs are generate (besides the ones mentioned above) while running in permissive mode. When you put this in permissive mode do you get additional AVC messages? Created attachment 594534 [details]
output of 'grep smokeping.fcgi /var/log/audit/audit.log'
Attached a list of additional AVCs that are raised when running smokeping while in permissive mode.
Jeff, does it work with the following local policy
# cat mypol.te
policy_module(mypol,1.0)
require{
type httpd_smokeping_cgi_script_t;
type httpd_t;
}
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr };
auth_read_passwd(httpd_smokeping_cgi_script_t)
Execute:
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semoodule -i mypol.pp
and re-test with enforcing mode.
Created attachment 594831 [details]
AVCs generated after 'systemctl restart smokeping.service' (in permssive mode)
Miroslav,
It did not work with the policy you provided; I still received an AVC for 'shutdown' access on the socket.
I added 'shutdown' access to the mypol.te, recompiled and reapplied using:
# cat mypol.te
policy_module(mypol,1.0)
require{
type httpd_smokeping_cgi_script_t;
type httpd_t;
}
allow httpd_smokeping_cgi_script_t httpd_t:unix_stream_socket { ioctl accept getattr shutdown};
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semoodule -i mypol.pp
That worked better, but resulted in a new AVC. Oddly, when I switched to permissive mode the new AVC did not recur. I switched back to enforcing and it still did not recur. I am guessing this AVC was related to the SELinux policy having changed while the process was running.
At that point, my smokeping installation seemed to be working with the local policy installed, in enforcing mode, without generating any AVCs. Just to be thorough, I decided to restart the smokeping service, which resulted in a new AVC. I then switched to permissive mode, restated the smokeping service and received the attached AVCs.
Ok, try to add to your policy
require{
type smokeping_t;
}
corecmd_exec_bin(smokeping_t)
and recompile/reload your local policy.
commit 5c4671c1dd50dbe7c81273136b34cd2d5546b28e
Author: Miroslav Grepl <mgrepl>
Date: Wed Oct 17 10:48:59 2012 +0200
Allow smokeping to execute bin_t
selinux-policy-3.10.0-156.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-156.fc17 Package selinux-policy-3.10.0-156.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-156.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16347/selinux-policy-3.10.0-156.fc17 then log in and leave karma (feedback). I also tried to get smokeping running, it seems my f17 doesn't work out of the box with fcgi. So I went ahead with plain cgi version of smokeping. I had to add these rules to get it working:
$ sudo grep smokeping /var/log/audit/audit.log | audit2allow
#============= httpd_smokeping_cgi_script_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:capability net_raw;
#!!!! This avc is allowed in the current policy
allow httpd_smokeping_cgi_script_t self:rawip_socket create;
#============= smokeping_t ==============
#!!!! This avc is allowed in the current policy
allow smokeping_t bin_t:file { read execute open execute_no_trans };
unfortunately I found this bug only after doing those instead of just downloading the selinux-policy from testing.
selinux-policy-3.10.0-156.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. |
libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.4.2-4.fc17.x86_64 time: Wed 20 Jun 2012 02:12:05 PM CDT description: :SELinux is preventing /usr/bin/perl from 'accept' accesses on the unix_stream_socket /run/mod_fcgid/2457.2. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that perl should be allowed accept access on the 2457.2 unix_stream_socket by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep smokeping.fcgi /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:httpd_smokeping_cgi_script_t:s0 :Target Context system_u:system_r:httpd_t:s0 :Target Objects /run/mod_fcgid/2457.2 [ unix_stream_socket ] :Source smokeping.fcgi :Source Path /usr/bin/perl :Port <Unknown> :Host (removed) :Source RPM Packages perl-5.14.2-212.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-130.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) : 3.4.2-4.fc17.x86_64 #1 SMP Thu Jun 14 22:22:05 UTC : 2012 x86_64 x86_64 :Alert Count 1 :First Seen Wed 20 Jun 2012 02:08:43 PM CDT :Last Seen Wed 20 Jun 2012 02:08:43 PM CDT :Local ID 92961ac4-a649-4eb5-bf17-31cecabf4326 : :Raw Audit Messages :type=AVC msg=audit(1340219323.533:575): avc: denied { accept } for pid=24953 comm="smokeping.fcgi" path="/run/mod_fcgid/2457.2" scontext=system_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket : : :type=SYSCALL msg=audit(1340219323.533:575): arch=x86_64 syscall=accept success=no exit=EACCES a0=0 a1=7fffa8fa5a40 a2=7fffa8fa59ac a3=2000 items=0 ppid=2457 pid=24953 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=smokeping.fcgi exe=/usr/bin/perl subj=system_u:system_r:httpd_smokeping_cgi_script_t:s0 key=(null) : :Hash: smokeping.fcgi,httpd_smokeping_cgi_script_t,httpd_t,unix_stream_socket,accept : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :