Bug 952404

Summary: SELinux prevents access to mod_security temp files.
Product: [Fedora] Fedora Reporter: Mike Lilley <lilley.rpm>
Component: mod_securityAssignee: Othman Madjoudj <athmanem>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 17CC: athmanem, dkopecek, pvrabec
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-21 11:01:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 957522    
Bug Blocks:    

Description Mike Lilley 2013-04-15 21:24:03 UTC 
Description of problem:
SELinux prevents access to new location /var/lib/mod_security/<file> where file is ip.dir, etc.

Version-Release number of selected component (if applicable):
2.7.3-1

How reproducible:
Always.

Steps to Reproduce:
1. Install mod_security-2.7.3-1 on a machine with SELinux set to enforcing, and update the mod_security.conf in /etc/httpd/conf.d
2. Restart httpd service.
3. Access web server.
  
Actual results:
SELinux prevents access to the temporary files whose location was changed with this release.

Expected results:
SELinux policy for mod_security should be configured to allow this access.

Additional info:
Comment 1 Othman Madjoudj 2013-04-20 16:31:56 UTC 
Hi Mike,

Can you attach the AVC message from troubleshooting gui or /var/log/audit/audit.log
Comment 2 Othman Madjoudj 2013-04-20 16:36:57 UTC 
Also can you retry after running the following command:

chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
Comment 3 Mike Lilley 2013-04-28 16:47:54 UTC 
Here is the AVC (from the GUI):
------------------------------------
Raw Audit Messages
type=AVC msg=audit(1367166517.82:2007): avc:  denied  { write } for  pid=13097 comm="httpd" name="ip.dir" dev="sdb3" ino=528654 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1367166517.82:2007): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5f12e798 a1=80042 a2=1a0 a3=1468 items=0 ppid=24489 pid=13097 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
-------------------------------------
And here is the output from the chcon:
---------------------------------------
chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
chcon: failed to change context of `ip.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `ip.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `/var/lib/mod_security' to `system_u:object_r:httpd_var_lib_t': Invalid argument
---------------------------------------
So I switched it to "chcon -R -t httpd_var_lib_t /var/lib/mod_security" which seemed to clear up the problem.

Sorry about the response delay, I was called out of town abruptly.  Please let me know if you need anything else.
Comment 4 Othman Madjoudj 2013-04-28 18:09:32 UTC 
Hi Mike,

I've filled a separate bug report[1] against selinux-policy.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=957522
Comment 5 Mike Lilley 2013-04-29 16:30:07 UTC 
Thanks!  As soon as I see an update, I'll make sure and test it.
Comment 6 Mike Lilley 2013-05-11 17:22:42 UTC 
Whoops - went to test the posted update, but it's only targeting Fedora 18 - I'm still on 17, so can't test it :-(