Bug 1004351 - SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory /var/lib/chrony.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: httpd
Version: 19
Hardware: x86_64 Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Jan Kaluža
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:76737ffc91dd2d7a74d6a3f7531...
Duplicates: 1004349
Reported: 2013-09-04 09:06 EDT by John Griffiths
Modified: 2014-08-21 04:48 EDT
Doc Type: Bug Fix
Last Closed: 2014-08-21 04:48:57 EDT
Attachments: None

Description John Griffiths 2013-09-04 09:06:41 EDT
Description of problem:
SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory /var/lib/chrony.

Do not know if this should be allowed or not.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed search access on the chrony directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:chronyd_var_lib_t:s0
Target Objects                /var/lib/chrony [ dir ]
Source                        /usr/sbin/httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.6-2.fc19.x86_64
Target RPM Packages           chrony-1.29-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-01 03:19:05 EDT
Last Seen                     2013-09-01 03:19:05 EDT
Local ID                      c64d99e1-eae1-4794-b000-0c282ea999cc

Raw Audit Messages
type=AVC msg=audit(1378019945.558:9797): avc:  denied  { search } for  pid=8317 comm="/usr/sbin/httpd" name="chrony" dev="dm-1" ino=6555924 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1378019945.558:9797): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f621bcb6680 a1=7fff913c40b0 a2=7fff913c40b0 a3=fffffe00 items=0 ppid=1407 pid=8317 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: /usr/sbin/httpd,httpd_t,chronyd_var_lib_t,dir,search

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport

Potential duplicate: bug 768472
Comment 1 Daniel Walsh 2013-09-04 09:09:02 EDT
Why is apache executing chrony?
Comment 2 John Griffiths 2013-09-04 09:30:41 EDT
I do not know.

I only changed the httpd.conf file to add my virtual domain information.
Comment 3 Daniel Walsh 2013-09-04 09:33:48 EDT
Well, as bug 768472 shows, we have had this problem before. Seems some library or some config triggers apache to start searching all of this system.
Comment 4 Joe Orton 2013-09-04 09:38:24 EDT
I'm still clueless about what might trigger this.

John, can you describe what web applications, languages, and any special configurations used on this machine?
Comment 5 Daniel Walsh 2013-09-04 09:40:36 EDT
*** Bug 1004349 has been marked as a duplicate of this bug. ***
Comment 6 John Griffiths 2013-09-04 10:32:54 EDT
I have a pretty full boat system. 

Apache is configured with Xbit hack and has several virtual domains. Run Glassfish and a third party Java based license server. Use PHP and CubeCart which is a PHP based shopping cart which is installed without using a package directly into the html code directory of the virtual domain that uses it. Also use phpBB forum software which is also installed directly. I use Bugzilla and WebSVN.

The packages that are net and web related as far as I know are (some of the PHP packages may not be applicable and I may have missed some):

ant-apache-bcel-1.8.4-6.fc19.noarch
ant-apache-log4j-1.8.4-6.fc19.noarch
ant-apache-oro-1.8.4-6.fc19.noarch
ant-apache-regexp-1.8.4-6.fc19.noarch
ant-apache-resolver-1.8.4-6.fc19.noarch
apache-commons-beanutils-1.8.3-9.fc19.noarch
apache-commons-beanutils-javadoc-1.8.3-9.fc19.noarch
apache-commons-cli-1.2-9.fc19.noarch
apache-commons-codec-1.8-1.fc19.noarch
apache-commons-codec-javadoc-1.8-1.fc19.noarch
apache-commons-collections-3.2.1-16.fc19.noarch
apache-commons-collections-javadoc-3.2.1-16.fc19.noarch
apache-commons-compress-1.5-1.fc19.noarch
apache-commons-compress-javadoc-1.5-1.fc19.noarch
apache-commons-configuration-1.9-4.fc19.noarch
apache-commons-configuration-javadoc-1.9-4.fc19.noarch
apache-commons-daemon-1.0.13-1.fc19.x86_64
apache-commons-daemon-javadoc-1.0.13-1.fc19.noarch
apache-commons-dbcp-1.4-12.fc19.noarch
apache-commons-digester-1.8.1-14.fc19.noarch
apache-commons-digester-javadoc-1.8.1-14.fc19.noarch
apache-commons-discovery-0.5-7.fc19.noarch
apache-commons-discovery-javadoc-0.5-7.fc19.noarch
apache-commons-el-1.0-26.fc19.noarch
apache-commons-el-javadoc-1.0-26.fc19.noarch
apache-commons-exec-1.1-8.fc19.noarch
apache-commons-exec-javadoc-1.1-8.fc19.noarch
apache-commons-fileupload-1.2.2-11.fc19.noarch
apache-commons-fileupload-javadoc-1.2.2-11.fc19.noarch
apache-commons-io-2.4-9.fc19.noarch
apache-commons-io-javadoc-2.4-9.fc19.noarch
apache-commons-jexl-2.1.1-5.fc19.noarch
apache-commons-jxpath-1.3-15.fc19.noarch
apache-commons-lang-2.6-12.fc19.noarch
apache-commons-lang3-3.1-5.fc19.noarch
apache-commons-lang-javadoc-2.6-12.fc19.noarch
apache-commons-launcher-1.1-12.20100521svn936225.fc19.noarch
apache-commons-launcher-javadoc-1.1-12.20100521svn936225.fc19.noarch
apache-commons-logging-1.1.2-2.fc19.noarch
apache-commons-logging-javadoc-1.1.2-2.fc19.noarch
apache-commons-math-3.2-1.fc19.noarch
apache-commons-math-javadoc-3.2-1.fc19.noarch
apache-commons-modeler-2.0.1-11.fc19.noarch
apache-commons-net-3.2-4.fc19.noarch
apache-commons-net-javadoc-3.2-4.fc19.noarch
apache-commons-parent-26-5.fc19.noarch
apache-commons-pool-1.6-5.fc19.noarch
apache-commons-validator-1.4.0-4.fc19.noarch
apache-commons-vfs-2.0-10.fc19.noarch
apache-mime4j-0.7.2-7.fc19.noarch
apache-parent-10-10.fc19.noarch
apache-rat-0.8-10.fc19.noarch
apache-rat-core-0.8-10.fc19.noarch
apache-rat-plugin-0.8-10.fc19.noarch
apache-resource-bundles-2-9.fc19.noarch
async-http-client-1.7.14-1.fc19.noarch
bugzilla-4.2.6-2.fc19.noarch
bugzilla-doc-4.2.6-2.fc19.noarch
bugzilla-contrib-4.2.6-2.fc19.noarch
gallery2-2.3.2-7.fc19.noarch
gallery2-ajaxian-2.3.2-7.fc19.noarch
gallery2-albumselect-2.3.2-7.fc19.noarch
gallery2-archiveupload-2.3.2-7.fc19.noarch
gallery2-captcha-2.3.2-7.fc19.noarch
gallery2-carbon-2.3.2-7.fc19.noarch
gallery2-cart-2.3.2-7.fc19.noarch
gallery2-classic-2.3.2-7.fc19.noarch
gallery2-colorpack-2.3.2-7.fc19.noarch
gallery2-comment-2.3.2-7.fc19.noarch
gallery2-customfield-2.3.2-7.fc19.noarch
gallery2-dcraw-2.3.2-7.fc19.noarch
gallery2-debug-2.3.2-7.fc19.noarch
gallery2-digibug-2.3.2-7.fc19.noarch
gallery2-dynamicalbum-2.3.2-7.fc19.noarch
gallery2-ecard-2.3.2-7.fc19.noarch
gallery2-exif-2.3.2-7.fc19.noarch
gallery2-ffmpeg-2.3.2-7.fc19.noarch
gallery2-flashvideo-2.3.2-7.fc19.noarch
gallery2-floatrix-2.3.2-7.fc19.noarch
gallery2-fotokasten-2.3.2-7.fc19.noarch
gallery2-gd-2.3.2-7.fc19.noarch
gallery2-getid3-2.3.2-7.fc19.noarch
gallery2-hidden-2.3.2-7.fc19.noarch
gallery2-httpauth-2.3.2-7.fc19.noarch
gallery2-hybrid-2.3.2-7.fc19.noarch
gallery2-icons-2.3.2-7.fc19.noarch
gallery2-imageblock-2.3.2-7.fc19.noarch
gallery2-imageframe-2.3.2-7.fc19.noarch
gallery2-imagemagick-2.3.2-7.fc19.noarch
gallery2-itemadd-2.3.2-7.fc19.noarch
gallery2-jpegtran-2.3.2-7.fc19.noarch
gallery2-keyalbum-2.3.2-7.fc19.noarch
gallery2-linkitem-2.3.2-7.fc19.noarch
gallery2-matrix-2.3.2-7.fc19.noarch
gallery2-members-2.3.2-7.fc19.noarch
gallery2-migrate-2.3.2-7.fc19.noarch
gallery2-mime-2.3.2-7.fc19.noarch
gallery2-mp3audio-2.3.2-7.fc19.noarch
gallery2-multilang-2.3.2-7.fc19.noarch
gallery2-multiroot-2.3.2-7.fc19.noarch
gallery2-netpbm-2.3.2-7.fc19.noarch
gallery2-newitems-2.3.2-7.fc19.noarch
gallery2-nokiaupload-2.3.2-7.fc19.noarch
gallery2-notification-2.3.2-7.fc19.noarch
gallery2-password-2.3.2-7.fc19.noarch
gallery2-permalinks-2.3.2-7.fc19.noarch
gallery2-photoaccess-2.3.2-7.fc19.noarch
gallery2-picasa-2.3.2-7.fc19.noarch
gallery2-publishxp-2.3.2-7.fc19.noarch
gallery2-quotas-2.3.2-7.fc19.noarch
gallery2-randomhighlight-2.3.2-7.fc19.noarch
gallery2-rating-2.3.2-7.fc19.noarch
gallery2-rearrange-2.3.2-7.fc19.noarch
gallery2-register-2.3.2-7.fc19.noarch
gallery2-replica-2.3.2-7.fc19.noarch
gallery2-reupload-2.3.2-7.fc19.noarch
gallery2-rewrite-2.3.2-7.fc19.noarch
gallery2-rss-2.3.2-7.fc19.noarch
gallery2-search-2.3.2-7.fc19.noarch
gallery2-shutterfly-2.3.2-7.fc19.noarch
gallery2-siriux-2.3.2-7.fc19.noarch
gallery2-sitemap-2.3.2-7.fc19.noarch
gallery2-sizelimit-2.3.2-7.fc19.noarch
gallery2-slider-2.3.2-7.fc19.noarch
gallery2-slideshow-2.3.2-7.fc19.noarch
gallery2-snapgalaxy-2.3.2-7.fc19.noarch
gallery2-squarethumb-2.3.2-7.fc19.noarch
gallery2-thumbnail-2.3.2-7.fc19.noarch
gallery2-thumbpage-2.3.2-7.fc19.noarch
gallery2-tile-2.3.2-7.fc19.noarch
gallery2-useralbum-2.3.2-7.fc19.noarch
gallery2-watermark-2.3.2-7.fc19.noarch
gallery2-webcam-2.3.2-7.fc19.noarch
gallery2-webdav-2.3.2-7.fc19.noarch
gallery2-zipcart-2.3.2-7.fc19.noarch
glassfish-dtd-parser-1.2-0.6.20120120svn.fc19.noarch
graphviz-php-2.30.1-10.fc19.x86_64
httpcomponents-client-4.2.5-1.fc19.noarch
httpcomponents-core-4.2.4-3.fc19.noarch
httpcomponents-project-6-2.fc19.noarch
httpd-2.4.6-2.fc19.x86_64
httpd-devel-2.4.6-2.fc19.x86_64
httpd-manual-2.4.6-2.fc19.noarch
httpd-tools-2.4.6-2.fc19.x86_64
httpunit-1.7-11.fc19.noarch
iris-1.0.0-0.14.20110904svn812.fc19.x86_64
jakarta-commons-httpclient-3.1-13.fc19.noarch
jetty-http-9.0.3-3.fc19.noarch
jetty-server-9.0.3-3.fc19.noarch
jetty-webapp-9.0.3-3.fc19.noarch
jetty-websocket-api-9.0.3-3.fc19.noarch
jetty-websocket-common-9.0.3-3.fc19.noarch
jetty-websocket-server-9.0.3-3.fc19.noarch
jetty-websocket-servlet-9.0.3-3.fc19.noarch
kdewebdev-3.5.10-20.fc19.x86_64
kdewebdev-libs-3.5.10-20.fc19.x86_64
kwebkitpart-1.3.2-2.fc19.x86_64
libmicrohttpd-0.9.27-1.fc19.x86_64
libreport-plugin-bugzilla-2.1.6-2.fc19.x86_64
libreport-web-2.1.6-2.fc19.x86_64
libsocialweb-0.25.21-3.fc19.x86_64
libsocialweb-keys-0.25.21-3.fc19.noarch
libvncserver-0.9.9-7.fc19.x86_64
libwebp-0.3.1-1.fc19.x86_64
mod_perl-2.0.7-12.20130221svn1448242.fc19.x86_64
mod_perl-devel-2.0.7-12.20130221svn1448242.fc19.x86_64
mono-web-2.10.8-4.fc19.x86_64
obex-data-server-0.4.6-5.fc19.x86_64
objectweb-asm-3.3.1-7.fc19.noarch
objectweb-asm4-4.1-3.fc19.noarch
openssh-server-6.2p2-5.fc19.x86_64
perl-HTTP-Body-1.07-10.fc19.noarch
perl-HTTP-Cookies-6.01-5.fc19.noarch
perl-HTTP-Daemon-6.01-5.fc19.noarch
perl-HTTP-Date-6.02-5.fc19.noarch
perl-HTTP-Message-6.06-3.fc19.noarch
perl-HTTP-Negotiate-6.01-5.fc19.noarch
perl-HTTP-Server-Simple-0.44-6.fc19.noarch
perl-HTTP-Server-Simple-PSGI-0.14-7.fc19.noarch
perl-HTTP-Tiny-0.017-265.fc19.noarch
perl-Net-HTTP-6.06-1.fc19.noarch
perl-Net-Server-2.007-1.fc19.noarch
php-5.5.3-1.fc19.x86_64
php-cli-5.5.3-1.fc19.x86_64
php-common-5.5.3-1.fc19.x86_64
php-devel-5.5.3-1.fc19.x86_64
php-gd-5.5.3-1.fc19.x86_64
php-geshi-1.0.8.11-3.fc19.noarch
php-ldap-5.5.3-1.fc19.x86_64
php-mbstring-5.5.3-1.fc19.x86_64
php-mcrypt-5.5.3-1.fc19.x86_64
php-mysqlnd-5.5.3-1.fc19.x86_64
php-odbc-5.5.3-1.fc19.x86_64
php-pdo-5.5.3-1.fc19.x86_64
php-pear-1.9.4-20.fc19.noarch
php-pear-Mail-Mime-1.8.8-1.fc19.noarch
php-pear-Text-Diff-1.1.1-7.fc19.noarch
php-pecl-jsonc-1.3.1-1.fc19.x86_64
php-pecl-jsonc-devel-1.3.1-1.fc19.x86_64
php-pgsql-5.5.3-1.fc19.x86_64
php-process-5.5.3-1.fc19.x86_64
php-Smarty2-2.6.27-1.fc19.noarch
php-Smarty-3.1.14-1.fc19.noarch
php-xml-5.5.3-1.fc19.x86_64
python-bugzilla-0.9.0-1.fc19.noarch
python-httplib2-0.7.7-2.fc19.noarch
python-twisted-web-12.2.0-2.fc19.x86_64
pywebkitgtk-1.1.8-5.fc19.x86_64
qjdns-1.0.0-0.14.20110904svn812.fc19.x86_64
qtwebkit-2.3.2-1.fc19.x86_64
qtwebkit-devel-2.3.2-1.fc19.x86_64
system-config-httpd-1.5.5-5.fc19.noarch
tigervnc-server-1.3.0-3.fc19.x86_64
tigervnc-server-minimal-1.3.0-3.fc19.x86_64
vpnc-0.5.3-17.svn457.fc19.x86_64
vpnc-script-0.5.3-17.svn457.fc19.noarch
webalizer-2.23_05-7.fc19.x86_64
webkitgtk-2.0.4-1.fc19.x86_64
webkitgtk3-2.0.4-1.fc19.x86_64
webrtc-audio-processing-0.1-4.fc19.x86_64
websvn-2.3.3-5.fc19.noarch
xmlrpc-c-1.32.5-1901.svn2451.fc19.x86_64
xmlrpc-c-client-1.32.5-1901.svn2451.fc19.x86_64
Comment 7 Jan Kaluža 2013-10-10 06:38:42 EDT
Some of your applications running under httpd are trying to search /var/lib/chrony. Httpd itself has no reason and no code to do that.

The only recommendation I can give you is to try to find out when that happens and be able to reproduce it. Once you are able to reproduce it, you could stop some of the applications (unload possible 3rd-party modules or disable some virtual hosts) you have there for a short time, reproduce it again and see if it changed anything.

In a complex case like this I don't see any other way to find out what's causing this problem.
Comment 8 Daniel Walsh 2013-10-10 13:28:39 EDT
You could also add a dontaudit rule to ignore it, since it is not dangerous.

# grep chrony /var/log/audit/audit.log | audit2allow -D -m myhttp
# semodule -i myhttp.pp
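The two steps suggested in comments 7 and 8 (work out when the denial happens, then silence it with a dontaudit rule rather than granting the access) can both be driven from the raw AVC record. The POSIX sh script below is an added example, not code from this bug report, from setroubleshoot or from audit2allow: it pulls the command, source type, target type, class and permission out of an AVC line (the same tuple the report's "Hash:" line shows), recovers the epoch timestamp from msg=audit(...) so denials can be lined up against web server activity, and prints the policy source for a dontaudit rule. The sample record is the AVC line from this report; the module layout (module / require / dontaudit) is an assumption about what the `audit2allow -D -m myhttp` step in comment 8 emits, and the text would still have to be compiled and loaded with audit2allow or checkmodule/semodule_package/semodule. A dontaudit rule only stops the denial being logged and the access stays denied, whereas the catchall suggestion in the description (`audit2allow -M mypol`) would build an allow rule granting httpd_t search on chronyd_var_lib_t, something comment 7 says httpd has no reason to need.

```shell
#!/bin/sh
# Added example for this bug thread; not code from the report, setroubleshoot
# or audit2allow.  Parses AVC denial records such as the one in the report and
# builds the dontaudit module source that comment 8's "audit2allow -D" step
# produces (the module layout below is an assumption about that output).

# Constructed sample input: the AVC record quoted in the report, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1378019945.558:9797): avc:  denied  { search } for  pid=8317 comm="/usr/sbin/httpd" name="chrony" dev="dm-1" ino=6555924 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=value, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type field of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_epoch RECORD: whole seconds from msg=audit(SECONDS.MILLIS:SERIAL).
avc_epoch() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([0-9]*\)\.[0-9]*:[0-9]*).*/\1/p'
}

# avc_key RECORD: comm,source type,target type,class,permission; this is the
# tuple setroubleshoot shows on the report's "Hash:" line.
avc_key() {
    rec=$1
    printf '%s,%s,%s,%s,%s\n' \
        "$(avc_field "$rec" comm)" \
        "$(avc_type "$(avc_field "$rec" scontext)")" \
        "$(avc_type "$(avc_field "$rec" tcontext)")" \
        "$(avc_field "$rec" tclass)" \
        "$(avc_perm "$rec")"
}

# avc_summary: read an audit log on stdin and print "epoch key" for each AVC
# record, ignoring SYSCALL and other record types, so denials can be counted
# and lined up against web server activity.
avc_summary() {
    while IFS= read -r line; do
        case $line in
            type=AVC*) printf '%s %s\n' "$(avc_epoch "$line")" "$(avc_key "$line")" ;;
        esac
    done
}

# dontaudit_te MODNAME RECORD: policy source that silences the denial without
# granting the access (an "allow" here is what "audit2allow -M" would build).
dontaudit_te() {
    name=$1; rec=$2
    st=$(avc_type "$(avc_field "$rec" scontext)")
    tt=$(avc_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perm=$(avc_perm "$rec")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\ndontaudit %s %s:%s %s;\n' \
        "$name" "$st" "$tt" "$cls" "$perm" "$st" "$tt" "$cls" "$perm"
}

# Stand-alone run: summarise the sample record and print the module source.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
dontaudit_te myhttp "$SAMPLE_AVC"
```

On a live system, `avc_summary < /var/log/audit/audit.log` gives one `epoch key` line per AVC record; `sort` and `uniq -c` on the key column show how often each distinct denial recurs, and the epoch column shows when (with GNU date, `date -u -d @1378019945` prints 2013-09-01 07:19:05 UTC, which is the 03:19:05 EDT "First Seen" in the report). Comparing those timestamps with the httpd access log for the virtual hosts is the cheapest way to narrow down which application triggers the lookup before starting the stop-and-reproduce cycle from comment 7.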
Comment 9 Daniel Walsh 2013-10-10 13:30:38 EDT
Miroslav, we see these often enough; maybe we want to add a boolean that says

httpd_dontaudit_search_dirs

And then allow users to

files_dontaudit_search_non_security_dirs(httpd_t)
Comment 10 Fedora Admin XMLRPC Client 2014-06-30 05:53:43 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Jan Kaluža 2014-08-21 04:48:57 EDT
It has not been proved to be a bug in httpd and we are not able to reproduce it. I'm closing this bug as NOTABUG. If you find a simple way to reproduce this bug with a clean httpd installation, feel free to reopen.