Bug 1023202 - luci: started python process has "unconfined_u:system_r:initrc_t:s0" label
luci: started python process has "unconfined_u:system_r:initrc_t:s0" label
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
Depends On: 1026374
  Show dependency treegraph
Reported: 2013-10-24 17:15 EDT by Jan Pokorný
Modified: 2014-10-14 03:57 EDT (History)
7 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-250.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1026374 (view as bug list)
Last Closed: 2014-10-14 03:57:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Pokorný 2013-10-24 17:15:36 EDT
See the subject, reproducer:

# yum install -y
# service luci start
# ps -Zp $(service luci status | awk '{print $5;}' )

In my case, both el6.4 and el6.5 reports something like this:
> LABEL                             PID TTY          TIME CMD
> unconfined_u:system_r:initrc_t:s0 6077 ?       00:00:00 python

The full command is:

> /usr/bin/python -Es /usr/bin/paster serve --daemon --user luci \
>  --group luci --log-file=/var/log/luci/luci.log \
>  --pid-file=/var/run/luci/luci.pid --server-name=init --app-name=init \
>  /var/lib/luci/etc/luci.ini

Was told this is not expected and I can also remember that in the past,
the luci-related things were labeled piranha*_t; see e.g. [bug 737635]
showing (if I interpret scontext ~ subject context correctly) that
expected process label should be:

> unconfined_u:system_r:piranha_web_t

Note: from what I can tell, not problem in enforcing mode so far

el6.4 details:
# rpm -q luci python python-paste-script selinux-policy

el6.5 details:
# rpm -q luci python python-paste-script selinux-policy
> luci-0.26.0-48.el6.x86_64
> python-2.6.6-51.el6.x86_64
> python-paste-script-1.7.3-5.el6_3.noarch
> selinux-policy-3.7.19-228.el6.noarch
Comment 3 Miroslav Grepl 2013-10-25 03:30:31 EDT
Ok, this is way how the paster is involved. Basically we did fixes in Fedora for this where we changed the way how to confine it.


This is a bug for RHEL6.6.
Comment 4 Jan Pokorný 2013-10-30 10:21:41 EDT
Note wrt. reproducer "smoothness":
- avoid python-repoze-who-friendlyform from EPEL
  (aged problem, cf. [bug 750474 comment 6])

If I read the referenced blog post correctly, we should rather provide
a custom "launcher" script just to fit the current expected phased
transition scheme involving paster (so as not to complicate the matters
in the policy)?
Comment 5 Miroslav Grepl 2013-11-04 09:10:19 EST
yes. We need to have a helper scripts for luci. Also I will need to back port piranha.te policy changes to RHEL6.6 to make it working.
Comment 6 Jan Pokorný 2013-11-04 09:23:27 EST
Ok, the script itself is a subject of [bug 1026374] (set as a blocker here).
Comment 7 Lukas Vrabec 2014-07-15 05:16:32 EDT
We need helper script for luci, to fix this issue as Miroslav wrote above.
Comment 15 Lukas Vrabec 2014-08-11 03:46:16 EDT
I'll send patch.

commit d6aa56214a2641cf611adbb598015aa8ebe211b4
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Aug 11 09:44:54 2014 +0200

    Fix path to luci(/usr/sbin/luci) Resolves:1023202
Comment 16 Milos Malik 2014-08-11 11:05:51 EDT
jpokorny found following AVC, which appeared after selinux-policy update when luci service is restarted. My understanding is that the new luci instance (running as piranha_web_t) signals the old luci instance (running as initrc_t) to stop.
type=SYSCALL msg=audit(08/11/2014 16:21:36.486:4469) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x1327 a1=SIG0 a2=0x1 a3=0x7ffff9251360 items=0 ppid=23175 pid=23176 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=luci exe=/usr/bin/python subj=unconfined_u:system_r:piranha_web_t:s0 key=(null) 
type=AVC msg=audit(08/11/2014 16:21:36.486:4469) : avc:  denied  { signull } for  pid=23176 comm=luci scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process 

# service luci restart
Stop luci...                                               [FAILED]
Start luci...                                              [  OK  ]

Unfortunately, the old luci instance stays running.
Comment 26 errata-xmlrpc 2014-10-14 03:57:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.