See the subject, reproducer:

  # yum install -y
  # service luci start
  # ps -Zp $(service luci status | awk '{print $5;}')

In my case, both el6.4 and el6.5 report something like this:

> LABEL                             PID TTY          TIME CMD
> unconfined_u:system_r:initrc_t:s0 6077 ?        00:00:00 python

The full command is:

> /usr/bin/python -Es /usr/bin/paster serve --daemon --user luci \
>   --group luci --log-file=/var/log/luci/luci.log \
>   --pid-file=/var/run/luci/luci.pid --server-name=init --app-name=init \
>   /var/lib/luci/etc/luci.ini

I was told this is not expected, and I can also remember that in the past the luci-related things were labeled piranha*_t; see e.g. [bug 737635], showing (if I interpret scontext ~ subject context correctly) that the expected process label should be:

> unconfined_u:system_r:piranha_web_t

Note: from what I can tell, no problem in enforcing mode so far.

el6.4 details:

  # rpm -q luci python python-paste-script selinux-policy
  luci-0.26.0-37.el6_4.1.x86_64
  python-2.6.6-36.el6.x86_64
  python-paste-script-1.7.3-5.el6_3.noarch
  selinux-policy-3.7.19-195.el6.noarch

el6.5 details:

  # rpm -q luci python python-paste-script selinux-policy
  luci-0.26.0-48.el6.x86_64
  python-2.6.6-51.el6.x86_64
  python-paste-script-1.7.3-5.el6_3.noarch
  selinux-policy-3.7.19-228.el6.noarch
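The `ps -Zp` check from the reproducer above, as an added example that is not part of the bug report: it parses the quoted `ps -Z` output and tells a process confined in the expected piranha_web_t domain apart from one left in initrc_t (the generic init-script domain, which is why enforcing mode shows no denials for it). The expected type is the one the report names; the sample lines, the second "correctly labelled" sample and the function names are constructed here.

```python
"""Check which SELinux domain a service's process is running in.

Added example for the `ps -Zp` check in the reproducer; not code from
the bug report. The expected type (piranha_web_t) is the one the report
names; everything else here is constructed.
"""
from typing import Dict, List

# Constructed sample: the `ps -Zp` output quoted in the report.
PS_OUTPUT_INITRC = """\
LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:initrc_t:s0 6077 ?        00:00:00 python
"""

# Constructed sample of what a correctly labelled process would look like
# (same PID, only the type differs).
PS_OUTPUT_PIRANHA = """\
LABEL                                  PID TTY          TIME CMD
unconfined_u:system_r:piranha_web_t:s0 6077 ?        00:00:00 python
"""

EXPECTED_TYPE = "piranha_web_t"

# initrc_t is the generic domain for init scripts and whatever they start
# without a transition rule; a daemon left there has no service-specific
# policy, so enforcing mode denies nothing (which matches the report's
# "no problem in enforcing mode").
UNCONFINED_DAEMON_TYPES = {"initrc_t", "unconfined_t"}


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def parse_ps_z(output: str) -> List[Dict[str, object]]:
    """Parse `ps -Z` output (header plus process lines) into dicts."""
    rows: List[Dict[str, object]] = []
    for line in output.strip().splitlines()[1:]:  # skip the LABEL ... header
        fields = line.split(None, 4)               # CMD may contain spaces
        if len(fields) < 5:
            continue
        label, pid, tty, cpu_time, cmd = fields
        rows.append({"label": label, "pid": int(pid), "tty": tty,
                     "time": cpu_time, "cmd": cmd, "type": selinux_type(label)})
    return rows


def check_service_label(output: str,
                        expected_type: str = EXPECTED_TYPE) -> Dict[str, object]:
    """Classify the first process in `output` against `expected_type`.

    verdict is one of:
      "ok"          the process runs in the expected domain
      "unconfined"  it runs in initrc_t/unconfined_t, i.e. the policy's
                    domain transition did not happen
      "unexpected"  it runs in some other domain
    """
    rows = parse_ps_z(output)
    if not rows:
        raise ValueError("no process line in ps output")
    actual = str(rows[0]["type"])
    if actual == expected_type:
        verdict = "ok"
    elif actual in UNCONFINED_DAEMON_TYPES:
        verdict = "unconfined"
    else:
        verdict = "unexpected"
    return {"pid": rows[0]["pid"], "type": actual, "verdict": verdict}


if __name__ == "__main__":
    for sample in (PS_OUTPUT_INITRC, PS_OUTPUT_PIRANHA):
        print(check_service_label(sample))
```

Feeding it the real output of `ps -Zp "$(pidof -x luci)"` (or the `service luci status` pipeline from the report) gives the same three-way verdict; "unconfined" is the state this bug describes.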
Ok, this is the way paster is involved. Basically we did fixes in Fedora for this, where we changed the way we confine it.

http://mgrepl.wordpress.com/2012/06/20/how-would-tools-like-paster-work-with-selinux/

This is a bug for RHEL6.6.
Note wrt. reproducer "smoothness":

- avoid python-repoze-who-friendlyform from EPEL (aged problem, cf. [bug 750474 comment 6])

If I read the referenced blog post correctly, we should rather provide a custom "launcher" script just to fit the current expected phased transition scheme involving paster (so as not to complicate the matters in the policy)?
Jan, yes. We need to have a helper script for luci. Also I will need to back port the piranha.te policy changes to RHEL6.6 to make it work.
Ok, the script itself is a subject of [bug 1026374] (set as a blocker here).
Jan, we need a helper script for luci to fix this issue, as Miroslav wrote above.
I'll send a patch.

commit d6aa56214a2641cf611adbb598015aa8ebe211b4
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 11 09:44:54 2014 +0200

    Fix path to luci(/usr/sbin/luci)

    Resolves:1023202
jpokorny found the following AVC, which appeared after the selinux-policy update when the luci service is restarted. My understanding is that the new luci instance (running as piranha_web_t) signals the old luci instance (running as initrc_t) to stop.

----
type=SYSCALL msg=audit(08/11/2014 16:21:36.486:4469) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x1327 a1=SIG0 a2=0x1 a3=0x7ffff9251360 items=0 ppid=23175 pid=23176 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=luci exe=/usr/bin/python subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(08/11/2014 16:21:36.486:4469) : avc: denied { signull } for pid=23176 comm=luci scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
----

  # service luci restart
  Stop luci...                                               [FAILED]
  Start luci...                                              [  OK  ]
  #

Unfortunately, the old luci instance stays running.
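Reading the AVC record above in a structured way, as an added example that is not the reporter's code: it extracts source domain, target domain, object class and denied permission from an `ausearch -i` style AVC line, ignores the accompanying SYSCALL record, renders the denial in the `allow` rule syntax of a .te policy file so it can be compared with what the policy grants, and counts denials across a batch of log lines. The two audit records are the ones quoted in the comment, embedded here as constructed samples; the function names are assumptions.

```python
"""Pull the facts out of an SELinux AVC denial record.

Added example for the AVC quoted in the comment; not the reporter's code.
The two audit records are the ones from the report, reproduced here as
constructed samples; function names are assumptions.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

SYSCALL_SAMPLE = (
    "type=SYSCALL msg=audit(08/11/2014 16:21:36.486:4469) : arch=x86_64 "
    "syscall=kill success=no exit=-13(Permission denied) a0=0x1327 a1=SIG0 "
    "a2=0x1 a3=0x7ffff9251360 items=0 ppid=23175 pid=23176 auid=root uid=root "
    "gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root "
    "tty=pts0 ses=3 comm=luci exe=/usr/bin/python "
    "subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)"
)
AVC_SAMPLE = (
    "type=AVC msg=audit(08/11/2014 16:21:36.486:4469) : avc: denied "
    "{ signull } for pid=23176 comm=luci "
    "scontext=unconfined_u:system_r:piranha_web_t:s0 "
    "tcontext=system_u:system_r:initrc_t:s0 tclass=process"
)

# "avc: denied { perm1 perm2 } for key=value ..." as printed by ausearch -i
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context: str) -> str:
    """Type field of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": kv.get("pid"),
        "comm": kv.get("comm"),
        "scontext": kv["scontext"],
        "tcontext": kv["tcontext"],
        "tclass": kv["tclass"],
        "source_type": selinux_type(kv["scontext"]),
        "target_type": selinux_type(kv["tcontext"]),
    }


def as_allow_rule(avc: Dict[str, object]) -> str:
    """Render the denial as the .te-style allow rule that would permit it.

    Used to compare against what the policy actually grants. For the
    sample it shows that the new piranha_web_t instance was refused a
    null signal (kill -0, the "is it alive" probe; note a1=SIG0 in the
    SYSCALL record) to the old process still running in initrc_t.
    """
    perms = " ".join(avc["perms"])
    return (f"allow {avc['source_type']} {avc['target_type']}:"
            f"{avc['tclass']} {perms};")


def summarize(lines: Iterable[str]) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        for perm in avc["perms"]:
            counts[(avc["source_type"], avc["target_type"],
                    avc["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    record = parse_avc(AVC_SAMPLE)
    print(as_allow_rule(record))
    print(summarize([SYSCALL_SAMPLE, AVC_SAMPLE]))
```

Piping `ausearch -m AVC -i` output through `summarize` gives the same per-domain-pair counts for a live system; the rendered rule is for reading against the policy source, which is where the report's fix (the piranha.te backport plus the helper script) lands rather than in a local module.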
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html