Description of problem:
I'm trying to reprovision my existing web development environment on f20 (it's been working on f19).

SELinux is preventing /usr/bin/perl from 'read' accesses on the directory cpu.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that perl should be allowed read access on the cpu directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                cpu [ dir ]
Source                        index.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.18.1-288.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.6-301.fc20.x86_64 #1 SMP Mon Oct 21 21:54:19 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-31 10:21:04 EST
Last Seen                     2013-10-31 10:22:03 EST
Local ID                      5bff7d2a-1f7a-4e78-9c86-c91d1b382595

Raw Audit Messages
type=AVC msg=audit(1383175323.483:709): avc:  denied  { read } for  pid=4488 comm="index.cgi" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1383175323.483:709): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=33acf7a67c a2=90800 a3=0 items=0 ppid=3697 pid=4488 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=4294967295 tty=(none) comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: index.cgi,httpd_sys_script_t,sysfs_t,dir,read

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.6-301.fc20.x86_64
type:           libreport
I tried running:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
as suggested and got:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
compilation failed:
sh: /usr/bin/checkmodule: No such file or directory

Running
# grep index.cgi /var/log/audit/audit.log
works fine (at least it outputs stuff)
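What the suggested `grep index.cgi audit.log | audit2allow` pipeline derives from the raw AVC record quoted in the description, as an added example that is not from this bug thread or the selinux-policy project: it parses each denial into source type, target type, object class and permissions, rebuilds the report's Hash key, and emits the allow rule a local policy module would carry. The sample log (the report's AVC and an abbreviated SYSCALL record, plus a second constructed denial with two permissions) is constructed for the example.

```python
import re

# Constructed sample log: the AVC and (abbreviated) SYSCALL records quoted in this
# report, plus a constructed second denial with two permissions on a sysfs file.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1383175323.483:709): avc:  denied  { read } for  pid=4488 comm="index.cgi" name="cpu" dev="sysfs" ino=37 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1383175323.483:709): arch=x86_64 syscall=openat success=no exit=EACCES comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_sys_script_t:s0
type=AVC msg=audit(1383175400.001:712): avc:  denied  { read open } for  pid=4490 comm="index.cgi" name="online" dev="sysfs" ino=41 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one AVC record into its parts; None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'), 'tclass': fields['tclass'],
            'source_type': context_type(fields['scontext']),
            'target_type': context_type(fields['tcontext'])}

def setroubleshoot_hash(avc):
    """Key in the shape of the report's 'Hash:' line (comm,stype,ttype,tclass,perms)."""
    return ','.join([avc['comm'], avc['source_type'], avc['target_type'],
                     avc['tclass'], ' '.join(avc['perms'])])

def allow_rule(avc):
    """Type-enforcement allow rule an audit2allow-style tool derives from one denial."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_text};"

def rules_for_comm(log_text, comm):
    """Like `grep <comm> audit.log | audit2allow`: distinct rules for one command's denials."""
    rules = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc['result'] == 'denied' and avc['comm'] == comm:
            rule = allow_rule(avc)
            if rule not in rules:
                rules.append(rule)
    return rules
```

A raw `allow httpd_sys_script_t sysfs_t:dir read;` in a local module is the stop-gap the tool offers; the maintainer's fix later in this thread instead grants the access through the policy's own dev_list_sysfs() interface.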
# yum install checkpolicy
will fix that problem. What is the location of the index.cgi? Is this something you wrote?
index.cgi is a perl script I've written and have been using for some 10 years now (with the occasional alteration, but most unchanged). I can provide you with the script if you like. I don't know what the 'directory cpu' is. I'm assuming it's a directory called cpu, but I haven't made this, so I assumed this was a perl running on fedora issue.
/sys/bus/cpu
/sys/bus/event_source/devices/cpu
/sys/devices/cpu
/sys/devices/system/cpu

Is what it is trying to read. It could be an upgrade to perl which now checks one of these files. Did your script work correctly?
Yeah, the script works fine. I had switched to Permissive, but switching back to Enforcing it still works and there's nothing in the httpd log files that suggests it's an issue.
I added dev_list_sysfs(httpd_sys_script_t) to .git.
4340e59155b7f34de781bc269429f14f919dd8de fixes this in git.
selinux-policy-3.12.1-116.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-116.fc20
Package selinux-policy-3.12.1-116.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-116.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0806/selinux-policy-3.12.1-116.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-116.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.