Bug 1033025 - Please include policy for GLPI
Please include policy for GLPI
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2013-11-21 07:50 EST by Remi Collet
Modified: 2014-12-04 01:26 EST (History)
CC: 4 users
See Also:
Fixed In Version: selinux-policy-3.12.1-195.fc20
Doc Type: Bug Fix
Last Closed: 2014-12-04 01:26:28 EST
Type: Bug
Attachments: None
Description Remi Collet 2013-11-21 07:50:29 EST
The GLPI package (webapp) is in the Fedora repository and provides an SELinux policy.

Currently:
semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_sysconfdir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_sys_content_t    -r s0 "%{_datadir}/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_log_t            -r s0 "%{_localstatedir}/log/%{name}(/.*)?"
semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_localstatedir}/lib/%{name}(/.*)?"

/etc/glpi       must be writable as configuration is generated by the web UI.
/usr/share/glpi is the application
/var/lib/glpi   must be writable, directory used to save various files (httpd_var_lib_t is not suitable as it prevents sub-directory creation)
/var/log/glpi   is for application log.

Having those policies included in the default policy will avoid having to run semanage and restorecon in the scriptlet.


Is it possible to also include them in RHEL policy ? (GLPI is in EPEL)
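The four semanage rules above each bind a directory tree to one SELinux type. A quick way to confirm that files on a host actually carry the type the policy is supposed to assign is to audit an `ls -aZ` listing against that expectation. The script below is an added example, not code from the bug report or from the GLPI or selinux-policy projects; the expected-type table is taken from the report, and the listing it runs on is a constructed sample modelled on the RHEL-6 output quoted later in the thread, with two entries deliberately carrying a stale type.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an `ls -aZ`-style listing
# against the type the GLPI file contexts are expected to assign, and report
# every entry whose SELinux type differs. Runs offline on the constructed
# listing below; on a real host, pipe in `ls -aZ /var/lib/glpi/files/_cron`.

# Expected type per directory tree, as requested in the report.
expected_type() {
    case "$1" in
        /etc/glpi*)       echo httpd_sys_rw_content_t ;;
        /usr/share/glpi*) echo httpd_sys_content_t ;;
        /var/log/glpi*)   echo httpd_log_t ;;
        /var/lib/glpi*)   echo httpd_sys_rw_content_t ;;
        *)                echo "" ;;
    esac
}

# Read an ls -Z listing on stdin (perms owner group user:role:type:level name)
# and print "name actual_type" for each entry whose type is not $1.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 5 {
            split($4, ctx, ":")          # ctx[3] is the type field
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# Constructed sample listing: two entries still labeled cron_var_lib_t,
# one file created with a different SELinux user but the right type.
SAMPLE='drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-x---. apache root   system_u:object_r:cron_var_lib_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092017
-rw-r--r--. apache apache system_u:object_r:cron_var_lib_t:s0 test-20131122-092201'

# Number of mislabeled entries in the sample for the /var/lib/glpi tree.
count_mislabeled() {
    printf '%s\n' "$SAMPLE" \
        | find_mislabeled "$(expected_type /var/lib/glpi/files/_cron)" \
        | wc -l | tr -d ' '
}

count_mislabeled
```

Only the type field is compared: the SELinux user (`system_u` vs `unconfined_u`) differs between files created by cron and by the web UI, but it does not affect httpd_t access decisions, so it is not reported. Once the shipped policy carries the right file contexts, `restorecon -Rv /var/lib/glpi` is the fix for any entry this reports.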
Comment 1 Daniel Walsh 2013-11-21 10:30:27 EST
Ok I just added 
+/etc/glpi(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/glpi(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/log/glpi(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
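Review bot: The /var/lib/glpi line assigns httpd_var_lib_t, while the report explicitly asks for httpd_sys_rw_content_t on that tree because httpd_var_lib_t blocks the sub-directory creation GLPI needs there; either change the type on that line to httpd_sys_rw_content_t or state why httpd_var_lib_t is adequate. The lines also carry no file header, so it is worth naming the .fc file they go into, and checking that no other policy module (cron.fc is mentioned later in the thread for /var/lib/glpi/files) already labels a sub-path with a different type that would override this entry.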

1f5d06e7894758fbd7394cd373a6c411a8cfef12 patch in git.

Why is glpi writing to /etc/glpi?  Can't this be written in /var/lib/glpi?
Comment 2 Remi Collet 2013-11-21 10:37:15 EST
(In reply to Daniel Walsh from comment #1)

Thanks

> Why is glpi writing to /etc/glpi?  Can't this be written in /var/lib/glpi?

This is some configuration files (database credential ...), but which are created from the web UI.
Comment 3 Remi Collet 2013-11-22 03:39:35 EST
From a comment on bug #1032995, I notice there is already a policy on /var/lib/glpi/files (cron_var_lib_t)

I ran some tests on RHEL-6:
# ll -aZ /var/lib/glpi/files/_cron/
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092017
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092201

The test-20131122-092017 file was created from an action triggered from the web UI.
The test-20131122-092201 file was created from a cron action.

Same tests on Fedora 19:
# ll -aZ /var/lib/glpi/files/_cron/
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-093120
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-093401


The test-20131122-093120 file was created from an action triggered from the web UI.
The test-20131122-093401 file was created from a cron action.


Can you please drop the policy on /var/lib/glpi/files (to be sure the policy on /var/lib/glpi will apply) ?
Comment 4 Remi Collet 2013-11-22 03:50:41 EST
(In reply to Remi Collet from comment #3)
> Can you please drop the policy on /var/lib/glpi/files (to be sure the policy
> on /var/lib/glpi will apply) ?

This is in the cron.fc file.
Comment 5 Daniel Walsh 2013-11-22 14:02:49 EST
Ok that should be eliminated and we need to allow crond to write to the apache content.
Comment 6 Remi Collet 2014-11-07 04:54:34 EST
Can you please check the changes applied in policy for Fedora 20+ and RHEL 7 ?

httpd_var_lib_t is not suitable for /var/lib/glpi as it doesn't allow creation of sub-directories (documents are uploaded in /var/lib/glpi/files/XXX/AA, XXX/AA being dynamically created, XXX=doc type, AA=part of sha1 of the file content)

So httpd_sys_rw_content_t is needed, as explained in the initial description.
Comment 7 Remi Collet 2014-11-07 07:40:45 EST
on RHEL-7

type=SYSCALL msg=audit(1415321544.448:900): arch=c000003e syscall=83 success=no exit=-13 a0=7fc8238fa2b8 a1=1ff a2=8 a3=0 items=0 ppid=11936 pid=11938 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1415321544.448:901): avc:  denied  { search } for  pid=11938 comm="httpd" name="files" dev="dm-1" ino=18198420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=dir
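The AVC line above already contains the diagnosis: httpd_t (source) is denied `search` on a directory whose target type is cron_var_lib_t, not the httpd type the file contexts should give /var/lib/glpi. The script below is an added example, not from the bug report or from any project, showing how to pull those fields out of an AVC record and decide whether the denial is a labeling problem (fix with restorecon or a file-context change) or a genuine policy gap. It runs offline on the AVC line from the comment, re-joined onto one line; the expected type passed to `avc_verdict` is an input the caller supplies.

```shell
#!/bin/sh
# Added example (not from the bug report): extract the relevant fields from
# an AVC denial and classify it. The sample line is the one quoted in the
# comment above, joined onto a single line.

AVC='type=AVC msg=audit(1415321544.448:901): avc:  denied  { search } for  pid=11938 comm="httpd" name="files" dev="dm-1" ino=18198420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=dir'

# Value of the key=value token named $2 in AVC line $1, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The denied permission, i.e. the word inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# Third colon-separated field of a security context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: "<source type> <perm> <target type> <class> (<name>)".
avc_summary() {
    printf '%s %s %s %s (%s)\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)"
}

# $1 = AVC line, $2 = type the file contexts should assign to the object.
# If the object's actual type differs, the denial is a labeling problem and
# the remedy is a relabel (restorecon) or a file-context fix; if the label is
# already correct, the policy itself lacks the rule.
avc_verdict() {
    actual=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo "mislabeled: got $actual, expected $2"
    else
        echo "label ok: policy gap"
    fi
}

avc_summary "$AVC"
avc_verdict "$AVC" httpd_var_lib_t
```

On a live host the same functions work on lines from `ausearch -m AVC` or from /var/log/audit/audit.log. Checking the target type against the expected label before reaching for an allow rule is what separates the relabel fix applied later in this bug (dropping the cron.fc entry) from an unnecessary policy widening.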
Comment 8 Remi Collet 2014-11-07 08:24:42 EST
More tries.

Fedora 21, everything works fine out of the box with httpd_var_lib_t

So the issue is only on RHEL-7, which still has cron_var_lib_t for /var/lib/glpi/files (it seems cron.fc hasn't been cleaned)


Do you want me to open a bug against selinux in RHEL-7 (so we can close this one) ?
Comment 9 Lukas Vrabec 2014-11-13 07:15:09 EST
commit fe6959d81b1ef7b747b310ee6d39e0d9c115d7c7
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Thu Nov 13 13:14:31 2014 +0100

    Remove label for /var/lib/glpi/ in cron policy. BZ(1033025)

Fixed in F20. This will be also included in rhel7.
Comment 10 Fedora Update System 2014-11-21 08:06:15 EST
selinux-policy-3.12.1-195.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-195.fc20
Comment 11 Fedora Update System 2014-11-22 07:45:33 EST
Package selinux-policy-3.12.1-195.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-195.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15552/selinux-policy-3.12.1-195.fc20
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2014-12-04 01:26:28 EST
selinux-policy-3.12.1-195.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
