The GLPI package (webapp) is in the Fedora repository and provides an SELinux policy. Currently:

    semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_sysconfdir}/%{name}(/.*)?"
    semanage fcontext -a -s system_u -t httpd_sys_content_t -r s0 "%{_datadir}/%{name}(/.*)?"
    semanage fcontext -a -s system_u -t httpd_log_t -r s0 "%{_localstatedir}/log/%{name}(/.*)?"
    semanage fcontext -a -s system_u -t httpd_sys_rw_content_t -r s0 "%{_localstatedir}/lib/%{name}(/.*)?"

/etc/glpi must be writable, as the configuration is generated by the web UI.
/usr/share/glpi is the application.
/var/lib/glpi must be writable; this directory is used to save various files (httpd_var_lib_t is not suitable as it prevents sub-directory creation).
/var/log/glpi is for the application log.

Having those policies included in the default policy will avoid having to run semanage and restorecon in the scriptlet.

Is it possible to also include them in the RHEL policy? (GLPI is in EPEL)
Ok I just added

+/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)

1f5d06e7894758fbd7394cd373a6c411a8cfef12 patch in git.

Why is glpi writing to /etc/glpi? Can't this be written in /var/lib/glpi?
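Review bot: the /var/lib/glpi entry in this hunk assigns httpd_var_lib_t, but the request in comment #0 asks for httpd_sys_rw_content_t on that directory precisely because httpd_var_lib_t does not allow sub-directory creation under it, and the package writes files into dynamically created sub-directories; consider `+/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` here, or confirm that sub-directory creation works with httpd_var_lib_t before keeping this line.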
(In reply to Daniel Walsh from comment #1)

Thanks

> Why is glpi writing to /etc/glpi? Can't this be written in /var/lib/glpi?

These are some configuration files (database credentials, ...), but which are created from the web UI.
From a comment on bug #1032995, I notice there is already a policy on /var/lib/glpi/files (cron_var_lib_t).

I ran some tests on RHEL-6:

    # ll -aZ /var/lib/glpi/files/_cron/
    drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
    drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 ..
    -rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092017
    -rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092201

The test-20131122-092017 file was created from an action triggered from the web UI.
The test-20131122-092201 file was created from a cron action.

Same tests on Fedora 19:

    # ll -aZ /var/lib/glpi/files/_cron/
    drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
    drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 ..
    -rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-093120
    -rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-093401

The test-20131122-093120 file was created from an action triggered from the web UI.
The test-20131122-093401 file was created from a cron action.

Can you please drop the policy on /var/lib/glpi/files (to be sure the policy on /var/lib/glpi will apply)?
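As an added illustration (not code from the GLPI package or from the selinux-policy tree), the following Python models how the four file-context entries from comment #1 are matched against a path, and why an extra, more specific entry for /var/lib/glpi/files takes precedence over the /var/lib/glpi entry. It applies the last-match-wins rule of a compiled file_contexts file together with a simplified version of fc_sort's stem ordering (longer literal prefix sorts later); both are approximations of the real libselinux behaviour, not a reimplementation. The exact text of the cron.fc line is not on the page (only its path and type are), so the CRON_FC entry below is an assumed reconstruction.

```python
import re
from dataclasses import dataclass

# The four entries from the patch in comment #1 (leading '+' kept as in the diff).
APACHE_FC = """
+/etc/glpi(/.*)?        gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/glpi(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/glpi(/.*)?    gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/log/glpi(/.*)?    gen_context(system_u:object_r:httpd_log_t,s0)
"""

# ASSUMED form of the cron.fc entry for /var/lib/glpi/files mentioned in comment #3;
# the page gives only the path and the type (cron_var_lib_t), not the exact line.
CRON_FC = "/var/lib/glpi/files(/.*)?  gen_context(system_u:object_r:cron_var_lib_t,s0)\n"


@dataclass
class FcSpec:
    regex: str      # path regex; file_contexts regexes are implicitly anchored at both ends
    context: str    # user:role:type:level


FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:-[-a-z]\s+)?"         # path regex, optional file-type flag (-d, --, ...)
    r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)\s*$"
)


def parse_fc(text):
    """Parse .fc-style lines into FcSpec records, skipping blanks and comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.lstrip("+").strip()            # tolerate diff-style '+' prefixes
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable .fc line: {line!r}")
        specs.append(FcSpec(m.group("regex"), f"{m.group('ctx')}:{m.group('level')}"))
    return specs


def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter (the spec's 'stem')."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", regex)
    return len(regex) if m is None else m.start()


def sort_specs(specs):
    """Simplified fc_sort: longer (more specific) stems sort later; stable for equal stems."""
    return sorted(specs, key=lambda s: stem_len(s.regex))


def label_for(specs, path):
    """Context assigned to path by the sorted specs, or None; the last matching entry wins."""
    winner = None
    for spec in sort_specs(specs):
        if re.fullmatch(spec.regex, path):
            winner = spec
    return None if winner is None else winner.context


def type_for(specs, path):
    """Just the SELinux type component of label_for()."""
    ctx = label_for(specs, path)
    return None if ctx is None else ctx.split(":")[2]


if __name__ == "__main__":
    path = "/var/lib/glpi/files/_cron/test-20131122-092201"
    print("with the cron.fc entry:   ", type_for(parse_fc(APACHE_FC + CRON_FC), path))
    print("without the cron.fc entry:", type_for(parse_fc(APACHE_FC), path))
```

Running it shows the file under /var/lib/glpi/files landing in cron_var_lib_t while the cron.fc entry is present and in httpd_var_lib_t once it is dropped, which is the situation the two listings above and the later RHEL-7 denial describe. On a real system the equivalent check is `matchpathcon /var/lib/glpi/files/_cron`.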
(In reply to Remi Collet from comment #3)
> Can you please drop the policy on /var/lib/glpi/files (to be sure the policy
> on /var/lib/glpi will apply) ?

This is in the cron.fc file.
Ok that should be eliminated and we need to allow crond to write to the apache content.
Can you please check the changes applied in the policy for Fedora 20+ and RHEL 7?

httpd_var_lib_t is not suitable for /var/lib/glpi as it doesn't allow creation of sub-directories (documents are uploaded in /var/lib/glpi/files/XXX/AA, XXX/AA being dynamically created, XXX = doc type, AA = part of the sha1 of the file content).

So httpd_sys_rw_content_t is needed, as explained in the initial description.
On RHEL-7:

    type=SYSCALL msg=audit(1415321544.448:900): arch=c000003e syscall=83 success=no exit=-13 a0=7fc8238fa2b8 a1=1ff a2=8 a3=0 items=0 ppid=11936 pid=11938 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1415321544.448:901): avc: denied { search } for pid=11938 comm="httpd" name="files" dev="dm-1" ino=18198420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=dir
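As an added triage example (not code from the thread, from GLPI or from the audit tooling), the following Python parses the AVC record above into its fields, parses the `ll -aZ` listing from comment #3, and reports entries whose type differs from the type the httpd policy is expected to assign. This is the kind of check that tells a maintainer whether a denial comes from a mislabeled file (fixable with restorecon) or, as here, from the policy's own file_contexts assigning a type the httpd domain cannot search. The sample inputs are the page's own records, re-wrapped one per line, and are labelled as constructed samples in the code.

```python
import re

# Constructed sample: the two audit records from the RHEL-7 comment above, one per line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1415321544.448:900): arch=c000003e syscall=83 success=no exit=-13 a0=7fc8238fa2b8 a1=1ff a2=8 a3=0 items=0 ppid=11936 pid=11938 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1415321544.448:901): avc:  denied  { search } for  pid=11938 comm="httpd" name="files" dev="dm-1" ino=18198420 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=dir
"""

# Constructed sample: the RHEL-6 'll -aZ /var/lib/glpi/files/_cron/' listing from comment #3.
SAMPLE_LS_Z = """\
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-x---. apache root   system_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092017
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 test-20131122-092201
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"

LS_Z_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}[.+]?)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<ctx>[^:\s]+:[^:\s]+:[^:\s]+:\S+)\s+(?P<name>.+)$"
)


def parse_avc(line):
    """Parse one 'type=AVC' audit record into a dict; other record types return None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["source_type"] = rec["scontext"].split(":")[2]   # domain of the process (httpd_t)
    rec["target_type"] = rec["tcontext"].split(":")[2]   # label of the object (cron_var_lib_t)
    return rec


def denials(text):
    """All denied AVC records in an audit.log excerpt."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r and r["verdict"] == "denied"]


def parse_ls_z(text):
    """Parse 'ls -Z' style lines into dicts with name, owner, SELinux user and type."""
    entries = []
    for line in text.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m is None:
            continue
        user, _role, stype, _level = m.group("ctx").split(":", 3)
        entries.append({"name": m.group("name"), "owner": m.group("owner"),
                        "user": user, "type": stype, "context": m.group("ctx")})
    return entries


def mislabeled(entries, expected_type):
    """Names of listing entries whose type is not the expected one."""
    return [e["name"] for e in entries if e["type"] != expected_type]


def label_mismatch(rec, expected_type):
    """True when the denied object's actual type differs from the type the policy should assign."""
    return rec["target_type"] != expected_type


def explain(rec, expected_type):
    """One-line triage summary of a denial against the expected label."""
    verdict = "label mismatch" if label_mismatch(rec, expected_type) else "label as expected"
    return (f'{rec.get("comm", "?")} ({rec["source_type"]}) denied {"/".join(rec["perms"])} on '
            f'{rec["tclass"]} "{rec.get("name", "?")}" labeled {rec["target_type"]}; '
            f'expected {expected_type}: {verdict}')


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT):
        print(explain(rec, "httpd_sys_rw_content_t"))
    print("mislabeled entries:", mislabeled(parse_ls_z(SAMPLE_LS_Z), "httpd_sys_rw_content_t"))
```

For the record above the summary reports a label mismatch on the "files" directory (cron_var_lib_t where an httpd type is expected), while the RHEL-6 listing has no mislabeled entries, matching the thread's conclusion that the remaining problem is the cron.fc entry rather than stale labels on disk.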
More tries. On Fedora 21, everything works fine out of the box with httpd_var_lib_t.

So the issue is only on RHEL-7, which still has cron_var_lib_t for /var/lib/glpi/files (it seems cron.fc hasn't been cleaned).

Do you want me to open a bug against selinux in RHEL-7 (so we can close this one)?
commit fe6959d81b1ef7b747b310ee6d39e0d9c115d7c7
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 13 13:14:31 2014 +0100

    Remove label for /var/lib/glpi/ in cron policy.
    BZ(1033025)

Fixed in F20. This will be also included in rhel7.
selinux-policy-3.12.1-195.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-195.fc20
Package selinux-policy-3.12.1-195.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-195.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15552/selinux-policy-3.12.1-195.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-195.fc20 has been pushed to the Fedora 20 stable repository.
If problems still persist, please make note of it in this bug report.