Bug 1083111 - Upcoming varnish-4.0.0 release needs changes in selinux policy
Upcoming varnish-4.0.0 release needs changes in selinux policy
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Linux
unspecified Severity low
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-01 09:46 EDT by Ingvar Hagelund
Modified: 2014-06-26 22:22 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.26.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-26 22:22:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ingvar Hagelund 2014-04-01 09:46:41 EDT
Description of problem:
The Varnish cache project has released varnish-4.0.0-beta1, and I have started looking into packaging it for fedora and epel7, to be able to release varnish-4.0.0 with epel7.

When starting varnishd on fedora 19, selinux croaks
A scratch build of varnish-4.0.0-beta1 is available here:

http://koji.fedoraproject.org/koji/taskinfo?taskID=6695833

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.19.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install varnish-4.0.0-beta1
2. Start varnish with selinux in enforcing mode
3. Watch the logs

Actual results:
varnishd is not allowed to start

Expected results:
varnishd should be able to start

Additional info:

# rpm -q varnish
varnish-4.0.0-0.4.beta1.fc19.x86_64

# tail -f /var/log/audit/audit.log &

# systemctl start varnish.service
type=AVC msg=audit(1396358466.210:12278): avc:  denied  { chown } for  pid=27000 comm="varnishd" capability=0  scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability
type=SYSCALL msg=audit(1396358466.210:12278): arch=c000003e syscall=93 success=no exit=-1 a0=7 a1=3e1 a2=3dd a3=7fff0403fec0 items=0 ppid=1 pid=27000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="varnishd" exe="/usr/sbin/varnishd" subj=system_u:system_r:varnishd_t:s0 key=(null)
Job for varnish.service failed. See 'systemctl status varnish.service' and 'journalctl -xn' for details.
type=SERVICE_START msg=audit(1396358466.288:12279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="varnish" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

[root@yum ~]# systemctl status varnish.service
varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled)
   Active: failed (Result: exit-code) since ti. 2014-04-01 15:21:06 CEST; 13s ago
  Process: 27000 ExecStart=/usr/sbin/varnishd -P /var/run/varnish.pid -f $VARNISH_VCL_CONF -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} -t $VARNISH_TTL -u $VARNISH_USER -g $VARNISH_GROUP -S $VARNISH_SECRET_FILE -s $VARNISH_STORAGE $DAEMON_OPTS (code=exited, status=2)
 Main PID: 31259 (code=exited, status=2)
   CGroup: name=systemd:/system/varnish.service

april 01 15:21:06 yum.linpro.no varnishd[27000]: Running VCC-compiler failed, exit 1
april 01 15:21:06 yum.linpro.no varnishd[27000]: VCL compilation failed
april 01 15:21:06 yum.linpro.no systemd[1]: varnish.service: control process exited, code=exited status=2
april 01 15:21:06 yum.linpro.no systemd[1]: Failed to start Varnish a high-perfomance HTTP accelerator.
april 01 15:21:06 yum.linpro.no systemd[1]: Unit varnish.service entered failed state.

[root@yum ~]# journalctl -xn
-- Logs begin at ti. 2014-01-07 17:46:19 CET, end at ti. 2014-04-01 15:21:06 CEST. --
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: SetroubleshootdClientConnectionHandler.default_request_handler: rpc_id=8 type=method {<?xml version="1.0" encoding="utf-
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: lookup_signature: found 1 matches with scores 1.00
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: find_filter_by_username ingvar
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [166B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [170B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [282B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [318B blob data]
april 01 15:21:06 yum.linpro.no python[31519]: [459B blob data]
Comment 1 Miroslav Grepl 2014-04-02 06:31:16 EDT
commit 6d57ff778e441927d361d3b6ca1077f99d723574
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Apr 2 12:30:32 2014 +0200

    varnishd wants chown capability
Comment 2 Ingvar Hagelund 2014-04-02 07:01:26 EDT
A little background:

The reason for the need to chown is that the top varnishd process starts as root, but forks off unprivileged worker and compiler children, which needs tempfiles.

cat -n varnish-4.0.0-beta1/bin/varnishd/mgt/mgt_vcc.c
 
   (...)
 
   241          /* Create temporary C source file */
   242          sfd = VFIL_tmpfile(sf);
   243          if (sfd < 0) {
   244                  VSB_printf(sb, "Failed to create %s: %s", sf, strerror(errno));
   245                  return (NULL);
   246          }
   247          (void)fchown(sfd, mgt_param.uid, mgt_param.gid);
   248          AZ(close(sfd));
 
   (...)
 
   275          i = open(of, O_WRONLY|O_CREAT|O_TRUNC, 0600);
   276          if (i < 0) {
   277                  VSB_printf(sb, "Failed to create %s: %s",
   278                      of, strerror(errno));
   279                  (void)unlink(sf);
   280                  return (NULL);
   281          }
   282          (void)fchown(i, mgt_param.uid, mgt_param.gid);
   283          AZ(close(i));
Comment 3 Fedora Update System 2014-05-07 12:25:45 EDT
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
Comment 4 Fedora Update System 2014-05-08 05:59:17 EDT
Package selinux-policy-3.12.1-74.26.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.26.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6075/selinux-policy-3.12.1-74.26.fc19
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2014-06-26 22:22:59 EDT
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.