Description of problem:
The Varnish cache project has released varnish-4.0.0-beta1, and I have started looking into packaging it for Fedora and epel7, to be able to release varnish-4.0.0 with epel7. When starting varnishd on Fedora 19, SELinux croaks.

A scratch build of varnish-4.0.0-beta1 is available here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6695833

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-74.19.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install varnish-4.0.0-beta1
2. Start varnish with selinux in enforcing mode
3. Watch the logs

Actual results:
varnishd is not allowed to start

Expected results:
varnishd should be able to start

Additional info:
# rpm -q varnish
varnish-4.0.0-0.4.beta1.fc19.x86_64
# tail -f /var/log/audit/audit.log &
# systemctl start varnish.service
type=AVC msg=audit(1396358466.210:12278): avc: denied { chown } for pid=27000 comm="varnishd" capability=0 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability
type=SYSCALL msg=audit(1396358466.210:12278): arch=c000003e syscall=93 success=no exit=-1 a0=7 a1=3e1 a2=3dd a3=7fff0403fec0 items=0 ppid=1 pid=27000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="varnishd" exe="/usr/sbin/varnishd" subj=system_u:system_r:varnishd_t:s0 key=(null)
Job for varnish.service failed. See 'systemctl status varnish.service' and 'journalctl -xn' for details.
type=SERVICE_START msg=audit(1396358466.288:12279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="varnish" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

[root@yum ~]# systemctl status varnish.service
varnish.service - Varnish a high-perfomance HTTP accelerator
   Loaded: loaded (/usr/lib/systemd/system/varnish.service; disabled)
   Active: failed (Result: exit-code) since ti. 2014-04-01 15:21:06 CEST; 13s ago
  Process: 27000 ExecStart=/usr/sbin/varnishd -P /var/run/varnish.pid -f $VARNISH_VCL_CONF -a ${VARNISH_LISTEN_ADDRESS}:${VARNISH_LISTEN_PORT} -T ${VARNISH_ADMIN_LISTEN_ADDRESS}:${VARNISH_ADMIN_LISTEN_PORT} -t $VARNISH_TTL -u $VARNISH_USER -g $VARNISH_GROUP -S $VARNISH_SECRET_FILE -s $VARNISH_STORAGE $DAEMON_OPTS (code=exited, status=2)
 Main PID: 31259 (code=exited, status=2)
   CGroup: name=systemd:/system/varnish.service

april 01 15:21:06 yum.linpro.no varnishd[27000]: Running VCC-compiler failed, exit 1
april 01 15:21:06 yum.linpro.no varnishd[27000]: VCL compilation failed
april 01 15:21:06 yum.linpro.no systemd[1]: varnish.service: control process exited, code=exited status=2
april 01 15:21:06 yum.linpro.no systemd[1]: Failed to start Varnish a high-perfomance HTTP accelerator.
april 01 15:21:06 yum.linpro.no systemd[1]: Unit varnish.service entered failed state.

[root@yum ~]# journalctl -xn
-- Logs begin at ti. 2014-01-07 17:46:19 CET, end at ti. 2014-04-01 15:21:06 CEST. --
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: SetroubleshootdClientConnectionHandler.default_request_handler: rpc_id=8 type=method {<?xml version="1.0" encoding="utf-
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [395B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: lookup_signature: found 1 matches with scores 1.00
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: find_filter_by_username ingvar
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [166B blob data]
april 01 15:21:06 yum.linpro.no setroubleshoot[31519]: [170B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [282B blob data]
april 01 15:21:06 yum.linpro.no /usr/bin/sealert[31516]: [318B blob data]
april 01 15:21:06 yum.linpro.no python[31519]: [459B blob data]
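The AVC record in the report is the whole story for the policy maintainer: source context, target context, object class and the denied permission set. As an added example (not code from the bug report, from Varnish, or from the selinux-policy project), the Python below parses such records the way `audit2allow` does, skips the SYSCALL and SERVICE_START records that share the same audit serial, and folds the denials into the minimal type-enforcement allow rules they would need. It goes slightly beyond the single record on this page: several denials for the same (source, target, class) triple are merged into one rule with a permission set, and a denial whose source and target contexts match (as with the `capability` class here) is written against `self`. The sample log is constructed from the audit lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the three audit records quoted in the bug report,
# including the two non-AVC records a parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396358466.210:12278): avc: denied { chown } for pid=27000 comm="varnishd" capability=0 scontext=system_u:system_r:varnishd_t:s0 tcontext=system_u:system_r:varnishd_t:s0 tclass=capability
type=SYSCALL msg=audit(1396358466.210:12278): arch=c000003e syscall=93 success=no exit=-1 a0=7 a1=3e1 a2=3dd a3=7fff0403fec0 items=0 ppid=1 pid=27000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="varnishd" exe="/usr/sbin/varnishd" subj=system_u:system_r:varnishd_t:s0 key=(null)
type=SERVICE_START msg=audit(1396358466.288:12279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="varnish" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

# Real audit.log output usually has two spaces around "denied"; \s+ covers both.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }


def context_type(ctx):
    """user:role:type:level -> type, the component a TE allow rule names."""
    return ctx.split(':')[2]


def allow_rules(log_text):
    """Aggregate AVC denials into the minimal allow rules that would permit them."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = context_type(rec['scontext'])
        tgt = context_type(rec['tcontext'])
        # A process acting on its own context (capabilities, signals, ...) is
        # written as "self" in policy rather than repeating the type.
        target = 'self' if src == tgt else tgt
        needed[(src, target, rec['tclass'])].update(rec['perms'])
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if len(perms) > 1 else f"allow {src} {tgt}:{cls} {next(iter(perms))};"
        for (src, tgt, cls), perms in needed.items()
    )


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run on the sample it prints `allow varnishd_t self:capability chown;`, which is exactly the scope of the policy change this report asked for. The value of doing this yourself rather than pasting the rule blindly is the review step the output invites: a capability grant to a daemon's own domain is narrow, whereas a generated rule against `unconfined_t` or a broad file type would be a sign that the denial should be fixed in the program or its labelling instead.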
commit 6d57ff778e441927d361d3b6ca1077f99d723574
Author: Miroslav Grepl <mgrepl>
Date:   Wed Apr 2 12:30:32 2014 +0200

    varnishd wants chown capability
A little background: The reason for the need to chown is that the top varnishd process starts as root, but forks off unprivileged worker and compiler children, which need tempfiles.

cat -n varnish-4.0.0-beta1/bin/varnishd/mgt/mgt_vcc.c
(...)
   241		/* Create temporary C source file */
   242		sfd = VFIL_tmpfile(sf);
   243		if (sfd < 0) {
   244			VSB_printf(sb, "Failed to create %s: %s", sf, strerror(errno));
   245			return (NULL);
   246		}
   247		(void)fchown(sfd, mgt_param.uid, mgt_param.gid);
   248		AZ(close(sfd));
(...)
   275		i = open(of, O_WRONLY|O_CREAT|O_TRUNC, 0600);
   276		if (i < 0) {
   277			VSB_printf(sb, "Failed to create %s: %s",
   278			    of, strerror(errno));
   279			(void)unlink(sf);
   280			return (NULL);
   281		}
   282		(void)fchown(i, mgt_param.uid, mgt_param.gid);
   283		AZ(close(i));
selinux-policy-3.12.1-74.26.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.26.fc19
Package selinux-policy-3.12.1-74.26.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.26.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6075/selinux-policy-3.12.1-74.26.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.26.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.