Description of problem:
SELinux prevents the apcupsd cgi scripts from working
Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-149.fc20
apcupsd-cgi-3.14.10-13.fc20
How reproducible:
Always with SELinux enabled
Steps to Reproduce:
1. Install httpd, apcupsd and apcupsd-cgi
2. Start the apcupsd (systemctl start apcupsd)
3. Restart httpd
4. Load http://localhost/apcupsd
Actual results:
500 Internal Server Error (in error logs: "End of script output before headers: upsstats.cgi")
Expected results:
UPS status page should be displayed.
Additional info:
audit2allow shows some of the denials, but not all (some are dontaudit). In order to enable the CGI to function correctly, the following needs to be added to the current SELinux policy (after running semodule -DB and setenforce 0):
allow httpd_t httpd_apcupsd_cgi_script_t:process signull;
allow httpd_apcupsd_cgi_script_t httpd_t:unix_stream_socket { getattr read write };
NOTE: the error above appears when using mod_cgid (using apache worker threads), I didn't try under mod_cgi.
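An added example, not part of the original report: a minimal audit2allow-style pass over AVC records of the kind that become visible once dontaudit rules are disabled with semodule -DB, aggregated into the two allow rules quoted above. The audit records (timestamps, pids, inode numbers) are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the report). They model
# the denials described above: httpd_t probing the CGI process with signull,
# and the CGI using the unix stream socket inherited from the httpd side.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1397460000.101:501): avc:  denied  { signull } for  pid=2101 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_apcupsd_cgi_script_t:s0 tclass=process
type=AVC msg=audit(1397460000.102:502): avc:  denied  { read write } for  pid=2150 comm="upsstats.cgi" path="socket:[34567]" dev="sockfs" ino=34567 scontext=system_u:system_r:httpd_apcupsd_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1397460000.103:503): avc:  denied  { getattr } for  pid=2150 comm="upsstats.cgi" path="socket:[34567]" dev="sockfs" ino=34567 scontext=system_u:system_r:httpd_apcupsd_cgi_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1397460000.103:503): arch=c000003e syscall=5 success=no exit=-13 comm="upsstats.cgi"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL and other non-AVC records carry no permissions
        key = (context_type(match["scon"]), context_type(match["tcon"]), match["tclass"])
        denials[key].update(match["perms"].split())
    return denials

def format_rules(denials):
    """Render the grouped denials as policy allow rules, one per key."""
    rules = []
    for (source, target, tclass), perms in sorted(denials.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(format_rules(collect_denials(SAMPLE_AUDIT_LOG))))
```

Rules generated this way describe what was denied, not what should be allowed; each one still needs review against what the domain legitimately requires before it goes into a local module.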
commit 17029ce9ef7538adb4166edd6feaba3efb6c9826
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 14 09:12:14 2014 +0200
    Allow httpd to send signull to apache script domains and don't audit leaks
selinux-policy-3.12.1-158.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-158.fc20
Package selinux-policy-3.12.1-158.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-158.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5660/selinux-policy-3.12.1-158.fc20
then log in and leave karma (feedback).
Tried the new selinux-policy, the process signull appears fixed, but I'm still getting denials on the unix_stream_socket (still only visible with semodule -DB).
Still need to add the following to get the cgi to work with mod_{f}cgid:
allow httpd_apcupsd_cgi_script_t httpd_t:unix_stream_socket { getattr read write };
selinux-policy-3.12.1-158.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Not sure why this was closed. As comment #4 describes, -158 didn't entirely fix the issue.
Scott, does the app not work now? I.e., does the apcupsd_cgi script really need access to the unix_stream_socket?
I still get 500 Internal Server Error with the policy above. Did you test with mod_{f}cgid or just mod_cgi? I think the daemon cgi mods communicate with the application via sockets (mod_cgid uses ScriptSock, mod_fcgid uses sockets created in FcgidIPCDir), so stdin/stdout are probably attached to the sockets.
commit 3ebfa1e06eb8b5fa56e5d21260e3c613c8a3a4f0 fixes this in git.
Backported.
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Excellent! 3.12.1-161 works perfectly.
Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.