Bug 1278269 - httpd_can_read_write_radicale boolean reset from 'on' to 'off' in upgrade from F21 to F23
Summary: httpd_can_read_write_radicale boolean reset from 'on' to 'off' in upgrade fro...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: All
OS: All
medium
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1278268
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-11-05 06:42 UTC by Adam Williamson
Modified: 2015-11-26 20:58 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-26 20:58:17 UTC
Type: Bug

Attachments (Terms of Use)

Description Adam Williamson 2015-11-05 06:42:11 UTC 
After working around https://bugzilla.redhat.com/show_bug.cgi?id=1278268 , radicale still does not start correctly, because it tries to create /var/lib/radicale/.config and is not allowed to:

[Wed Nov 04 22:36:37.590756 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 192.168.1.5:29639] PermissionError: [Errno 13] Permission denied: '/var/lib/radicale/.config'
[Wed Nov 04 22:36:39.260649 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639] mod_wsgi (pid=3056): Exception occurred processing WSGI script '/usr/share/radicale/radicale.wsgi'.
[Wed Nov 04 22:36:39.260683 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639] Traceback (most recent call last):
[Wed Nov 04 22:36:39.260720 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/__init__.py", line 332, in __call__
[Wed Nov 04 22:36:39.260724 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     user)
[Wed Nov 04 22:36:39.260739 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/__init__.py", line 547, in propfind
[Wed Nov 04 22:36:39.260742 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     environ["PATH_INFO"], content, collections, user)
[Wed Nov 04 22:36:39.261471 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/xmlutils.py", line 237, in propfind
[Wed Nov 04 22:36:39.261478 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     response = _propfind_response(path, collection, props, user)
[Wed Nov 04 22:36:39.261498 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/xmlutils.py", line 248, in _propfind_response
[Wed Nov 04 22:36:39.261501 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     collection_props = properties
[Wed Nov 04 22:36:39.261523 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/contextlib.py", line 66, in __exit__
[Wed Nov 04 22:36:39.261526 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     next(self.gen)
[Wed Nov 04 22:36:39.261540 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/storage/filesystem.py", line 131, in props
[Wed Nov 04 22:36:39.261543 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     self._create_dirs()
[Wed Nov 04 22:36:39.261554 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib/python3.4/site-packages/radicale/storage/filesystem.py", line 77, in _create_dirs
[Wed Nov 04 22:36:39.261557 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     os.makedirs(os.path.dirname(self._path))
[Wed Nov 04 22:36:39.261568 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261571 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261581 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261584 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261594 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 227, in makedirs
[Wed Nov 04 22:36:39.261600 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     makedirs(head, mode, exist_ok)
[Wed Nov 04 22:36:39.261612 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]   File "/usr/lib64/python3.4/os.py", line 237, in makedirs
[Wed Nov 04 22:36:39.261614 2015] [wsgi:error] [pid 3056:tid 140258197124864] [remote 72.143.234.5:29639]     mkdir(name, mode)
Comment 1 Adam Williamson 2015-11-05 06:47:09 UTC 
I'm thinking the problem is that /var/lib/radicale is owned by radicale.radicale but the script is running as httpd user? not really sure.
Comment 2 Juan Orti 2015-11-05 08:09:36 UTC 
It should run with radicale:radicale if you configured it like in the example /etc/httpd/conf.d/radicale.conf:

WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027

Please, make sure you have activated the SELinux boolean httpd_can_read_write_radicale:

setsebool -P httpd_can_read_write_radicale 1
Comment 3 Adam Williamson 2015-11-05 17:04:05 UTC 
Hmm. I had it right in radicale.conf , but getsebool shows the boolean as off, which is strange, because I'd previously turned it on:

[root@www srvad]# history | grep setseb
  787  setsebool -P httpd_can_read_write_radicale on

And indeed if I set it back to 'on', radicale starts working again.

somehow I guess SELinux flipped the boolean back to 'off' when I upgraded from F21 to F23? So re-assigning to something selinux-y...
Comment 4 Juan Orti 2015-11-05 19:45:40 UTC 
It's probably caused by the integration of the selinux policy in the main package, but I'm not sure why.
Comment 5 Juan Orti 2015-11-06 06:43:24 UTC 
Thinking more about it, the module is removed when the radicale-selinux is obsoleted and then re-installed, so that must be the cause of the booleans resetting to their defaults.
Comment 6 Miroslav Grepl 2015-11-09 08:28:29 UTC 
(In reply to Juan Orti from comment #5)
> Thinking more about it, the module is removed when the radicale-selinux is
> obsoleted and then re-installed, so that must be the cause of the booleans
> resetting to their defaults.

Ok so there was a radicale-selinux packcage, correct?
Comment 7 Juan Orti 2015-11-09 08:30:33 UTC 
Yes, I integrated the radicale-selinux package into the main radicale package.
Comment 8 Miroslav Grepl 2015-11-09 08:43:31 UTC 
Ok there needs to be an upgrade issue. I don't see how it could reset a default value of a boolean.
Comment 9 Daniel Walsh 2015-11-13 22:03:20 UTC 
Why is there a boolean?  I see no reason for this boolean, it would be better to fix this problem though labeling.
Comment 10 Miroslav Grepl 2015-11-20 13:25:08 UTC 
We added fixes to the policy spec file to keep local boolean modifications after upgrade.
Comment 11 Fedora Update System 2015-11-20 13:27:09 UTC 
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
Comment 12 Fedora Update System 2015-11-22 14:26:16 UTC 
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
Comment 13 Fedora Update System 2015-11-26 20:57:33 UTC 
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.