Bug 1299552 - SELinux prevents lighttpd from fstat()-ing inotifyfs
Summary: SELinux prevents lighttpd from fstat()-ing inotifyfs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-18 15:37 UTC by Milos Malik
Modified: 2017-03-21 09:45 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.7.19-294.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 09:45:03 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0627 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-03-21 12:29:23 UTC

Description Milos Malik 2016-01-18 15:37:43 UTC 
Description of problem:
 * when gam_server is installed and lighttpd is configured to use "fam" then at least 1 SELinux denials appears

Version-Release number of selected component (if applicable):
gamin-0.1.10-9.el6.x86_64
lighttpd-1.4.39-1.el6.x86_64
selinux-policy-3.7.19-287.el6.noarch
selinux-policy-doc-3.7.19-287.el6.noarch
selinux-policy-minimum-3.7.19-287.el6.noarch
selinux-policy-mls-3.7.19-287.el6.noarch
selinux-policy-targeted-3.7.19-287.el6.noarch

How reproducible:
always

Steps to Reproduce:
# grep "server.*fam" /etc/lighttpd/lighttpd.conf 
server.stat-cache-engine = "fam"
# service lighttpd start
# search for SELinux denials

Actual results (enforcing mode):
----
type=SYSCALL msg=audit(01/18/2016 15:25:42.640:669) : arch=x86_64 syscall=fstat success=no exit=-13(Permission denied) a0=0x4 a1=0x7fff7a5f6a90 a2=0x7fff7a5f6a90 a3=0x6 items=0 ppid=1 pid=29163 auid=root uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=1 comm=gam_server exe=/usr/libexec/gam_server subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2016 15:25:42.640:669) : avc:  denied  { getattr } for  pid=29163 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=SYSCALL msg=audit(01/18/2016 15:50:33.956:991) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffde167f5c0 a2=0x7ffde167f5c0 a3=0x6 items=0 ppid=1 pid=19743 auid=root uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=1 comm=gam_server exe=/usr/libexec/gam_server subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/18/2016 15:50:33.956:991) : avc:  denied  { getattr } for  pid=19743 comm=gam_server path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir 
----

Expected results:
 * no SELinux denials
Comment 5 errata-xmlrpc 2017-03-21 09:45:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html
Note You need to log in before you can comment on or make changes to this bug.