Bug 1310297 - SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file mirdesign.sock-0.
Summary: SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_f...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: lighttpd
Version: 23
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:abde6c036fc7778dc0b1e796f98...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-20 05:46 UTC by Guillaume Poirier-Morency
Modified: 2016-06-28 18:00 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-06-28 18:00:46 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Patch for lighttpd.conf (95 bytes, text/plain)
2016-02-23 02:12 UTC, Guillaume Poirier-Morency
no flags Details

Description Guillaume Poirier-Morency 2016-02-20 05:46:39 UTC
Description of problem:
Lighttpd should be allowed to create socket in /var/lib/lighttpd/sockets.
SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file mirdesign.sock-0.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que lighttpd devrait être autorisé à accéder create sur mirdesign.sock-0 sock_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep lighttpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_var_lib_t:s0
Target Objects                mirdesign.sock-0 [ sock_file ]
Source                        lighttpd
Source Path                   /usr/sbin/lighttpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.5-300.fc23.x86_64 #1 SMP Mon
                              Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-02-20 00:35:38 EST
Last Seen                     2016-02-20 00:42:54 EST
Local ID                      88228f11-e43a-4409-b59e-2e5fe3998043

Raw Audit Messages
type=AVC msg=audit(1455946974.142:970): avc:  denied  { create } for  pid=1962 comm="lighttpd" name="mirdesign.sock-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1455946974.142:970): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7ffe385e5100 a2=2c a3=ffffffff items=0 ppid=1 pid=1962 auid=4294967295 uid=970 gid=967 euid=970 suid=970 fsuid=970 egid=967 sgid=967 fsgid=967 tty=(none) ses=4294967295 comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: lighttpd,httpd_t,httpd_var_lib_t,sock_file,create


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 1 Daniel Walsh 2016-02-20 10:47:04 UTC
No reason to block this, although sock files should really go under /run rather then in /var/lib.

Comment 2 Guillaume Poirier-Morency 2016-02-20 14:53:11 UTC
In the default configuration, sockets end-up in home_dir + "/sockets" rather that state_dir + "/sockets".

SELinux seems fine for sockets in /var/run/lighttpd/sockets.

Comment 3 Daniel Walsh 2016-02-22 22:04:46 UTC
Right so we should fix lighttpd to put its sockets into /run by default.

Comment 4 Guillaume Poirier-Morency 2016-02-23 02:12:51 UTC
Created attachment 1129597 [details]
Patch for lighttpd.conf

Comment 5 Guillaume Poirier-Morency 2016-02-23 02:13:49 UTC
That's the best thing to do!

Comment 6 Lukas Vrabec 2016-02-25 14:22:54 UTC
Hi, 
As Dan wrote, this is more lighttpd issue then SELinux policy issue. Could you move sockets into /run by default? 

Thank you!.

Comment 7 Guillaume Poirier-Morency 2016-02-27 21:16:57 UTC
Just a rectification, sockets should end-up in '/run/lighttpd/sockets' and I would advise to move 'lighttpd.pid' in '/run/lighttpd' for more consistency.


Note You need to log in before you can comment on or make changes to this bug.