Bug 1310297 - SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file mirdesign.sock-0.
SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_f...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: lighttpd (Show other bugs)
23
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Gwyn Ciesla
Fedora Extras Quality Assurance
abrt_hash:abde6c036fc7778dc0b1e796f98...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-20 00:46 EST by Guillaume Poirier-Morency
Modified: 2016-06-28 14:00 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-28 14:00:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch for lighttpd.conf (95 bytes, text/plain)
2016-02-22 21:12 EST, Guillaume Poirier-Morency
no flags Details

  None (edit)
Description Guillaume Poirier-Morency 2016-02-20 00:46:39 EST
Description of problem:
Lighttpd should be allowed to create socket in /var/lib/lighttpd/sockets.
SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file mirdesign.sock-0.

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que lighttpd devrait être autorisé à accéder create sur mirdesign.sock-0 sock_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep lighttpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_var_lib_t:s0
Target Objects                mirdesign.sock-0 [ sock_file ]
Source                        lighttpd
Source Path                   /usr/sbin/lighttpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.5-300.fc23.x86_64 #1 SMP Mon
                              Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-02-20 00:35:38 EST
Last Seen                     2016-02-20 00:42:54 EST
Local ID                      88228f11-e43a-4409-b59e-2e5fe3998043

Raw Audit Messages
type=AVC msg=audit(1455946974.142:970): avc:  denied  { create } for  pid=1962 comm="lighttpd" name="mirdesign.sock-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(1455946974.142:970): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7ffe385e5100 a2=2c a3=ffffffff items=0 ppid=1 pid=1962 auid=4294967295 uid=970 gid=967 euid=970 suid=970 fsuid=970 egid=967 sgid=967 fsgid=967 tty=(none) ses=4294967295 comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: lighttpd,httpd_t,httpd_var_lib_t,sock_file,create


Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 1 Daniel Walsh 2016-02-20 05:47:04 EST
No reason to block this, although sock files should really go under /run rather then in /var/lib.
Comment 2 Guillaume Poirier-Morency 2016-02-20 09:53:11 EST
In the default configuration, sockets end-up in home_dir + "/sockets" rather that state_dir + "/sockets".

SELinux seems fine for sockets in /var/run/lighttpd/sockets.
Comment 3 Daniel Walsh 2016-02-22 17:04:46 EST
Right so we should fix lighttpd to put its sockets into /run by default.
Comment 4 Guillaume Poirier-Morency 2016-02-22 21:12 EST
Created attachment 1129597 [details]
Patch for lighttpd.conf
Comment 5 Guillaume Poirier-Morency 2016-02-22 21:13:49 EST
That's the best thing to do!
Comment 6 Lukas Vrabec 2016-02-25 09:22:54 EST
Hi, 
As Dan wrote, this is more lighttpd issue then SELinux policy issue. Could you move sockets into /run by default? 

Thank you!.
Comment 7 Guillaume Poirier-Morency 2016-02-27 16:16:57 EST
Just a rectification, sockets should end-up in '/run/lighttpd/sockets' and I would advise to move 'lighttpd.pid' in '/run/lighttpd' for more consistency.

Note You need to log in before you can comment on or make changes to this bug.