Bug 138614 - types needed that allow for example mod_python to write to a specified file
Summary: types needed that allow for example mod_python to write to a specified file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-11-10 09:07 UTC by Noa Resare
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-12-02 17:13:59 UTC
Type: ---
Embargoed:


Attachments
mod_python config file (508 bytes, text/plain)
2004-11-10 09:19 UTC, Noa Resare

Description Noa Resare 2004-11-10 09:07:46 UTC
User-Agent:       
Build Identifier: 

I try to get a mod_python application that needs write access to certain files
to work with the targeted policy in fc3. I have tried to set the file type to
httpd_sys_script_rw_t as described in
http://people.redhat.com/walters/selinux-apache-en/using-other-types.html but
since mod_python scripts are run in the httpd_t scontext and not
httpd_sys_script_t that still gives me a syslog message like this:

Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc:  denied  { write } for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

Reproducible: Always
Steps to Reproduce:
1. Try to run a mod_python program that needs to write to files. My example is
MoinMoin installed in /opt/www/wiki with the attached configuration
Actual Results:
Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc:  denied  { write } for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

Expected Results:  
The same as I get when I have run 'setenforce 0', a working wiki app

I suppose this applies to mod_perl as well, but I haven't tried.

Comment 1 Noa Resare 2004-11-10 09:19:50 UTC
Created attachment 106399 [details]
mod_python config file

Comment 2 Russell Coker 2004-11-10 14:24:35 UTC
The syslog entry indicates that the file type was not changed to
httpd_sys_script_rw_t.

But it seems that write access to httpd_sys_script_rw_t is not
granted for httpd_t.  I think that we should enable such access.

Comment 3 Daniel Walsh 2004-11-11 13:44:28 UTC
Fixed in selinux-policy-targeted-1.17.30-2.23

Available on ftp://people.redhat.com/dwalsh/SELinux/FC3

Comment 4 James Laska 2004-12-02 17:13:59 UTC
Appears to be resolved in selinux-policy-targeted-1.17.30-2.35

/etc/selinux/targeted/src/policy/policy.conf:5759:allow httpd_t httpd_sys_script_rw_t:dir { read getattr lock search ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5761:allow httpd_t httpd_sys_script_rw_t:file { read getattr lock ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5763:allow httpd_t httpd_sys_script_rw_t:lnk_file { getattr read };
/etc/selinux/targeted/src/policy/policy.conf:6839:allow httpd_t httpd_sys_script_rw_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
/etc/selinux/targeted/src/policy/policy.conf:6841:allow httpd_t httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append link unlink rename };
/etc/selinux/targeted/src/policy/policy.conf:6843:allow httpd_t httpd_sys_script_rw_t:lnk_file { create read getattr setattr link unlink rename };

In a quick test of installing Moin, I do not see the selinux denials.

noa: please reopen this issue if a policy newer than comment#3 does
not resolve your issue.
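The thread above turns on one distinction: the denial in the report targets httpd_sys_content_t (the relabel to httpd_sys_script_rw_t never took effect, as comment 2 notes), whereas the fix in comments 3 and 4 is a policy change that lets httpd_t write to httpd_sys_script_rw_t. The following is an added example, not code from the bug report or from any Fedora or SELinux tool: a small POSIX shell triage script that parses an AVC denial in the FC3-era format quoted above and prints, without running them, the relabel commands (when the file still carries the read-only content type) or the sesearch policy check (when the label is already what you wanted). The sample denial is the one from the report, embedded as a constructed string; the data path /opt/www/wiki/data is illustrative.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Fedora/SELinux tool:
# triage an FC3-era AVC denial of the kind quoted in the report and print
# (not run) the relabel or policy-check commands to try next.
# Assumptions: the log line uses the "avc: denied { perm } ... scontext=
# tcontext= tclass=" layout shown in the report; the wiki data path passed
# to avc_triage is illustrative; commands are printed so this runs anywhere.

# Constructed sample: the denial from the report, verbatim.
SAMPLE_AVC='audit(1100077520.457:0): avc:  denied  { write } for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# avc_field LINE KEY: value of "KEY=value" in LINE, empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: the permissions listed between the braces, one space apart.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# se_type CONTEXT: the type component of user:role:type[:level].
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "SRC_TYPE TGT_TYPE CLASS PERMS", the tuple that decides
# whether this is a labelling problem or a policy problem.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(se_type "$(avc_field "$1" scontext)")" \
        "$(se_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_triage LINE PATH: print the next commands to run. Per the report, a
# target of httpd_sys_content_t means the relabel never took effect (the
# read-only content type is still on the file); any other target type means
# the label is what you wanted, so ask the loaded policy whether the source
# domain actually holds the denied permission on that type.
avc_triage() {
    line=$1
    path=$2
    summary=$(avc_summary "$line")
    src=${summary%% *}; rest=${summary#* }
    tgt=${rest%% *};    rest=${rest#* }
    cls=${rest%% *};    perms=${rest#* }
    case "$tgt" in
        httpd_sys_content_t)
            echo "ls -Z $path"
            echo "semanage fcontext -a -t httpd_sys_script_rw_t '$path(/.*)?'"
            echo "restorecon -Rv $path"
            ;;
        *)
            for p in $perms; do
                echo "sesearch -A -s $src -t $tgt -c $cls -p $p"
            done
            ;;
    esac
}

# Demo: the reporter's denial is a labelling problem, so the relabel
# commands are printed.
avc_triage "$SAMPLE_AVC" /opt/www/wiki/data
```

Once the files really carry httpd_sys_script_rw_t, a repeat denial on that type means the policy rule is missing, which is exactly what the sesearch line checks against the policy.conf rules listed in comment 4; semanage plus restorecon is used rather than a bare chcon so the label survives a later relabel.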
