Bug 138614 - types needed that allow for example mod_python to write to a specified file
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Reported: 2004-11-10 04:07 EST by Noa Resare
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2004-12-02 12:13:59 EST
Attachments
mod_python config file (508 bytes, text/plain), 2004-11-10 04:19 EST, Noa Resare
Description Noa Resare 2004-11-10 04:07:46 EST

I am trying to get a mod_python application that needs write access to certain files
to work with the targeted policy in fc3. I have tried to set the file type to
httpd_sys_script_rw_t as described in
http://people.redhat.com/walters/selinux-apache-en/using-other-types.html but
since mod_python scripts are run in the httpd_t scontext and not
httpd_sys_script_t, that still gives me a syslog message like this:

Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc:  denied  { write }
for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221
scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t
tclass=file

Reproducible: Always
Steps to Reproduce:
1. Try to run a mod_python program that needs to write to files. My example is
MoinMoin installed in /opt/www/wiki with the attached configuration
Actual Results:  
Nov 10 10:05:20 molly kernel: audit(1100077520.457:0): avc:  denied  { write }
for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221
scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t
tclass=file

Expected Results:  
The same as I get when I have run 'setenforce 0', a working wiki app

I suppose this applies to mod_perl as well, but I haven't tried.
Comment 1 Noa Resare 2004-11-10 04:19:50 EST
Created attachment 106399 [details]
mod_python config file
Comment 2 Russell Coker 2004-11-10 09:24:35 EST
The syslog entry indicates that the file type was not changed to
httpd_sys_script_rw_t.

But it seems that write access to httpd_sys_script_rw_t is not
granted for httpd_t.  I think that we should enable such access.
Comment 3 Daniel Walsh 2004-11-11 08:44:28 EST
Fixed in selinux-policy-targeted-1.17.30-2.23

Available on ftp://people.redhat.com/dwalsh/SELinux/FC3
Comment 4 James Laska 2004-12-02 12:13:59 EST
Appears to be resolved in selinux-policy-targeted-1.17.30-2.35

/etc/selinux/targeted/src/policy/policy.conf:5759:allow httpd_t
httpd_sys_script_rw_t:dir { read getattr lock search ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5761:allow httpd_t
httpd_sys_script_rw_t:file { read getattr lock ioctl };
/etc/selinux/targeted/src/policy/policy.conf:5763:allow httpd_t
httpd_sys_script_rw_t:lnk_file { getattr read };
/etc/selinux/targeted/src/policy/policy.conf:6839:allow httpd_t
httpd_sys_script_rw_t:dir { create read getattr lock setattr ioctl link unlink
rename search add_name remove_name reparent write rmdir };
/etc/selinux/targeted/src/policy/policy.conf:6841:allow httpd_t
httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append
link unlink rename };
/etc/selinux/targeted/src/policy/policy.conf:6843:allow httpd_t
httpd_sys_script_rw_t:lnk_file { create read getattr setattr link unlink rename };

In a quick test of installing Moin, I do not see the selinux denials.

noa@resare.com: please reopen this issue if a policy newer than comment#3 does
not resolve your issue.
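An added example, not code from the bug report or from the Fedora policy package: a POSIX shell script that parses the denial from the description into source type, target type, object class and permission, checks policy.conf-style allow rules like those in comment 4 for the missing write permission, and prints the relabel steps the referenced document describes. The sample denial and the two rules are constructed from the text above; /opt/www/wiki/data is an assumed path for the wiki's writable data.

```shell
#!/bin/sh
# Added example, not from the bug report: triage an AVC denial like the one in
# the description, then check whether a set of allow rules grants the access.
# SAMPLE_AVC, RULES_OLD and RULES_FIXED are constructed from the report text.

# The reporter's denial, joined onto one line.
SAMPLE_AVC='audit(1100077520.457:0): avc:  denied  { write } for  pid=8928 exe=/usr/sbin/httpd name=dicts.pickle dev=dm-0 ino=10076221 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'
# policy.conf-style rules: a read-only rule (the situation Russell describes)
# and the file rule quoted in comment 4, with the grep prefixes stripped.
RULES_OLD='allow httpd_t httpd_sys_script_rw_t:file { read getattr lock ioctl };'
RULES_FIXED='allow httpd_t httpd_sys_script_rw_t:file { create ioctl read getattr lock write setattr append link unlink rename };'

# Print "<source type> <target type> <class> <permissions>" for one AVC line.
# For the reporter's denial this is: httpd_t httpd_sys_content_t file write
avc_summary() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{\([^}]*\)}.*/\1/p')
    set -- $perms                      # collapse the whitespace inside { }
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^ :]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^ :]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$*"
}

# Read allow rules on stdin; succeed only if one grants <perm> from <stype>
# to <ttype>:<class>. This is the check comment 4 does by eye on policy.conf:
# a rule whose permission set lacks "write" does not help a writing script.
policy_allows() {
    grep -E "^allow[[:space:]]+$1[[:space:]]+$2:$3[[:space:]]+\{[^}]*[[:space:]]$4[[:space:]][^}]*\}" >/dev/null
}

# Relabel steps for the reporter's case: the script's writable data must carry
# the rw type, and the policy must let httpd_t (mod_python's domain) write to it.
relabel_hint() {
    path=$1
    printf 'chcon -R -t httpd_sys_script_rw_t %s   # label the writable data\n' "$path"
    printf 'ls -Z %s                               # verify the new label\n' "$path"
}

avc_summary "$SAMPLE_AVC"
relabel_hint /opt/www/wiki/data
printf '%s\n' "$RULES_FIXED" | policy_allows httpd_t httpd_sys_script_rw_t file write \
    && echo "policy grants httpd_t write on httpd_sys_script_rw_t files"
```

On a live system the same check is `sesearch --allow -s httpd_t -t httpd_sys_script_rw_t -c file -p write`, and `ausearch -m avc` (or the kernel log, as in the report) supplies the denial lines to feed to avc_summary.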
