Bug 140799 - Httpd, krb5_conf_t, mibs(?)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-24 19:05 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-12-01 15:51:02 EST
Description Ivan Gyurdiev 2004-11-24 19:05:29 EST

Description of problem:
audit(1101340776.038:0): avc:  denied  { getattr } for  pid=6016 exe=/usr/sbin/httpd path=/etc/krb5.conf dev=dm-0 ino=668442 scontext=root:system_r:httpd_t tcontext=system_u:object_r:krb5_conf_t tclass=file

audit(1101341295.339:0): avc:  denied  { write } for  pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.4-3

How reproducible:
Always

Steps to Reproduce:
See summary.

Additional info:
Comment 1 Daniel Walsh 2004-11-29 09:27:10 EST
Do you have the allow_kerberos boolean set?  This should be set to allow
/etc/krb5.conf to be read?

audit(1101341295.339:0): avc:  denied  { write } for  pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir

This looks like a mislabel of some snmpd directories?

Dan
Comment 2 Ivan Gyurdiev 2004-11-29 09:38:41 EST
It seems on by default 
in the /etc/selinux/targeted/booleans file that you ship.

httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
named_write_master_zones=0
httpd_unified=1
httpd_tty_comm=0
allow_ypbind=0
allow_kerberos=1

> This looks like a mislable of some snmpd directories?

Well, after the rpm script problems were fixed I ran restorecon
on basically everything, so all files should be policy compliant.
Where is this file exactly - I can check. 
Comment 3 Daniel Walsh 2004-11-29 10:46:01 EST
ls -lZ /usr/share/snmp/mibs/.index
-rw-r--r--  root     root     system_u:object_r:snmpd_var_lib_t
/usr/share/snmp/mibs/.index

Ok, there is a bug in targeted policy for can_kerberos.  I will fix it
in tonight's policy.

Comment 4 Ivan Gyurdiev 2004-11-29 11:03:48 EST
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/.index
ls: /usr/share/snmp/mibs/.index: No such file or directory
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x  root     root     system_u:object_r:usr_t         
/usr/share/snmp/mibs/
[root@cobra ~]# restorecon /usr/share/snmp/mibs
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x  root     root     system_u:object_r:usr_t         
/usr/share/snmp/mibs/
[root@cobra ~]#
Comment 5 Daniel Walsh 2004-11-30 13:50:38 EST
Ok the kerberos problem is solved in selinux-policy-targeted-1.19.7-1

The second problem can be solved by starting and stopping snmpd.

I am not sure of a good way to fix this problem.  Basically the .index
file does not exist by default and the apache web server tries to
write to the directory.  If the file exists it has a context of
snmpd_var_lib_t and apache is told to ignore it.  If it does not exist,
apache tries to create it and gets an error writing to a usr_t directory.


Dan
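The two denials in the description, the booleans file quoted in comment 2, Dan's explanation above and the snmpd denial that turns up in comment 6 can be tied together with a small triage script. This is an added example, not code from selinux-policy, from Fedora or from anyone on this thread. The sample AVC lines are the page's own messages joined back onto one line each, the booleans text is the excerpt from comment 2, and the verdict names (`policy_bug`, `boolean:allow_kerberos`, `mislabel`) and the rules that produce them are a hypothetical reading of the diagnoses given in the thread, not anything the policy itself defines.

```python
"""Parse kernel-printk style AVC messages and triage them the way this thread did.

Added example; not part of selinux-policy or any Fedora tool. Sample inputs are
constructed from the text of the bug, and the triage rules are hypothetical.
"""
import re
from dataclasses import dataclass

# Old (pre-auditd) kernel format: audit(<secs>.<ms>:<serial>): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value tokens; later kernels quote some values (comm="httpd"), so accept both forms
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed from the three AVC messages on this page, re-joined onto single lines.
AVC_SAMPLES = [
    "audit(1101340776.038:0): avc:  denied  { getattr } for  pid=6016 exe=/usr/sbin/httpd "
    "path=/etc/krb5.conf dev=dm-0 ino=668442 scontext=root:system_r:httpd_t "
    "tcontext=system_u:object_r:krb5_conf_t tclass=file",
    "audit(1101341295.339:0): avc:  denied  { write } for  pid=6202 exe=/usr/sbin/httpd "
    "name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t "
    "tcontext=system_u:object_r:usr_t tclass=dir",
    "audit(1101844222.807:0): avc:  denied  { listen } for  pid=2181 exe=/usr/sbin/snmpd "
    "lport=199 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=tcp_socket",
]

# Constructed from the /etc/selinux/targeted/booleans excerpt in comment 2.
BOOLEANS_TEXT = """httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
named_write_master_zones=0
httpd_unified=1
httpd_tty_comm=0
allow_ypbind=0
allow_kerberos=1
"""


@dataclass
class Avc:
    ts: float
    result: str
    perms: list
    fields: dict

    @property
    def stype(self):  # context is user:role:type[:range]; rules key on the type
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Return an Avc for a kernel AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(float(m.group("ts")), m.group("result"), m.group("perms").split(), fields)


def parse_booleans(text):
    """Parse name=0/1 lines as found in /etc/selinux/targeted/booleans."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def triage(avc, booleans):
    """Hypothetical triage mirroring the thread: boolean, relabel, or policy bug."""
    if avc.stype == avc.ttype:
        # A domain denied on an object of its own type (snmpd_t listening on its own
        # tcp_socket): nothing to relabel and no boolean to flip; the policy lacks the rule.
        return "policy_bug"
    if (avc.stype, avc.ttype) == ("httpd_t", "krb5_conf_t"):
        # Reading /etc/krb5.conf from httpd_t is gated by allow_kerberos. If it is
        # already on and the denial persists, the boolean's rule set is incomplete.
        if booleans.get("allow_kerberos") == "1":
            return "policy_bug:allow_kerberos_already_on"
        return "boolean:allow_kerberos"
    if avc.ttype == "usr_t" and avc.tclass == "dir" and "write" in avc.perms:
        # A confined daemon writing into a generic /usr directory: the path is
        # mislabelled, or a file that should carry a specific type has not been
        # created yet (here /usr/share/snmp/mibs/.index, normally snmpd_var_lib_t).
        return "mislabel"
    return "unclassified"


def triage_lines(lines, booleans_text=BOOLEANS_TEXT):
    """Parse every AVC line and return (source type, target type, class, verdict)."""
    booleans = parse_booleans(booleans_text)
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc.stype, avc.ttype, avc.tclass, triage(avc, booleans)))
    return results


if __name__ == "__main__":
    for stype, ttype, tclass, verdict in triage_lines(AVC_SAMPLES):
        print(f"{stype} -> {ttype} ({tclass}): {verdict}")
```

The point of splitting on the source and target types rather than on the full context string is that policy rules are written against types, so `root:system_r:httpd_t` and `system_u:system_r:httpd_t` must triage identically. The self-type check comes first because a domain being denied on its own socket (comment 6) can never be a labeling problem, which is exactly why Dan answered it with a policy build rather than a relabel.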
Comment 6 Ivan Gyurdiev 2004-11-30 14:47:47 EST
Fix confirmed. Starting and stopping snmpd fixes the problem,
and also produces this:

audit(1101844222.807:0): avc:  denied  { listen } for  pid=2181 exe=/usr/sbin/snmpd lport=199 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=tcp_socket
Comment 7 Daniel Walsh 2004-11-30 17:08:36 EST
selinux-policy-targeted-1.19.8-1
should fix that.
Comment 8 Ivan Gyurdiev 2004-12-01 15:51:02 EST
Fix confirmed. 
Closing...
