Bug 140799 - Httpd, krb5_conf_t, mibs(?)
Summary: Httpd, krb5_conf_t, mibs(?)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-11-25 00:05 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-12-01 20:51:02 UTC
Type: ---
Embargoed:



Description Ivan Gyurdiev 2004-11-25 00:05:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041114 Firefox/1.0

Description of problem:
audit(1101340776.038:0): avc:  denied  { getattr } for  pid=6016
exe=/usr/sbin/httpd path=/etc/krb5.conf dev=dm-0 ino=668442
scontext=root:system_r:httpd_t tcontext=system_u:object_r:krb5_conf_t
tclass=file

audit(1101341295.339:0): avc:  denied  { write } for  pid=6202
exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599
scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.4-3

How reproducible:
Always

Steps to Reproduce:
See summary.

Additional info:

Comment 1 Daniel Walsh 2004-11-29 14:27:10 UTC
Do you have the allow_kerberos boolean set?  This should be set to allow
/etc/krb5.conf to be read.

audit(1101341295.339:0): avc:  denied  { write } for  pid=6202
exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599
scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir

This looks like a mislabel of some snmpd directories?

Dan

Comment 2 Ivan Gyurdiev 2004-11-29 14:38:41 UTC
It seems to be on by default
in the /etc/selinux/targeted/booleans file that you ship.

httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
named_write_master_zones=0
httpd_unified=1
httpd_tty_comm=0
allow_ypbind=0
allow_kerberos=1

> This looks like a mislabel of some snmpd directories?

Well, after the rpm script problems were fixed I ran restorecon
on basically everything, so all files should be policy compliant.
Where is this file exactly? I can check.

Comment 3 Daniel Walsh 2004-11-29 15:46:01 UTC
ls -lZ /usr/share/snmp/mibs/.index
-rw-r--r--  root     root     system_u:object_r:snmpd_var_lib_t
/usr/share/snmp/mibs/.index

OK, there is a bug in targeted policy for can_kerberos.  I will fix it
in tonight's policy.



Comment 4 Ivan Gyurdiev 2004-11-29 16:03:48 UTC
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/.index
ls: /usr/share/snmp/mibs/.index: No such file or directory
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x  root     root     system_u:object_r:usr_t         
/usr/share/snmp/mibs/
[root@cobra ~]# restorecon /usr/share/snmp/mibs
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x  root     root     system_u:object_r:usr_t         
/usr/share/snmp/mibs/
[root@cobra ~]#


Comment 5 Daniel Walsh 2004-11-30 18:50:38 UTC
OK, the Kerberos problem is solved in selinux-policy-targeted-1.19.7-1.

The second problem can be solved by starting and stopping snmpd.

I am not sure of a good way to fix this problem.  Basically the .index
file does not exist by default and the apache web server tries to
write to the directory. If the file exists it has a context of
snmpd_var_lib_t and apache is told to ignore it.  If it does not exist,
apache tries to create it and gets an error writing to a usr_t directory.


Dan
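The AVC records quoted in this bug can be triaged mechanically along the lines the thread follows (boolean first, then labelling, then policy). The following is an added example, not code from the bug report or from selinux-policy; the sample log is the three denials from this bug rejoined onto single lines, and the triage hints are only those the thread itself arrives at.

```python
import re

# Old-style (pre-auditd) AVC record format as it appears in this bug report:
# audit(<ts>:<serial>): avc:  denied  { perms } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the three denials quoted in this bug, one record per line.
SAMPLE = """\
audit(1101340776.038:0): avc:  denied  { getattr } for  pid=6016 exe=/usr/sbin/httpd path=/etc/krb5.conf dev=dm-0 ino=668442 scontext=root:system_r:httpd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
audit(1101341295.339:0): avc:  denied  { write } for  pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
audit(1101844222.807:0): avc:  denied  { listen } for  pid=2181 exe=/usr/sbin/snmpd lport=199 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=tcp_socket
"""

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "perms": m["perms"].split()}
    rec.update(KV_RE.findall(m["rest"]))
    # Pull the type field out of each context (user:role:type[:range]).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Apply the checks this bug walks through, in the order the thread did."""
    if rec["stype"] == "httpd_t" and rec["ttype"] == "krb5_conf_t":
        return "check boolean: getsebool allow_kerberos (comments 1-3)"
    if "write" in rec["perms"] and rec["tclass"] == "dir" and rec["ttype"] == "usr_t":
        return "possible mislabel: compare ls -Z with matchpathcon, then restorecon (comments 3-5)"
    if rec["tclass"] == "tcp_socket" and rec["stype"] == rec["ttype"]:
        return "domain denied on its own socket: needs a policy update (comment 7)"
    return "unclassified"

def triage_log(text):
    """Parse every AVC line in text and pair it with its triage hint."""
    return [(r["exe"], r["perms"], triage(r)) for r in map(parse_avc, text.splitlines()) if r]

if __name__ == "__main__":
    for exe, perms, hint in triage_log(SAMPLE):
        print(exe, perms, "->", hint)
```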

Comment 6 Ivan Gyurdiev 2004-11-30 19:47:47 UTC
Fix confirmed. Starting and stopping snmpd fixes the problem,
and also produces this:

audit(1101844222.807:0): avc:  denied  { listen } for  pid=2181
exe=/usr/sbin/snmpd lport=199 scontext=root:system_r:snmpd_t
tcontext=root:system_r:snmpd_t tclass=tcp_socket

Comment 7 Daniel Walsh 2004-11-30 22:08:36 UTC
selinux-policy-targeted-1.19.8-1
should fix that.

Comment 8 Ivan Gyurdiev 2004-12-01 20:51:02 UTC
Fix confirmed. 
Closing...
