Bug 143688 - httpd_t craziness - locked out of X
Summary: httpd_t craziness - locked out of X
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2004-12-24 05:11 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)
Clone Of:
Last Closed: 2005-01-07 14:03:11 UTC



Description Ivan Gyurdiev 2004-12-24 05:11:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041216 Firefox/1.0 Fedora/1.0-6

Description of problem:
audit(1103864512.212:0): avc:  denied  { entrypoint } for  pid=28502
exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file

X refuses to start. Setting policy to permissive mode.

....

audit(1103864577.746:0): avc:  granted  { setenforce } for  pid=28449
exe=/bin/bash scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
audit(1103864583.999:0): avc:  denied  { entrypoint } for  pid=28531
exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1103864584.005:0): avc:  denied  { execute } for  pid=28531
exe=/bin/bash name=xinitrc-common dev=dm-0 ino=668536
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1103864584.007:0): avc:  denied  { write } for  pid=28541
exe=/usr/X11R6/bin/xsetroot name=X0 dev=dm-0 ino=827439
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:tmp_t
tclass=sock_file
audit(1103864584.007:0): avc:  denied  { connectto } for  pid=28541
exe=/usr/X11R6/bin/xsetroot path=/tmp/.X11-unix/X0
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
tclass=unix_stream_socket
audit(1103864584.007:0): avc:  denied  { read } for  pid=28541
exe=/usr/X11R6/bin/xsetroot name=.Xauthority dev=dm-2 ino=324562
scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1103864584.007:0): avc:  denied  { getattr } for  pid=28541
exe=/usr/X11R6/bin/xsetroot path=/home/phantom/.Xauthority dev=dm-2
ino=324562 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1103864584.013:0): avc:  denied  { use } for  pid=28543
exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:initrc_t tclass=fd
audit(1103864584.013:0): avc:  denied  { write } for  pid=28543
exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:initrc_t tclass=fifo_file
audit(1103864584.056:0): avc:  denied  { search } for  pid=28558
exe=/usr/bin/ssh-agent name=selinux dev=dm-0 ino=667342
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1103864584.056:0): avc:  denied  { read } for  pid=28558
exe=/usr/bin/ssh-agent name=config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.056:0): avc:  denied  { getattr } for  pid=28558
exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.057:0): avc:  denied  { create } for  pid=28558
exe=/usr/bin/ssh-agent name=agent.28558
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_tmp_t
tclass=sock_file
audit(1103864584.058:0): avc:  denied  { setrlimit } for  pid=28559
exe=/usr/bin/ssh-agent scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:httpd_t tclass=process
audit(1103864584.066:0): avc:  denied  { read } for  pid=28561
exe=/usr/bin/id name=config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.066:0): avc:  denied  { getattr } for  pid=28561
exe=/usr/bin/id path=/etc/selinux/config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.075:0): avc:  denied  { search } for  pid=28531
exe=/bin/bash name=spool dev=dm-0 ino=1168165
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_spool_t tclass=dir

... and more. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.15-5

How reproducible:
Didn't try


Additional info:
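The denials above all share one telling feature: the source domain is httpd_t or httpd_sys_script_t while the executables are gdm-binary, xsetroot, ssh-agent and id, none of which belong in a web-server domain. A triager wants that fact surfaced before anyone reaches for an allow rule. The following parser is an added example, not part of the bug report or of the selinux-policy package; it re-joins AVC records that were wrapped across lines the way the report shows them, parses each record, and groups the denials by source type, target type, object class and permission, then lists which binaries were seen in each source domain. The sample input is a handful of lines copied from the report above (one is the granted setenforce line, which must not be counted as a denial).

```python
import re
from collections import Counter, defaultdict

# Sample input: records copied from the report above, wrapped across lines
# exactly as they appear there. Five denials and one granted setenforce.
SAMPLE_AUDIT = """\
audit(1103864512.212:0): avc:  denied  { entrypoint } for  pid=28502
exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1103864577.746:0): avc:  granted  { setenforce } for  pid=28449
exe=/bin/bash scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
audit(1103864584.007:0): avc:  denied  { connectto } for  pid=28541
exe=/usr/X11R6/bin/xsetroot path=/tmp/.X11-unix/X0
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
tclass=unix_stream_socket
audit(1103864584.007:0): avc:  denied  { read } for  pid=28541
exe=/usr/X11R6/bin/xsetroot name=.Xauthority dev=dm-2 ino=324562
scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1103864584.013:0): avc:  denied  { use } for  pid=28543
exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:initrc_t tclass=fd
audit(1103864584.066:0): avc:  denied  { read } for  pid=28561
exe=/usr/bin/id name=config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=file
"""

# Header of a 2004-era AVC record: timestamp, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def unwrap(text):
    """Re-join records wrapped across lines: a new record starts at each 'audit(' line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit("):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse one unwrapped AVC record into a dict, or return None if it is not an AVC line."""
    m = AVC_RE.match(record)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    # Remaining key=value pairs: pid, exe, path/name, scontext, tcontext, tclass, ...
    rec.update(dict(FIELD_RE.findall(m.group("fields"))))
    return rec


def parse_log(text):
    """Parse every AVC record in a block of audit output."""
    parsed = (parse_avc(r) for r in unwrap(text))
    return [rec for rec in parsed if rec is not None]


def context_type(ctx):
    """Type component of user:role:type[:level]; returns the input unchanged if malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_denials(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in records:
        if rec["verdict"] != "denied":
            continue  # granted lines (e.g. the setenforce above) are not denials
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def exes_by_domain(records):
    """Binaries seen running in each source domain among the denials.

    Many unrelated binaries in one confined domain points at a wrong domain
    transition (the problem in this report), not at missing allow rules.
    """
    seen = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "denied":
            seen[context_type(rec["scontext"])].add(rec.get("exe", "?"))
    return {domain: sorted(exes) for domain, exes in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT)
    for key, n in sorted(summarize_denials(recs).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} {key[2]}:{key[3]}")
    for domain, exes in exes_by_domain(recs).items():
        print(f"{domain}: {', '.join(exes)}")
```

Run against the full audit output rather than this excerpt, the second listing is the one that answers Comment 1 and Comment 2: a login program's children landing in httpd_t, httpd_sys_script_t or system_mail_t is a domain-transition problem in the policy, and the fix Comment 3 describes (running the login daemons under unconfined_t and relabeling) addresses exactly that rather than any individual denial.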

Comment 1 Ivan Gyurdiev 2004-12-28 00:25:13 UTC
[phantom@cobra ~]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:httpd_sys_script_t
[phantom@cobra ~]$

??

If I su from root the context is correct.


Comment 2 Ivan Gyurdiev 2004-12-29 02:02:12 UTC
[phantom@cobra home]$ su phantom
Password:
[phantom@cobra home]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:system_mail_t
[phantom@cobra home]$ su phantom
Password:
[phantom@cobra home]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:unconfined_t

???

What is going on...system_mail_t?



Comment 3 Daniel Walsh 2004-12-29 12:31:53 UTC
We have been doing some experimenting with targeted policy.

We have added a lot of new targets, and have added a new "unconfined"
policy initrc_t. So now daemons started by initrc_t or via the
service scripts will transition, daemons started directly by
executing the daemon code will stay in unconfined_t. This allows for
new developments on the desktop. While doing this we broke the login
programs (gdm, sshd, crond, and sendmail). Latest policy fixes these
daemons to have them run under unconfined_t, although you need to
relabel those packages.

selinux-policy-targeted-1.19.15-11

Dan

Comment 4 Ivan Gyurdiev 2004-12-30 06:46:03 UTC
What about those:

audit(1104389051.330:0): avc:  denied  { search } for  pid=3099
exe=/usr/libexec/gam_server name=.local dev=dm-2 ino=324598
scontext=user_u:system_r:httpd_sys_script_t 

I get lots of them.




Comment 5 Ivan Gyurdiev 2005-01-07 14:03:11 UTC
Seems to have been fixed.

