Bug 143688 - httpd_t craziness - locked out of X
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-12-24 00:11 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST

Doc Type: Bug Fix
Last Closed: 2005-01-07 09:03:11 EST
Description Ivan Gyurdiev 2004-12-24 00:11:02 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041216 Firefox/1.0 Fedora/1.0-6

Description of problem:
audit(1103864512.212:0): avc:  denied  { entrypoint } for  pid=28502
exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file

X refuses to start. Setting policy to permissive mode.

....

audit(1103864577.746:0): avc:  granted  { setenforce } for  pid=28449
exe=/bin/bash scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
audit(1103864583.999:0): avc:  denied  { entrypoint } for  pid=28531
exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1103864584.005:0): avc:  denied  { execute } for  pid=28531
exe=/bin/bash name=xinitrc-common dev=dm-0 ino=668536
scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t
tclass=file
audit(1103864584.007:0): avc:  denied  { write } for  pid=28541
exe=/usr/X11R6/bin/xsetroot name=X0 dev=dm-0 ino=827439
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:tmp_t
tclass=sock_file
audit(1103864584.007:0): avc:  denied  { connectto } for  pid=28541
exe=/usr/X11R6/bin/xsetroot path=/tmp/.X11-unix/X0
scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t
tclass=unix_stream_socket
audit(1103864584.007:0): avc:  denied  { read } for  pid=28541
exe=/usr/X11R6/bin/xsetroot name=.Xauthority dev=dm-2 ino=324562
scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1103864584.007:0): avc:  denied  { getattr } for  pid=28541
exe=/usr/X11R6/bin/xsetroot path=/home/phantom/.Xauthority dev=dm-2
ino=324562 scontext=user_u:system_r:httpd_t
tcontext=user_u:object_r:user_home_dir_t tclass=file
audit(1103864584.013:0): avc:  denied  { use } for  pid=28543
exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:initrc_t tclass=fd
audit(1103864584.013:0): avc:  denied  { write } for  pid=28543
exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381
scontext=user_u:system_r:httpd_sys_script_t
tcontext=user_u:system_r:initrc_t tclass=fifo_file
audit(1103864584.056:0): avc:  denied  { search } for  pid=28558
exe=/usr/bin/ssh-agent name=selinux dev=dm-0 ino=667342
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
audit(1103864584.056:0): avc:  denied  { read } for  pid=28558
exe=/usr/bin/ssh-agent name=config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.056:0): avc:  denied  { getattr } for  pid=28558
exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.057:0): avc:  denied  { create } for  pid=28558
exe=/usr/bin/ssh-agent name=agent.28558
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_tmp_t
tclass=sock_file
audit(1103864584.058:0): avc:  denied  { setrlimit } for  pid=28559
exe=/usr/bin/ssh-agent scontext=user_u:system_r:httpd_t
tcontext=user_u:system_r:httpd_t tclass=process
audit(1103864584.066:0): avc:  denied  { read } for  pid=28561
exe=/usr/bin/id name=config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.066:0): avc:  denied  { getattr } for  pid=28561
exe=/usr/bin/id path=/etc/selinux/config dev=dm-0 ino=668083
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=file
audit(1103864584.075:0): avc:  denied  { search } for  pid=28531
exe=/bin/bash name=spool dev=dm-0 ino=1168165
scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_spool_t tclass=dir

... and more. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.15-5

How reproducible:
Didn't try


Additional info:
Comment 1 Ivan Gyurdiev 2004-12-27 19:25:13 EST
[phantom@cobra ~]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:httpd_sys_script_t
[phantom@cobra ~]$

??

If I su from root the context is correct.
Comment 2 Ivan Gyurdiev 2004-12-28 21:02:12 EST
[phantom@cobra home]$ su phantom
Password:
[phantom@cobra home]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:system_mail_t
[phantom@cobra home]$ su phantom
Password:
[phantom@cobra home]$ id
uid=500(phantom) gid=500(phantom) groups=500(phantom),503(data)
context=user_u:system_r:unconfined_t

???

What is going on...system_mail_t?

Comment 3 Daniel Walsh 2004-12-29 07:31:53 EST
We have been doing some experimenting with targeted policy.

We have added a lot of new targets, and have added a new "unconfined"
policy initrc_t. So now daemons started by initrc_t or via the
service scripts will transition; daemons started directly by
executing the daemon code will stay in unconfined_t. This allows for
new developments on the desktop. While doing this we broke the login
programs (gdm, sshd, crond, and sendmail). Latest policy fixes these
daemons to have them run under unconfined_t, although you need to
relabel those packages.

selinux-policy-targeted-1.19.15-11

Dan
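The following is an added example, not code from the bug report, the reporter, or the Fedora policy package. It parses AVC records in the format quoted in the description, summarizes denials by (source domain, target type, object class, permission), and flags records in which a program runs in a domain other than the one expected for it, which is the condition Comment 3 describes (login and X session programs that should run under unconfined_t but here appear in httpd_t and httpd_sys_script_t). The sample records are constructed after the report's lines, joined onto single lines; the expected-domain table is an assumption made for the example.

```python
"""Parse SELinux AVC audit records and flag processes running in an
unexpected domain.  Added example; the sample log is constructed."""
import re
from collections import Counter

# Constructed sample records, modelled on the lines in the bug report
# but joined onto single lines (the report wraps them).
SAMPLE_AVC = """\
audit(1103864512.212:0): avc:  denied  { entrypoint } for  pid=28502 exe=/usr/bin/gdm-binary path=/etc/X11/xdm/Xsession dev=dm-0 ino=667133 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:etc_t tclass=file
audit(1103864577.746:0): avc:  granted  { setenforce } for  pid=28449 exe=/bin/bash scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
audit(1103864584.007:0): avc:  denied  { connectto } for  pid=28541 exe=/usr/X11R6/bin/xsetroot path=/tmp/.X11-unix/X0 scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:initrc_t tclass=unix_stream_socket
audit(1103864584.013:0): avc:  denied  { write } for  pid=28543 exe=/bin/bash path=pipe:[162381] dev=pipefs ino=162381 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:initrc_t tclass=fifo_file
... and more.
"""

# Header of a record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value fields that follow the header (exe=, path=, scontext=, ...).
KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for this example: which domain each session program is
# expected to run in under targeted policy (Comment 3 says unconfined_t).
EXPECTED_DOMAINS = {
    "/usr/bin/gdm-binary": {"unconfined_t"},
    "/usr/X11R6/bin/xsetroot": {"unconfined_t"},
}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "result": m["result"],
           "perms": m["perms"].split()}
    rec.update(KV_RE.findall(m["rest"]))
    # Contexts are user:role:type[:mls]; keep only the type for comparisons.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def parse_avc_log(text):
    """Parse every AVC record in a block of log text, skipping other lines."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["scontext_type"], r["tcontext_type"],
                    r["tclass"], perm)] += 1
    return counts


def find_domain_mismatches(records, expected):
    """Return sorted (exe, actual domain) pairs for programs whose source
    domain is not one listed for them in `expected`."""
    hits = set()
    for r in records:
        exe = r.get("exe")
        if exe in expected and r.get("scontext_type") not in expected[exe]:
            hits.add((exe, r["scontext_type"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC)
    for key, n in sorted(summarize_denials(recs).items()):
        print(n, *key)
    for exe, dom in find_domain_mismatches(recs, EXPECTED_DOMAINS):
        print(f"unexpected domain: {exe} running as {dom}")
```

Run against a real audit log, the mismatch list is the quickest way to see that a session is stuck in the wrong domain (as in Comment 1, where `id` reports httpd_sys_script_t) before reading through every individual denial.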
Comment 4 Ivan Gyurdiev 2004-12-30 01:46:03 EST
What about those:

audit(1104389051.330:0): avc:  denied  { search } for  pid=3099
exe=/usr/libexec/gam_server name=.local dev=dm-2 ino=324598
scontext=user_u:system_r:httpd_sys_script_t 

I get lots of them.


Comment 5 Ivan Gyurdiev 2005-01-07 09:03:11 EST
Seems to have been fixed.
