Bug 1586352 - python: SELinux is preventing /usr/sbin/httpd from write access on the file /etc/letsencrypt/.certbot.lock
Summary: python: SELinux is preventing /usr/sbin/httpd from write access on the file /...
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: certbot
Version: epel7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Nick Bebout
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1729813
Depends On:
Blocks:
Reported: 2018-06-06 04:48 UTC by Sergio Basto
Modified: 2024-07-09 02:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-07-09 02:24:09 UTC
Type: Bug
Embargoed:


Attachments
var_log_messages.txt (1.41 MB, text/plain), 2018-06-07 04:17 UTC, Sergio Basto
ausearch.txt (1.11 MB, text/plain), 2018-06-07 04:18 UTC, Sergio Basto


Links
Red Hat Bugzilla 1385167 (Priority: unspecified, Status: CLOSED): Httpd can't read files created by certbot when started from /etc/crontab (last updated 2023-09-23 00:59:42 UTC)

Description Sergio Basto 2018-06-06 04:48:15 UTC
Description of problem:

Just run: certbot --apache and check /var/log/messages

Version-Release number of selected component (if applicable):
certbot-0.24.0-1.el7.noarch


More info:
ausearch -x /usr/sbin/httpd --raw | audit2allow -D -M my-httpd

Suggests (I think):
semanage fcontext -a -t httpd_var_lib_t /var/lib/letsencrypt/.certbot.lock
restorecon -R -v /var/lib/letsencrypt/.certbot.lock

Comment 1 Eli Young 2018-06-06 15:46:22 UTC
What user are you trying to run certbot as?

Comment 2 Eli Young 2018-06-06 20:55:53 UTC
To provide some context for my question, certbot normally expects to run as root. Furthermore, httpd normally won't be invoking certbot, so this shouldn't be a problem. What are you doing that causes this to happen?

Comment 3 Sergio Basto 2018-06-06 21:57:02 UTC
(In reply to Eli Young from comment #1)
> What user are you trying to run certbot as?

root, sorry for the delay

Comment 4 Sergio Basto 2018-06-07 00:33:02 UTC
To be clear, I run as root:
certbot --apache 

I have httpd running with a super simple configuration 
/etc/httpd/conf.d/site.conf 

<VirtualHost *:80>
    ServerName site.name.country
    ErrorLog logs/site.name.country-error_log
    CustomLog logs/site.name.country-access_log common
</VirtualHost>

Comment 5 Eli Young 2018-06-07 04:03:27 UTC
Could you post the syslog and audit messages you’re seeing that illustrate the error?

Comment 6 Sergio Basto 2018-06-07 04:17:07 UTC
Created attachment 1448593 [details]
var_log_messages.txt

cat /var/log/messages | grep SELinux > var_log_messages.txt

Comment 7 Sergio Basto 2018-06-07 04:18:04 UTC
Created attachment 1448594 [details]
ausearch.txt

ausearch -x /usr/sbin/httpd --raw > ausearch.txt

Is that enough?

Comment 8 Sergio Basto 2018-07-27 12:12:07 UTC
More info:

found 5 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from write access on the file /etc/letsencrypt/.certbot.lock.

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore httpd trying to write access the .certbot.lock file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/sbin/httpd --raw | audit2allow -D -M my-httpd
# semodule -i my-httpd.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that httpd should be allowed write access on the .certbot.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                /etc/letsencrypt/.certbot.lock [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxx
Platform                      Linux xxxx 3.10.0-862.3.2.el7.x86_64
                              #1 SMP Mon May 21 23:36:36 UTC 2018 x86_64 x86_64
Alert Count                   20
First Seen                    2018-04-27 17:19:26 WEST
Last Seen                     2018-07-27 12:47:43 WEST
Local ID                      0c2ad820-6b7b-4ba9-a422-7a59ac577708

Raw Audit Messages
type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-0" ino=583456 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file


type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-0" ino=25547078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file


type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-0" ino=8528454 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file


type=SYSCALL msg=audit(1532692063.265:5968): arch=x86_64 syscall=execve success=yes exit=0 a0=16eb330 a1=16e6cb0 a2=16e7f90 a3=7fff91aff700 items=0 ppid=3913 pid=3915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=585 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,etc_t,file,write
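
As an added example (not part of this bug report, setroubleshoot or the certbot project), the following script shows how a defender can triage the raw audit records from comment 8 before accepting either audit2allow suggestion. It groups records by audit serial number, and flags an AVC denial whose event also contains a successful execve as the descriptor-inheritance pattern that setroubleshoot's "leaks" plugin reports: the kernel is checking file descriptors the new httpd_t process inherited from its parent (presumably certbot's open lock files), not an access httpd asked for. It also lists the allow rules audit2allow would generate, which for these records would let httpd_t write etc_t, var_log_t and cert_t files. The embedded records are copied from comment 8; the verdict and advice strings are this example's own classification, not setroubleshoot output.

```python
import re
from collections import defaultdict

# Raw audit records as posted in comment 8 of this bug (copied, not constructed).
SAMPLE_RECORDS = """\
type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/etc/letsencrypt/.certbot.lock" dev="dm-0" ino=583456 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/var/log/letsencrypt/.certbot.lock" dev="dm-0" ino=25547078 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1532692063.265:5968): avc:  denied  { write } for  pid=3915 comm="httpd" path="/var/lib/letsencrypt/.certbot.lock" dev="dm-0" ino=8528454 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1532692063.265:5968): arch=x86_64 syscall=execve success=yes exit=0 a0=16eb330 a1=16e6cb0 a2=16e7f90 a3=7fff91aff700 items=0 ppid=3913 pid=3915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=585 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

HEADER_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)')
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields.

    Returns None for lines that are not audit records.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {'type': m.group('type'), 'ts': float(m.group('ts')),
           'serial': int(m.group('serial'))}
    rest = m.group('rest')
    perms = PERMS_RE.search(rest)
    if perms:
        rec['perms'] = perms.group(1).split()
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def group_by_event(text):
    """Group records that share an audit serial number into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec['serial']].append(rec)
    return events


def triage(text):
    """Classify every AVC denial in the text for a defender's review."""
    findings = []
    for serial, recs in sorted(group_by_event(text).items()):
        syscalls = [r for r in recs if r['type'] == 'SYSCALL']
        # A denial whose event also carries a successful execve means the
        # kernel was checking descriptors inherited by the new domain at exec
        # time (the pattern setroubleshoot's "leaks" plugin reports), not an
        # access the program itself requested.
        leaked_at_exec = any(s.get('syscall') == 'execve' and s.get('success') == 'yes'
                             for s in syscalls)
        for avc in (r for r in recs if r['type'] == 'AVC'):
            finding = {
                'serial': serial,
                'pid': int(avc['pid']),
                'comm': avc.get('comm'),
                'path': avc.get('path'),
                'source_type': context_type(avc['scontext']),
                'target_type': context_type(avc['tcontext']),
                'tclass': avc['tclass'],
                'perms': avc.get('perms', []),
            }
            if leaked_at_exec:
                finding['verdict'] = 'fd-leak-across-exec'
                finding['advice'] = ('descriptor inherited from the parent; fix the parent to open '
                                     'the file close-on-exec (or dontaudit), do not add an allow rule')
            else:
                finding['verdict'] = 'direct-access'
                finding['advice'] = ('process requested this access itself; verify the file label '
                                     'with matchpathcon/restorecon before considering any allow rule')
            findings.append(finding)
    return findings


def allow_rules_implied(text):
    """The set of allow rules audit2allow would generate from these denials.

    Each tuple is (source type, target type, object class, permission). A broad
    set such as httpd_t writing etc_t, var_log_t and cert_t files is itself a
    sign that an allow rule is the wrong fix.
    """
    rules = set()
    for f in triage(text):
        for perm in f['perms']:
            rules.add((f['source_type'], f['target_type'], f['tclass'], perm))
    return rules


if __name__ == '__main__':
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['comm']} ({f['source_type']}) -> {f['path']} ({f['target_type']}): "
              f"{' '.join(f['perms'])} [{f['verdict']}] {f['advice']}")
    print(sorted(allow_rules_implied(SAMPLE_RECORDS)))
```

Run against `ausearch -x /usr/sbin/httpd --raw` output instead of the embedded records to apply the same triage to a live system; the script only reads text and changes no policy.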

Comment 9 Eli Young 2019-07-19 19:36:11 UTC
*** Bug 1729813 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Admin user for bugzilla script actions 2020-11-03 02:53:47 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 11 Troy Dawson 2024-07-09 02:24:09 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates.
As a result we are closing this bug.