Description of problem:
Just testing fedora rawhide. If I access the cacti log file /var/log/cacti/cacti.log I get an AVC denied error. It looks like this only affects rawhide (fc30).

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-10.fc30.noarch

Actual results:
type=AVC msg=audit(1540908811.470:21988): avc: denied { write } for pid=16834 comm="php-fpm" name="cacti.log" dev="sda3" ino=26194592 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1

Expected results:
no avc denied error
Just testing with the latest selinux-policy and I still got some avc denied errors. I think we need rw permissions (httpd_sys_rw_content_t) to /var/lib/cacti/rra and /var/log/cacti. This should fix most of the issues.

Version-Release number of selected component (if applicable):
cacti-1.2.0-1.fc30.noarch
selinux-policy-3.14.3-15.fc30.noarch

type=AVC msg=audit(1546615177.344:204): avc: denied { write } for pid=1377 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1

There are also some other errors after upgrading from cacti-1.1.38 to the latest 1.2.0 release:

type=AVC msg=audit(1546536362.641:384): avc: denied { create } for pid=1403 comm="php-fpm" name="738104805c2e45aa9d111.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.641:385): avc: denied { write } for pid=1403 comm="php-fpm" path="/usr/share/cacti/resource/snmp_queries/738104805c2e45aa9d111.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.641:386): avc: denied { unlink } for pid=1403 comm="php-fpm" name="738104805c2e45aa9d111.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.644:387): avc: denied { remove_name } for pid=1403 comm="php-fpm" name="17318346835c2e45aa9dc52.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536362.644:388): avc: denied { unlink } for pid=1403 comm="php-fpm" name="17318346835c2e45aa9dc52.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.685:408): avc: denied { write } for pid=1403 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:409): avc: denied { create } for pid=1403 comm="php-fpm" name="7945954045c2e45f7bcbc3.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:410): avc: denied { write } for pid=1403 comm="php-fpm" path="/usr/share/cacti/resource/snmp_queries/7945954045c2e45f7bcbc3.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:411): avc: denied { unlink } for pid=1403 comm="php-fpm" name="7945954045c2e45f7bcbc3.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.775:412): avc: denied { remove_name } for pid=1403 comm="php-fpm" name="18221949175c2e45f7bd73d.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536439.775:413): avc: denied { unlink } for pid=1403 comm="php-fpm" name="18221949175c2e45f7bd73d.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536440.258:414): avc: denied { map } for pid=3079 comm="php" path="/var/lib/cacti/cli/convert_tables.php" dev="dm-0" ino=4326151 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536610.732:428): avc: denied { write } for pid=1403 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536615.011:431): avc: denied { write } for pid=1402 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.031:432): avc: denied { write } for pid=1405 comm="php-fpm" name="rra" dev="dm-0" ino=4326256 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.031:433): avc: denied { add_name } for pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.032:434): avc: denied { create } for pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.032:435): avc: denied { write } for pid=1405 comm="php-fpm" path="/var/lib/cacti/rra/1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.032:436): avc: denied { remove_name } for pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.032:437): avc: denied { unlink } for pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
*** Bug 1667665 has been marked as a duplicate of this bug. ***
This bug affects also F29.
*** Bug 1670836 has been marked as a duplicate of this bug. ***
Hi,

Thank you for reporting the issue. We need to see the full path of the files and directories to understand. Please note the full path is not recorded by default; the following commands should be executed:

# to delete the implicit rule for not auditing
auditctl -d never,task
# to enable full auditing
auditctl -w /etc/shadow -p w -k shadow-write

and the task reproduced while httpd_t is in permissive domain or the system in permissive mode. Then please share the full audit logs.
Is the information in bug 1670836 sufficient?
(In reply to Zdenek Pytela from comment #5)
> Hi,
>
> Thank you for reporting the issue. We need to see the full path of the files
> and directories to understand. Please note full path is not recorded by
> default, the following commands should be executed:

All right. Hopefully that will help. This does also affect RHEL7 and RHEL8. The biggest problem is that selinux prevents access to /var/log/cacti/cacti.log

# auditctl -l
-w /etc/shadow -p w -k shadow-write

type=AVC msg=audit(1549891315.833:276): avc: denied { write } for pid=2410 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891315.833:276): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7ffdfd070f10 a2=2 a3=0 items=1 ppid=980 pid=2410 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891315.833:276): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891315.833:276): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891315.833:276): proctitle=7068702D66706D3A20706F6F6C20777777
type=AVC msg=audit(1549891315.988:277): avc: denied { unlink } for pid=2410 comm="php-fpm" name="2431232275c6176f3f174c.tmp" dev="dm-0" ino=4325572 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891315.988:277): arch=c000003e syscall=87 success=yes exit=0 a0=7f9b7246c6f8 a1=1 a2=7f9b729c44c0 a3=7f9b729af660 items=2 ppid=980 pid=2410 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891315.988:277): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891315.988:277): item=0 name="/usr/share/cacti/log/" inode=4326705 dev=fd:00 mode=040775 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="apache" OGID="apache"
type=PATH msg=audit(1549891315.988:277): item=1 name="/usr/share/cacti/log/2431232275c6176f3f174c.tmp" inode=4325572 dev=fd:00 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891315.988:277): proctitle=7068702D66706D3A20706F6F6C20777777
type=AVC msg=audit(1549891440.912:278): avc: denied { map } for pid=2474 comm="php" path="/var/lib/cacti/cli/add_device.php" dev="dm-0" ino=4326591 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891440.912:278): arch=c000003e syscall=9 success=yes exit=139632190590976 a0=0 a1=3a75 a2=1 a3=2 items=0 ppid=2470 pid=2474 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php" exe="/usr/bin/php" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=MMAP msg=audit(1549891440.912:278): fd=4 flags=0x2
type=PROCTITLE msg=audit(1549891440.912:278): proctitle=2F62696E2F706870002D71002F7573722F73686172652F63616374692F636C692F6164645F6465766963652E706870002D2D6465736372697074696F6E3D4C6F63616C204C696E7578204D616368696E65002D2D69703D6C6F63616C686F7374002D2D74656D706C6174653D33002D2D6E6F7465733D496E697469616C204361
type=AVC msg=audit(1549891441.272:279): avc: denied { getattr } for pid=2476 comm="df" path="/sys/kernel/config" dev="configfs" ino=18315 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1549891441.272:279): arch=c000003e syscall=4 success=yes exit=0 a0=559df3443880 a1=7ffe4d6682c0 a2=7ffe4d6682c0 a3=7ffe4d667dd0 items=1 ppid=2475 pid=2476 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="df" exe="/usr/bin/df" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891441.272:279): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891441.272:279): item=0 name="/sys/kernel/config" inode=18315 dev=00:27 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:configfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1549891441.272:279): proctitle=2F62696E2F6466002D50002D6B002D6C
type=AVC msg=audit(1549891614.599:280): avc: denied { write } for pid=2413 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891614.599:280): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7ffdfd070f10 a2=2 a3=0 items=1 ppid=980 pid=2413 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891614.599:280): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891614.599:280): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891614.599:280): proctitle=7068702D66706D3A20706F6F6C20777777
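A triage helper for audit output like the records in this thread, added here as an example and not code from the bug report, the cacti package or selinux-policy: it joins AVC and PATH records by audit serial (which is what the full-auditing request above makes possible) and groups the denied permissions by source type, target type and object class, so the paths whose label needs changing stand out. The sample records are constructed, modelled on the ones in this report with fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the AVC/PATH records in this report (fields trimmed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1549891315.833:276): avc: denied { write } for pid=2410 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=PATH msg=audit(1549891315.833:276): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL
type=AVC msg=audit(1549891315.988:277): avc: denied { unlink } for pid=2410 comm="php-fpm" name="2431232275c6176f3f174c.tmp" dev="dm-0" ino=4325572 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=PATH msg=audit(1549891315.988:277): item=0 name="/usr/share/cacti/log/" inode=4326705 dev=fd:00 mode=040775 obj=system_u:object_r:httpd_log_t:s0 nametype=PARENT
type=PATH msg=audit(1549891315.988:277): item=1 name="/usr/share/cacti/log/2431232275c6176f3f174c.tmp" inode=4325572 dev=fd:00 mode=0100644 obj=system_u:object_r:httpd_log_t:s0 nametype=DELETE
type=AVC msg=audit(1546536741.032:435): avc: denied { write } for pid=1405 comm="php-fpm" path="/var/lib/cacti/rra/1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

# Record type plus the audit serial that ties AVC, SYSCALL and PATH records together.
REC_RE = re.compile(r'^type=(?P<type>AVC|PATH) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$')
PERMS_RE = re.compile(r'\{ (?P<perms>[^}]+)\}')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"

def parse_kv(text):
    """Turn 'k=v k="quoted v"' into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(text)}

def type_of(ctx):
    """user:role:TYPE:level -> TYPE (the part a file-context rule changes)."""
    return ctx.split(':')[2]

def summarize_denials(audit_text):
    """Join AVC/PATH by serial; group by (source type, target type, class)."""
    events = defaultdict(lambda: {'avc': None, 'perms': set(), 'paths': {}})
    for line in audit_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        kv, ev = parse_kv(m.group('rest')), events[m.group('serial')]
        if m.group('type') == 'AVC':
            ev['avc'] = kv
            ev['perms'].update(PERMS_RE.search(line).group('perms').split())
        else:                                   # PATH: map inode -> full path
            ev['paths'][kv.get('inode')] = kv.get('name')
    summary = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for ev in events.values():
        if not (avc := ev['avc']):              # PATH records without a denial
            continue
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        # A full path is only present with full auditing on; fall back to path=, then name=.
        path = ev['paths'].get(avc.get('ino')) or avc.get('path') or avc.get('name')
        summary[key]['perms'] |= ev['perms']
        summary[key]['paths'].add(path)
    return dict(summary)
```

Feeding it the raw `ausearch -m AVC` output for one reproduction gives one row per (httpd_t, target type, class) with the concrete paths, which is the list that has to be matched against the package's file-context rules.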
Update: Most of the selinux related issues with cacti 1.2.x have been fixed with my commit here https://github.com/Cacti/cacti/pull/2420/commits/3fc790673c6dd0dd44e5f5a7794ff14ba61d9d29 In addition, I have optimized the package a bit with some selinux improvements. See: https://src.fedoraproject.org/rpms/cacti/c/9e12056612c46062de116fd61452917990a3e401?branch=master
cacti-1.2.2-1.fc29 cacti-spine-1.2.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3d8213c73
cacti-1.2.2-1.fc28 cacti-spine-1.2.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ab4e584ee2
cacti-1.2.2-1.fc28, cacti-spine-1.2.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ab4e584ee2
cacti-1.2.2-1.fc29, cacti-spine-1.2.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3d8213c73
cacti-1.2.2-1.fc29, cacti-spine-1.2.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
cacti-1.2.2-1.fc28, cacti-spine-1.2.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.