Bug 1644324 - avc denied php-fpm cacti logfile
Summary: avc denied php-fpm cacti logfile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cacti
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Morten Stevens
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1667665 1670836
Depends On:
Blocks:
Reported: 2018-10-30 14:19 UTC by Morten Stevens
Modified: 2019-03-06 15:28 UTC (History)
CC List: 9 users

Fixed In Version: cacti-1.2.2-1.fc29 cacti-1.2.2-1.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-06 06:58:00 UTC
Type: Bug
Embargoed:


Description Morten Stevens 2018-10-30 14:19:06 UTC
Description of problem:

Just testing fedora rawhide. If I access the cacti log file /var/log/cacti/cacti.log, I get an AVC denied error.

It looks like this only affects rawhide (fc30).

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-10.fc30.noarch

Actual results:

type=AVC msg=audit(1540908811.470:21988): avc:  denied  { write } for  pid=16834 comm="php-fpm" name="cacti.log" dev="sda3" ino=26194592 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1


Expected results:

no avc denied error

Comment 1 Morten Stevens 2019-01-04 15:40:17 UTC
Just testing with the latest selinux-policy, and I still get some avc denied errors. I think we need rw permissions (httpd_sys_rw_content_t) on /var/lib/cacti/rra and /var/log/cacti. This should fix most of the issues.

Version-Release number of selected component (if applicable):
cacti-1.2.0-1.fc30.noarch
selinux-policy-3.14.3-15.fc30.noarch

type=AVC msg=audit(1546615177.344:204): avc:  denied  { write } for  pid=1377 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1

There are also some other errors after upgrading from cacti-1.1.38 to the latest 1.2.0 release:

type=AVC msg=audit(1546536362.641:384): avc:  denied  { create } for  pid=1403 comm="php-fpm" name="738104805c2e45aa9d111.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.641:385): avc:  denied  { write } for  pid=1403 comm="php-fpm" path="/usr/share/cacti/resource/snmp_queries/738104805c2e45aa9d111.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.641:386): avc:  denied  { unlink } for  pid=1403 comm="php-fpm" name="738104805c2e45aa9d111.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536362.644:387): avc:  denied  { remove_name } for  pid=1403 comm="php-fpm" name="17318346835c2e45aa9dc52.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536362.644:388): avc:  denied  { unlink } for  pid=1403 comm="php-fpm" name="17318346835c2e45aa9dc52.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.685:408): avc:  denied  { write } for  pid=1403 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:409): avc:  denied  { create } for  pid=1403 comm="php-fpm" name="7945954045c2e45f7bcbc3.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:410): avc:  denied  { write } for  pid=1403 comm="php-fpm" path="/usr/share/cacti/resource/snmp_queries/7945954045c2e45f7bcbc3.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.772:411): avc:  denied  { unlink } for  pid=1403 comm="php-fpm" name="7945954045c2e45f7bcbc3.tmp" dev="dm-0" ino=1836991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536439.775:412): avc:  denied  { remove_name } for  pid=1403 comm="php-fpm" name="18221949175c2e45f7bd73d.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536439.775:413): avc:  denied  { unlink } for  pid=1403 comm="php-fpm" name="18221949175c2e45f7bd73d.tmp" dev="dm-0" ino=4325596 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536440.258:414): avc:  denied  { map } for  pid=3079 comm="php" path="/var/lib/cacti/cli/convert_tables.php" dev="dm-0" ino=4326151 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536610.732:428): avc:  denied  { write } for  pid=1403 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536615.011:431): avc:  denied  { write } for  pid=1402 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.031:432): avc:  denied  { write } for  pid=1405 comm="php-fpm" name="rra" dev="dm-0" ino=4326256 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.031:433): avc:  denied  { add_name } for  pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.032:434): avc:  denied  { create } for  pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.032:435): avc:  denied  { write } for  pid=1405 comm="php-fpm" path="/var/lib/cacti/rra/1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546536741.032:436): avc:  denied  { remove_name } for  pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1546536741.032:437): avc:  denied  { unlink } for  pid=1405 comm="php-fpm" name="1852721045c2e472507f3d.tmp" dev="dm-0" ino=4328039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

Comment 2 Morten Stevens 2019-01-19 15:26:32 UTC
*** Bug 1667665 has been marked as a duplicate of this bug. ***

Comment 3 Morten Stevens 2019-01-19 15:28:36 UTC
This bug also affects F29.

Comment 4 Morten Stevens 2019-01-30 13:46:51 UTC
*** Bug 1670836 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2019-02-08 15:31:13 UTC
Hi,

Thank you for reporting the issue. We need to see the full path of the files and directories to understand it. Please note that the full path is not recorded by default; the following commands should be executed:

# to delete the implicit rule for not auditing
auditctl -d never,task
# to enable full auditing
auditctl -w /etc/shadow -p w -k shadow-write

and the task reproduced while httpd_t is a permissive domain or the system is in permissive mode. Then please share the full audit logs.

Comment 7 Russell Odom 2019-02-08 18:17:13 UTC
Is the information in bug 1670836 sufficient?

Comment 8 Morten Stevens 2019-02-11 13:37:14 UTC

(In reply to Zdenek Pytela from comment #5)
> Hi,
> 
> Thank you for reporting the issue. We need to see the full path of the files
> and directories to understand. Please note full path is not recorded by
> default, the following commands should be executed:

All right. Hopefully that will help. This also affects RHEL7 and RHEL8.

The biggest problem is that selinux prevents access to /var/log/cacti/cacti.log.

# auditctl -l
-w /etc/shadow -p w -k shadow-write

type=AVC msg=audit(1549891315.833:276): avc:  denied  { write } for  pid=2410 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891315.833:276): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7ffdfd070f10 a2=2 a3=0 items=1 ppid=980 pid=2410 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891315.833:276): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891315.833:276): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891315.833:276): proctitle=7068702D66706D3A20706F6F6C20777777
type=AVC msg=audit(1549891315.988:277): avc:  denied  { unlink } for  pid=2410 comm="php-fpm" name="2431232275c6176f3f174c.tmp" dev="dm-0" ino=4325572 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891315.988:277): arch=c000003e syscall=87 success=yes exit=0 a0=7f9b7246c6f8 a1=1 a2=7f9b729c44c0 a3=7f9b729af660 items=2 ppid=980 pid=2410 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891315.988:277): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891315.988:277): item=0 name="/usr/share/cacti/log/" inode=4326705 dev=fd:00 mode=040775 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 OUID="apache" OGID="apache"
type=PATH msg=audit(1549891315.988:277): item=1 name="/usr/share/cacti/log/2431232275c6176f3f174c.tmp" inode=4325572 dev=fd:00 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891315.988:277): proctitle=7068702D66706D3A20706F6F6C20777777

type=AVC msg=audit(1549891440.912:278): avc:  denied  { map } for  pid=2474 comm="php" path="/var/lib/cacti/cli/add_device.php" dev="dm-0" ino=4326591 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891440.912:278): arch=c000003e syscall=9 success=yes exit=139632190590976 a0=0 a1=3a75 a2=1 a3=2 items=0 ppid=2470 pid=2474 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php" exe="/usr/bin/php" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=MMAP msg=audit(1549891440.912:278): fd=4 flags=0x2
type=PROCTITLE msg=audit(1549891440.912:278): proctitle=2F62696E2F706870002D71002F7573722F73686172652F63616374692F636C692F6164645F6465766963652E706870002D2D6465736372697074696F6E3D4C6F63616C204C696E7578204D616368696E65002D2D69703D6C6F63616C686F7374002D2D74656D706C6174653D33002D2D6E6F7465733D496E697469616C204361
type=AVC msg=audit(1549891441.272:279): avc:  denied  { getattr } for  pid=2476 comm="df" path="/sys/kernel/config" dev="configfs" ino=18315 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1549891441.272:279): arch=c000003e syscall=4 success=yes exit=0 a0=559df3443880 a1=7ffe4d6682c0 a2=7ffe4d6682c0 a3=7ffe4d667dd0 items=1 ppid=2475 pid=2476 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="df" exe="/usr/bin/df" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=stat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891441.272:279): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891441.272:279): item=0 name="/sys/kernel/config" inode=18315 dev=00:27 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:configfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 OUID="root" OGID="root"
type=PROCTITLE msg=audit(1549891441.272:279): proctitle=2F62696E2F6466002D50002D6B002D6C

type=AVC msg=audit(1549891614.599:280): avc:  denied  { write } for  pid=2413 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549891614.599:280): arch=c000003e syscall=257 success=yes exit=10 a0=ffffff9c a1=7ffdfd070f10 a2=2 a3=0 items=1 ppid=980 pid=2413 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=CWD msg=audit(1549891614.599:280): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891614.599:280): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 OUID="apache" OGID="apache"
type=PROCTITLE msg=audit(1549891614.599:280): proctitle=7068702D66706D3A20706F6F6C20777777
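
The AVC lines posted in comment 1 carry only name= and ino=, which is why comment 5 asks for the full audit events: once the watch rule is active, every event also gets PATH and PROCTITLE records, as in comment 8 above. The script below is an added example (not code from the bug report, nor from the cacti or selinux-policy projects) showing how a policy maintainer can triage such a dump offline: it groups raw audit records by event id, joins each AVC denial to the PATH item whose inode matches the AVC's ino= to recover the full path, decodes the hex-encoded proctitle, and tabulates which target types and permissions the httpd_t domain was denied. The sample log is a constructed subset of the records posted in this bug with the interpreted trailing fields removed; the helper names are my own, and an event without PATH records (the rra denial from comment 1) falls back to the bare name=, which is exactly the gap comment 5 describes.

```python
"""Join AVC denials with PATH/PROCTITLE records of the same audit event (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the audit records from this bug, one event per msg id.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549891315.833:276): avc:  denied  { write } for  pid=2410 comm="php-fpm" name="cacti.log" dev="dm-0" ino=4325873 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=CWD msg=audit(1549891315.833:276): cwd="/usr/share/cacti"
type=PATH msg=audit(1549891315.833:276): item=0 name="/var/log/cacti/cacti.log" inode=4325873 dev=fd:00 mode=0100664 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1549891315.833:276): proctitle=7068702D66706D3A20706F6F6C20777777
type=AVC msg=audit(1549891315.988:277): avc:  denied  { unlink } for  pid=2410 comm="php-fpm" name="2431232275c6176f3f174c.tmp" dev="dm-0" ino=4325572 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=PATH msg=audit(1549891315.988:277): item=0 name="/usr/share/cacti/log/" inode=4326705 dev=fd:00 mode=040775 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1549891315.988:277): item=1 name="/usr/share/cacti/log/2431232275c6176f3f174c.tmp" inode=4325572 dev=fd:00 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_log_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1549891315.988:277): proctitle=7068702D66706D3A20706F6F6C20777777
type=AVC msg=audit(1546536741.031:432): avc:  denied  { write } for  pid=1405 comm="php-fpm" name="rra" dev="dm-0" ino=4326256 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the { write unlink ... } set on AVC lines
MSG_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')      # the event id shared by all records of one event


def parse_record(line):
    """Split one audit line into a dict; quoted values are unquoted, AVC perms become a list."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    fields['event'] = m.group(1) if m else None
    m = PERMS_RE.search(line)
    if m:
        fields['perms'] = m.group(1).split()
    return fields


def group_events(text):
    """Map event id -> list of its records (AVC, SYSCALL, CWD, PATH, PROCTITLE, ...)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['event']].append(rec)
    return events


def sel_type(context):
    """'system_u:object_r:httpd_log_t:s0' -> 'httpd_log_t'."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def decode_proctitle(hexstr):
    """auditd hex-encodes proctitle when argv contains NULs; render argv separated by spaces."""
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return hexstr  # already plain text (auditd leaves simple titles unencoded)
    return raw.replace(b'\x00', b' ').decode('utf-8', 'replace')


def resolve_path(avc, records):
    """Recover the full path of the denied object from the event's PATH records.

    Prefer the PATH item whose inode equals the AVC ino=, then any item that is the
    object itself rather than its parent; fall back to what the AVC line carries.
    """
    paths = [r for r in records if r.get('type') == 'PATH']
    for r in paths:
        if avc.get('ino') and r.get('inode') == avc['ino']:
            return r['name']
    for r in paths:
        if r.get('nametype') in ('NORMAL', 'DELETE', 'CREATE'):
            return r['name']
    return avc.get('path') or avc.get('name')


def summarize_denials(text):
    """One summary dict per AVC denial, with the full path joined in where it was recorded."""
    out = []
    for event_id, records in group_events(text).items():
        proctitle = next((decode_proctitle(r['proctitle'])
                          for r in records if r.get('type') == 'PROCTITLE'), None)
        for avc in (r for r in records if r.get('type') == 'AVC'):
            out.append({
                'event': event_id,
                'comm': avc.get('comm'),
                'perms': avc.get('perms', []),
                'source': sel_type(avc['scontext']),
                'target': sel_type(avc['tcontext']),
                'tclass': avc.get('tclass'),
                'path': resolve_path(avc, records),
                'full_path_recorded': any(r.get('type') == 'PATH' for r in records),
                'permissive': avc.get('permissive') == '1',
                'proctitle': proctitle,
            })
    return out


def denials_by_target(text):
    """(target type, object class) -> sorted list of permissions denied on it."""
    table = defaultdict(set)
    for d in summarize_denials(text):
        table[(d['target'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in table.items()}


if __name__ == '__main__':
    for d in summarize_denials(SAMPLE_AUDIT_LOG):
        flag = '' if d['full_path_recorded'] else '  (no PATH record: enable full auditing)'
        print(f"{d['event']} {d['source']} -> {d['target']}:{d['tclass']} "
              f"{{ {' '.join(d['perms'])} }} {d['path']} [{d['proctitle']}]{flag}")
    for (ttype, tclass), perms in denials_by_target(SAMPLE_AUDIT_LOG).items():
        print(f"{ttype} {tclass}: {' '.join(perms)}")
```

Running it on a real dump means feeding the output of `ausearch -m AVC,SYSCALL,PATH,PROCTITLE --raw` in place of the constructed sample. The per-target table is the view that matters for the fix decision in this bug: denials on httpd_log_t files and on the httpd_sys_content_t rra directory point at a labelling question (which directories cacti legitimately writes), while the usr_t temporary files under /usr/share/cacti/resource point at the application writing where a web application should not.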

Comment 9 Morten Stevens 2019-02-25 12:59:14 UTC
Update:

Most of the selinux related issues with cacti 1.2.x have been fixed with my commit here https://github.com/Cacti/cacti/pull/2420/commits/3fc790673c6dd0dd44e5f5a7794ff14ba61d9d29
In addition, I have optimized the package a bit with some selinux improvements. See: https://src.fedoraproject.org/rpms/cacti/c/9e12056612c46062de116fd61452917990a3e401?branch=master

Comment 10 Fedora Update System 2019-02-25 13:01:36 UTC
cacti-1.2.2-1.fc29 cacti-spine-1.2.2-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3d8213c73

Comment 11 Fedora Update System 2019-02-25 13:03:16 UTC
cacti-1.2.2-1.fc28 cacti-spine-1.2.2-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-ab4e584ee2

Comment 12 Fedora Update System 2019-02-26 02:12:01 UTC
cacti-1.2.2-1.fc28, cacti-spine-1.2.2-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-ab4e584ee2

Comment 13 Fedora Update System 2019-02-26 04:11:11 UTC
cacti-1.2.2-1.fc29, cacti-spine-1.2.2-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d3d8213c73

Comment 14 Fedora Update System 2019-03-06 06:58:00 UTC
cacti-1.2.2-1.fc29, cacti-spine-1.2.2-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2019-03-06 15:28:02 UTC
cacti-1.2.2-1.fc28, cacti-spine-1.2.2-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.