Bug 1655281 - Socket location not covered by SELinux Policy
Summary: Socket location not covered by SELinux Policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fcgiwrap
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Andrew Bauer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-02 10:49 UTC by Juan Orti Alcaine
Modified: 2018-12-31 03:11 UTC (History)
1 user (show)

Fixed In Version: fcgiwrap-1.1.0-8.20181108git99c942c.fc29 fcgiwrap-1.1.0-8.20181108git99c942c.fc28 fcgiwrap-1.1.0-9.20181108git99c942c.fc28 fcgiwrap-1.1.0-9.20181108git99c942c.fc29 fcgiwrap-1.1.0-9.20181108git99c942c.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-13 02:15:57 UTC
Type: Bug


Attachments (Terms of Use)

Description Juan Orti Alcaine 2018-12-02 10:49:32 UTC
Description of problem:
The default socket location in /run/fcgiwrap.sock is not writable by the Apache or Nginx servers because of the SELinux policy.

# ls -laZ /run/fcgiwrap.sock
srw-rw----. 1 nginx nginx system_u:object_r:var_run_t:s0 0 dic  2 11:40 /run/fcgiwrap.sock


AVC avc:  denied  { write } for  pid=16137 comm="nginx" name="fcgiwrap.sock" dev="tmpfs" ino=5404007 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0


Version-Release number of selected component (if applicable):
fcgiwrap-1.1.0-7.20181108git99c942c.fc29.x86_64

Comment 1 Andrew Bauer 2018-12-02 18:40:38 UTC
Thank you for reporting this. It's good to know someone besides myself is using this package.

Strange, I am not seeing this on my system. The web application I am using works well with fcgiwrap and nginx. I see no avc denials with the sock file.


I am far from an expert on selinux though so let me ask you, how might you expect this to be solved? 

I notice the fcgiwrap package you've got in Copr suggests one put the sock file under /run/nginx/fcgiwrap.sock. Do you get the same avc denial in this case?


Or should I file an selinux bug report to get this resolved?

I'll keep digging.

Comment 2 Juan Orti Alcaine 2018-12-03 08:53:00 UTC
Hi,

Thanks for the package, I still use it for gitweb. I'm currently putting the socket in /var/run/nginx so it's covered by the SELinux policy and is created with the httpd_var_run_t label.

These are the locations with that label:

# semanage fcontext -l | grep httpd_var_run_t
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?      all files          system_u:object_r:httpd_var_run_t:s0 
/var/lib/php/session(/.*)?                         all files          system_u:object_r:httpd_var_run_t:s0 
/var/lib/php/wsdlcache(/.*)?                       all files          system_u:object_r:httpd_var_run_t:s0 
/var/opt/rh/rh-nginx18/run/nginx(/.*)?             all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/apache.*                                  all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/cherokee\.pid                             regular file       system_u:object_r:httpd_var_run_t:s0 
/var/run/dirsrv/admin-serv.*                       all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/gcache_port                               socket             system_u:object_r:httpd_var_run_t:s0 
/var/run/httpd.*                                   all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/lighttpd(/.*)?                            all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/mod_.*                                    all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/nginx.*                                   all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/php-fpm(/.*)?                             all files          system_u:object_r:httpd_var_run_t:s0 
/var/run/thttpd\.pid                               regular file       system_u:object_r:httpd_var_run_t:s0 
/var/run/wsgi.*                                    socket             system_u:object_r:httpd_var_run_t:s0 
/var/www/openshift/broker/httpd/run(/.*)?          all files          system_u:object_r:httpd_var_run_t:s0 
/var/www/openshift/console/httpd/run(/.*)?         all files          system_u:object_r:httpd_var_run_t:s0

Maybe a good solution can be to create a directory /var/run/fcgiwrap and make it labeled as httpd_var_run_t. I don't know if it's enough to do in the package:

# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'

or the main SELinux policy package has to include this change.

With the directory in place, I'd create the socket with %i, to be able to have several instances:

ListenStream=/run/fcgiwrap/fcgiwrap-%i.sock

Comment 3 Andrew Bauer 2018-12-03 18:07:21 UTC
Good idea.

I've patched my local service file according to your suggestion and created a bug report against selinux-policy:
https://bugzilla.redhat.com/show_bug.cgi?id=1655702

I will push out a new package shortly, with the following changes:

1) Updated fcgiwrap@.socket
---------------------------

[Unit]
Description=fcgiwrap Socket

[Socket]
ListenStream=/var/run/fcgiwrap/fcgiwrap-%i.sock
SocketUser=%i
SocketMode=0660
RuntimeDirectory=fcgiwrap

[Install]
WantedBy=sockets.target

2) Add README.SELinux that instructs the end user to modify their local policy while we wait for this change to be approved and trickle down:

# semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap(/.*)?'

Comment 4 Fedora Update System 2018-12-04 14:08:10 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

Comment 5 Fedora Update System 2018-12-04 14:17:00 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

Comment 6 Fedora Update System 2018-12-04 14:26:58 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

Comment 7 Fedora Update System 2018-12-05 03:06:49 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f1d6058782

Comment 8 Fedora Update System 2018-12-05 03:54:16 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-033cf7d73e

Comment 9 Fedora Update System 2018-12-05 03:59:06 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-2313a25f7d

Comment 10 Fedora Update System 2018-12-13 02:15:57 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-12-13 02:47:06 UTC
fcgiwrap-1.1.0-8.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Andrew Bauer 2018-12-15 02:53:42 UTC
Found and fixed a typo in the socket file. New packages are in testing.

Comment 13 Fedora Update System 2018-12-16 01:03:51 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d425be3696

Comment 14 Fedora Update System 2018-12-16 03:17:32 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bcdf4082e

Comment 15 Fedora Update System 2018-12-16 03:57:51 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-234ddd69fa

Comment 16 Fedora Update System 2018-12-24 01:48:34 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2018-12-24 06:07:17 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2018-12-31 03:11:00 UTC
fcgiwrap-1.1.0-9.20181108git99c942c.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.