Bug 174301 - Targeted Policy Blocks Write Access to /etc/privoxy/user.action
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-11-27 15:46 UTC by Carsten Clasohm
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 1.27.1-2.15
Doc Type: Bug Fix
Last Closed: 2006-03-21 01:47:43 UTC
Type: ---



Description Carsten Clasohm 2005-11-27 15:46:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
Privoxy allows users to customize its behaviour via the Web interface. Changes to the configuration are saved in /etc/privoxy/user.action. With the targeted SELinux policy, Privoxy is not allowed to write this file.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.11

How reproducible:
Always

Steps to Reproduce:
1. Enable the targeted SELinux policy in enforcing mode.
2. Start the privoxy service.
3. Configure your browser to use localhost 8118 as its HTTP proxy.
4. Go to http://config.privoxy.org/edit-actions-list?f=user
5. Add some URL pattern to the first action.


Actual Results:  Privoxy will report that it cannot modify /etc/privoxy/user.action, and /var/log/messages contains this message:

avc:  denied  { write } for  pid=30533 comm="privoxy" name="user.action" dev=dm-0 ino=197288 scontext=root:system_r:privoxy_t tcontext=root:object_r:etc_t tclass=file


Expected Results:  Privoxy should be allowed to modify /etc/privoxy/user.action.


Additional info:

To fix this, I added this to local.fc:

/etc/privoxy/user\.action   --	system_u:object_r:privoxy_rc_t

And this to local.te:

type privoxy_rc_t, file_type;
allow privoxy_t privoxy_rc_t:file { getattr read write };

This should be placed into the respective program files.
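
Added example (not part of the original report or of the selinux-policy package): a small parser for the AVC denial quoted above that derives the allow rule a mechanical denial-to-rule translation would produce, and flags it because the target type etc_t is shared by many files, which is why the report labels the one file with a dedicated type instead. The function names and the SHARED_TYPES list are assumptions made for this illustration.

```python
import re

# The denial from the report, as logged in /var/log/messages.
SAMPLE_AVC = ('avc:  denied  { write } for  pid=30533 comm="privoxy" '
              'name="user.action" dev=dm-0 ino=197288 '
              'scontext=root:system_r:privoxy_t '
              'tcontext=root:object_r:etc_t tclass=file')

# Assumption: a short illustrative list of generic types shared by many
# unrelated files; it is not taken from any policy source.
SHARED_TYPES = {"etc_t", "usr_t", "var_t", "tmp_t", "bin_t", "lib_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if no match."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {"perms": m.group("perms").split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        fields[key] = value.strip('"')
    # A context is user:role:type (optionally followed by an MLS range).
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def naive_allow_rule(avc):
    """The rule a mechanical denial-to-rule translation would emit."""
    return "allow {} {}:{} {{ {} }};".format(
        avc["source_type"], avc["target_type"], avc["tclass"],
        " ".join(avc["perms"]))


def review(avc):
    """Flag rules whose target is a shared type and so over-grant access."""
    if avc["target_type"] in SHARED_TYPES:
        return ("too broad: grants {} on every {} labelled {}; relabel {} "
                "with a dedicated type instead".format(
                    "/".join(avc["perms"]), avc["tclass"],
                    avc["target_type"], avc["name"]))
    return "ok: target type is specific to one domain"


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(naive_allow_rule(avc))
    print(review(avc))
```

Run against the denial from this report, the naive rule targets etc_t and is flagged; the same denial logged after relabelling the file as privoxy_rc_t would pass the check.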

Comment 1 Daniel Walsh 2005-11-28 19:22:19 UTC
Fixed in selinux-policy-targeted-1.27.1-2.15

