1890024 – SELinux prevents the fuser process from reading the /etc/httpd/run symlink

Bug 1890024 - SELinux prevents the fuser process from reading the /etc/httpd/run symlink

Summary: SELinux prevents the fuser process from reading the /etc/httpd/run symlink

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1900650
TreeView+	depends on / blocked

Reported:	2020-10-21 08:52 UTC by Milos Malik
Modified:	2021-01-07 18:19 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Clones:	1900650 (view as bug list)
Environment:
Last Closed:	2021-01-07 18:19:03 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Milos Malik 2020-10-21 08:52:31 UTC

Description of problem:

Version-Release number of selected component (if applicable):
httpd-2.4.46-4.fc34.x86_64
httpd-filesystem-2.4.46-4.fc34.noarch
httpd-tools-2.4.46-4.fc34.x86_64
selinux-policy-3.14.7-5.fc34.noarch
selinux-policy-devel-3.14.7-5.fc34.noarch
selinux-policy-minimum-3.14.7-5.fc34.noarch
selinux-policy-mls-3.14.7-5.fc34.noarch
selinux-policy-targeted-3.14.7-5.fc34.noarch
tmpwatch-2.11-17.fc33.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora Rawhide machine (targeted policy is active)
2. start the rsyslog service
3. start the httpd service
4. run the following automated TC:
 * /CoreOS/selinux-policy/Regression/tmpwatch-and-similar
5. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(10/21/2020 04:42:01.044:879) : proctitle=/usr/sbin/fuser -s ./file 
type=PATH msg=audit(10/21/2020 04:42:01.044:879) : item=0 name=/etc/httpd/run/cgisock.92668 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/21/2020 04:42:01.044:879) : cwd=/tmp/test 
type=SYSCALL msg=audit(10/21/2020 04:42:01.044:879) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55bbbb476550 a1=0x7ffe5eeae650 a2=0x7ffe5eeae650 a3=0x7f7bf640d3c0 items=1 ppid=101576 pid=101577 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fuser exe=/usr/sbin/fuser subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/21/2020 04:42:01.044:879) : avc:  denied  { read } for  pid=101577 comm=fuser name=run dev="vda1" ino=271693 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=lnk_file permissive=0 
----

Expected results:
 * no SELinux denials

Additional information:
# ls -lZ /etc/httpd/
total 12
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0  4096 Oct 21 04:34 conf
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0  4096 Oct 21 04:34 conf.d
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0  4096 Oct 21 04:34 conf.modules.d
lrwxrwxrwx. 1 root root system_u:object_r:httpd_log_t:s0       19 Aug 27 13:05 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root system_u:object_r:httpd_modules_t:s0   29 Aug 27 13:05 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root system_u:object_r:httpd_config_t:s0    10 Aug 27 13:05 run -> /run/httpd
lrwxrwxrwx. 1 root root system_u:object_r:httpd_config_t:s0    19 Aug 27 13:05 state -> ../../var/lib/httpd
#

Comment 1 Zdenek Pytela 2020-10-21 08:56:30 UTC

This is the current state of file context settings:
/etc/httpd(/.*)?                                   all files          system_u:object_r:httpd_config_t:s0 
/etc/httpd/alias(/.*)?                             all files          system_u:object_r:cert_t:s0 
/etc/httpd/alias/ipasession.key                    regular file       system_u:object_r:ipa_cert_t:s0 
/etc/httpd/conf/keytab                             regular file       system_u:object_r:httpd_keytab_t:s0 
/etc/httpd/logs                                    all files          system_u:object_r:httpd_log_t:s0 
/etc/httpd/modules                                 all files          system_u:object_r:httpd_modules_t:s0

Comment 2 Milos Malik 2020-10-21 08:57:27 UTC

The only SELinux denial which appears in permissive mode is:
----
type=PROCTITLE msg=audit(10/21/2020 04:55:01.260:884) : proctitle=/usr/sbin/fuser -s ./file 
type=PATH msg=audit(10/21/2020 04:55:01.260:884) : item=0 name=/etc/httpd/run/cgisock.92668 inode=124588 dev=00:1a mode=socket,700 ouid=apache ogid=root rdev=00:00 obj=system_u:object_r:httpd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/21/2020 04:55:01.260:884) : cwd=/tmp/test 
type=SYSCALL msg=audit(10/21/2020 04:55:01.260:884) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55e231546550 a1=0x7fffcb642d90 a2=0x7fffcb642d90 a3=0x7fa20c8763c0 items=1 ppid=110477 pid=110478 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fuser exe=/usr/sbin/fuser subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/21/2020 04:55:01.260:884) : avc:  denied  { read } for  pid=110478 comm=fuser name=run dev="vda1" ino=271693 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=lnk_file permissive=1 
----

Comment 5 Zdenek Pytela 2020-11-13 17:26:52 UTC

I wondered how tmpwatch got from /tmp to /etc and happened to find out fuser creates, among other things, internal list of processes listening on sockets on its startup. Apache httpd listens on /etc/httpd/run/cgisock.PID, so this AVC needs to be fixed in the policy unless the path in the code was changed.

Comment 6 Zdenek Pytela 2020-11-16 20:20:38 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/366

Note You need to log in before you can comment on or make changes to this bug.