Description of problem:
I'm trying to get a cgi script to work that connects to the postgres database. The script is /var/www/html/db/index.cgi, the postgres socket is /tmp/.s.PGSQL.5432, and the audit record for the rejection is:

time->Thu May 4 15:58:03 2006
type=PATH msg=audit(1146783483.583:1177): item=0 flags=1 inode=22249482 dev=fd:00 mode=0140777 ouid=26 ogid=26 rdev=00:00
type=SOCKETCALL msg=audit(1146783483.583:1177): nargs=3 a0=4 a1=8edbbc8 a2=6e
type=SOCKADDR msg=audit(1146783483.583:1177): saddr=01002F746D702F2E732E504753514C2E35343332000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1146783483.583:1177): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc1c9b0 a2=25d374 a3=8edbba0 items=1 pid=17147 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="index.cgi" exe="/usr/bin/perl"
type=AVC msg=audit(1146783483.583:1177): avc: denied { write } for pid=17147 comm="index.cgi" name=".s.PGSQL.5432" dev=dm-0 ino=22249482 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file

The command "audit2why < /tmp/audit.log | audit2allow > /tmp/dbcgi.pp" produces the following output:

allow httpd_sys_script_t postgresql_tmp_t:sock_file write;

The command "semodule -i /tmp/dbcgi.pp" gives the following error:

semodule: Could not read file '/tmp/dbcgi.pp':

Here is the output of ausearch -c semodule:

time->Thu May 4 16:31:00 2006
type=PATH msg=audit(1146785460.404:1335): item=0 name="/tmp/dbcgi.pp" flags=401
type=CWD msg=audit(1146785460.404:1335): cwd="/home/croot"
type=SYSCALL msg=audit(1146785460.404:1335): arch=40000003 syscall=5 success=no exit=-13 a0=94266a0 a1=0 a2=804a120 a3=4bbcc0 items=1 pid=17844 auid=0 uid=0 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 comm="semodule" exe="/usr/sbin/semodule"
type=AVC msg=audit(1146785460.404:1335): avc: denied { search } for pid=17844 comm="semodule" name="tmp" dev=dm-0 ino=22249473 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
policycoreutils-1.30.1-3.fc5

How reproducible:
All the time.

Steps to Reproduce:
1. semodule -i dbcgi.pp
2.
3.

Actual results:
Permission denied.

Expected results:
It should just work.

Additional info:
This fc5 system was installed from scratch 4 days ago. Everything's been going smoothly up 'til now.
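The report above pipes an audit log through audit2why and audit2allow to turn an AVC denial into an allow rule. As an added illustration (not code from the bug report, and not audit2allow's own implementation), here is a small parser that extracts the fields audit2allow needs from raw AVC records and prints the rule in the same syntax; the log text is the three denials quoted in this thread, and the tmp_t check at the end is a triage heuristic I added, not something the tools do.

```python
import re

# Constructed sample: the three AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1146783483.583:1177): avc: denied { write } for pid=17147 comm="index.cgi" name=".s.PGSQL.5432" dev=dm-0 ino=22249482 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1146785460.404:1335): avc: denied { search } for pid=17844 comm="semodule" name="tmp" dev=dm-0 ino=22249473 scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1148334195.071:111): avc: denied { rmdir } for pid=2536 comm="semodule" name="modules" dev=dm-0 ino=480853 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir
"""

# "avc: denied { perm [perm ...] } for key=value ..." ; everything after "for" is key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of user:role:type[:mls], which is all an allow rule needs."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': type_of(fields['scontext']),
        'target_type': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rule(avc):
    """Render the denial as a policy allow rule in audit2allow's syntax."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s };'[:-1] % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'], avc['tclass'], perm_text)


def rules_from_log(text):
    """Unique allow rules, in order of first appearance, for every AVC denial in the log."""
    rules = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc and allow_rule(avc) not in rules:
            rules.append(allow_rule(avc))
    return rules


def touches_tmp(avc):
    """Heuristic: a denial on tmp_t often means a file was placed in /tmp that the domain
    is not meant to read; moving it is usually better than adding an allow rule."""
    return avc['target_type'] == 'tmp_t'


if __name__ == '__main__':
    for line in SAMPLE_AVCS.splitlines():
        avc = parse_avc(line)
        print(allow_rule(avc), '(target in /tmp)' if touches_tmp(avc) else '')
```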
Created attachment 128641: A cgi script to exercise the error. (Connect/disconnect to postgres)
Additionally, touching /.autorelabel and rebooting didn't help.
Output of id:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t

Output of ls -Z dbcgi.pp:
-rw-r--r-- root 501 user_u:object_r:tmp_t dbcgi.pp
Whoops, I may have made some progress; running system-config-securitylevel and setting selinux to permissive allowed me to run semodule. Now the cgi script is giving a different error; time to repeat the process.
Ok, problems fixed. Is semodule designed to not work in enforcing mode? I don't know whether this is a feature or a bug. :-)
One more comment: I installed phpPgAdmin, and it didn't have a problem connecting to /tmp/s.PGSQL.5432. Does this mean that php scripts have lower security than cgi scripts?
Fixed in 2.2.38-1.fc5
Hmm, I don't think this was quite fixed yet. I'm getting this when trying to install a module for clamd:

type=AVC msg=audit(1148334195.071:111): avc: denied { rmdir } for pid=2536 comm="semodule" name="modules" dev=dm-0 ino=480853 scontext=root:system_r:semanage_t:s0-s0:c0.c255 tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

The policy isn't allowing directories under /etc/selinux/targeted/modules to be removed, so the install fails in enforcing mode.
Closing bugs