Bug 190764 - Semodule -i is denied access for { search }
Semodule -i is denied access for { search }
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2006-05-04 19:30 EDT by Penelope Fudd
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-28 16:02:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
A cgi script to exercise the error. (Connect/disconnect to postgres) (345 bytes, text/plain)
2006-05-04 19:30 EDT, Penelope Fudd
no flags Details

  None (edit)
Description Penelope Fudd 2006-05-04 19:30:04 EDT
Description of problem:
I'm trying to get a cgi script to work that connects to the postgres database. 
The script is /var/www/html/db/index.cgi, the postgres socket is
/tmp/.s.PGSQL.5432, the audit record for the rejection is:

time->Thu May  4 15:58:03 2006
type=PATH msg=audit(1146783483.583:1177): item=0 flags=1  inode=22249482
dev=fd:00 mode=0140777 ouid=26 ogid=26 rdev=00:00
type=SOCKETCALL msg=audit(1146783483.583:1177): nargs=3 a0=4 a1=8edbbc8 a2=6e
type=SOCKADDR msg=audit(1146783483.583:1177):
type=SYSCALL msg=audit(1146783483.583:1177): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfc1c9b0 a2=25d374 a3=8edbba0 items=1 pid=17147
auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="index.cgi" exe="/usr/bin/perl"
type=AVC msg=audit(1146783483.583:1177): avc:  denied  { write } for  pid=17147
comm="index.cgi" name=".s.PGSQL.5432" dev=dm-0 ino=22249482
tcontext=system_u:object_r:postgresql_tmp_t:s0 tclass=sock_file

The command "audit2why < /tmp/audit.log | audit2allow > /tmp/dbcgi.pp" produces
the following output:
allow httpd_sys_script_t postgresql_tmp_t:sock_file write;

The command "semodule -i /tmp/dbcgi.pp" gives the following error:

semodule:  Could not read file '/tmp/dbcgi.pp':

Here is the output of ausearch -c semodule:

time->Thu May  4 16:31:00 2006
type=PATH msg=audit(1146785460.404:1335): item=0 name="/tmp/dbcgi.pp" flags=401
type=CWD msg=audit(1146785460.404:1335):  cwd="/home/croot"
type=SYSCALL msg=audit(1146785460.404:1335): arch=40000003 syscall=5 success=no
exit=-13 a0=94266a0 a1=0 a2=804a120 a3=4bbcc0 items=1 pid=17844 auid=0 uid=0
gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 comm="semodule"
type=AVC msg=audit(1146785460.404:1335): avc:  denied  { search } for  pid=17844
comm="semodule" name="tmp" dev=dm-0 ino=22249473
scontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:tmp_t:s0

Version-Release number of selected component (if applicable):

How reproducible:
All the time.

Steps to Reproduce:
1. semodule -i dbcgi.pp
Actual results:
Permission denied.

Expected results:
It should just work.

Additional info:
This fc5 system was installed from scratch 4 days ago.  Everything's been going
smoothly up 'til now.
Comment 1 Penelope Fudd 2006-05-04 19:30:04 EDT
Created attachment 128641 [details]
A cgi script to exercise the error.  (Connect/disconnect to postgres)
Comment 2 Penelope Fudd 2006-05-04 19:43:53 EDT
Additionally, touching /.autorelabel and rebooting didn't help.
Comment 3 Penelope Fudd 2006-05-04 19:48:57 EDT
Output of id:
uid=0(root) gid=0(root)

Output of ls -Z dbcgi.pp
-rw-r--r--  root     501      user_u:object_r:tmp_t            dbcgi.pp

Comment 4 Penelope Fudd 2006-05-04 19:52:34 EDT
Whoops, I may have made some progress; running system-config-securitylevel and
setting selinux to permissive allowed me to run semodule.

Now the cgi script is giving a different error; time to repeat the process.
Comment 5 Penelope Fudd 2006-05-04 20:00:16 EDT
Ok, problems fixed.

Is semodule designed to not work in enforcing mode?  I don't know whether this
is a feature or a bug.  :-)
Comment 6 Penelope Fudd 2006-05-04 20:03:41 EDT
One more comment: I installed phpPgAdmin, and it didn't have a problem
connecting to /tmp/s.PGSQL.5432.  Does this mean that php scripts have lower
security than cgi scripts?
Comment 7 Daniel Walsh 2006-05-05 10:53:57 EDT
Fixed in 2.2.38-1.fc5
Comment 8 Bojan Smojver 2006-05-22 17:48:14 EDT
Hmm, I don't think this was quite fixed yet. I'm getting this when trying to
install a module for clamd:

type=AVC msg=audit(1148334195.071:111): avc:  denied  { rmdir } for  pid=2536
comm="semodule" name="modules" dev=dm-0 ino=480853
tcontext=user_u:object_r:selinux_config_t:s0 tclass=dir

The policy isn't allowing directories under /etc/selinux/targeted/modules to be
removed, so the install fails in enforcing mode.
Comment 9 Daniel Walsh 2007-03-28 16:02:04 EDT
Closing bugs

Note You need to log in before you can comment on or make changes to this bug.