Bug 2122886 - SELinux is preventing caddy from 'read' accesses on the file /proc/sys/net/core/somaxconn.
Summary: SELinux is preventing caddy from 'read' accesses on the file /proc/sys/net/co...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:aed5ab3616543b096d4dd124f48...
Depends On:
Blocks:
 
Reported: 2022-08-31 07:37 UTC by Renich Bon Ciric
Modified: 2022-09-23 07:09 UTC (History)
CC: 8 users

Fixed In Version: selinux-policy-36.15-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-22 01:17:25 UTC
Type: ---
Embargoed:


Attachments:


Links:
GitHub fedora-selinux/selinux-policy pull 1363 (open): Allow httpd read network sysctls (last updated 2022-09-05 13:41:02 UTC)

Description Renich Bon Ciric 2022-08-31 07:37:33 UTC
Description of problem:
I just started caddy.
SELinux is preventing caddy from 'read' accesses on the file /proc/sys/net/core/somaxconn.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that caddy should be allowed read access on the somaxconn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'caddy' --raw | audit2allow -M my-caddy
# semodule -X 300 -i my-caddy.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/core/somaxconn [ file ]
Source                        caddy
Source Path                   caddy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.14-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.14-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.19.4-200.fc36.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Aug 25 17:42:04 UTC 2022
                              x86_64 x86_64
Alert Count                   1
First Seen                    2022-08-31 02:34:49 CDT
Last Seen                     2022-08-31 02:34:49 CDT
Local ID                      151f5189-44ee-4e43-94f2-5b1fe1d77c3b

Raw Audit Messages
type=AVC msg=audit(1661931289.0:328): avc:  denied  { read } for  pid=1907 comm="caddy" name="somaxconn" dev="proc" ino=30819 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0


Hash: caddy,httpd_t,sysctl_net_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-36.14-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.2
hashmarkername: setroubleshoot
kernel:         5.19.4-200.fc36.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2022-08-31 11:31:13 UTC
Full denials:
----
type=PROCTITLE msg=audit(08/31/2022 07:28:15.374:315) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(08/31/2022 07:28:15.374:315) : item=0 name=/proc/sys/net/core/somaxconn inode=18051 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/31/2022 07:28:15.374:315) : cwd=/
type=SYSCALL msg=audit(08/31/2022 07:28:15.374:315) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00036e160 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1677 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 07:28:15.374:315) : avc:  denied  { read } for  pid=1677 comm=caddy name=somaxconn dev="proc" ino=18051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(08/31/2022 07:29:44.819:320) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(08/31/2022 07:29:44.819:320) : item=0 name=/proc/sys/net/core/somaxconn inode=18051 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/31/2022 07:29:44.819:320) : cwd=/
type=SYSCALL msg=audit(08/31/2022 07:29:44.819:320) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00028f480 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1759 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 07:29:44.819:320) : avc:  denied  { open } for  pid=1759 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=18051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0

Comment 2 Milos Malik 2022-09-05 13:07:42 UTC
There are 2 services in the caddy package:

# rpm -ql caddy | grep service
/usr/lib/systemd/system/caddy-api.service
/usr/lib/systemd/system/caddy.service
#

Both of them trigger the same SELinux denials.

Enforcing mode:
----
type=PROCTITLE msg=audit(09/05/2022 15:03:21.222:435) : proctitle=/usr/bin/caddy run --environ --resume 
type=PATH msg=audit(09/05/2022 15:03:21.222:435) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/05/2022 15:03:21.222:435) : cwd=/ 
type=SYSCALL msg=audit(09/05/2022 15:03:21.222:435) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00029cda0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1816 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(09/05/2022 15:03:21.222:435) : avc:  denied  { read } for  pid=1816 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0 
----

Permissive mode:
----
type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume 
type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/05/2022 15:03:53.634:444) : cwd=/ 
type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { open } for  pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { read } for  pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1 
----

# rpm -qa selinux\* caddy\* | sort
caddy-2.4.6-4.fc36.x86_64
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
#
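
The setroubleshoot hint in the description builds a local module with audit2allow from every denial logged for comm 'caddy', which also sweeps in any unrelated denials on the host. As an added example (not code from this bug report, from the Fedora policy, or from the Caddy project), the POSIX shell below derives the minimal allow rule from AVC records, wraps it in a type-enforcement module source, and shows the checkmodule/semodule_package/semodule steps that load it at priority 300 next to the stock policy. The two AVC lines are constructed to match the read and open denials in comments 1 and 2; the module name my_caddy_sysctl and the function names are my own choices. Caddy is a Go program, and Go's net package reads /proc/sys/net/core/somaxconn only to size the listen backlog, falling back to a compiled-in default when the read fails, so the rule is a convenience rather than a requirement. A local module like this is a stopgap: remove it with `semodule -X 300 -r my_caddy_sysctl` once selinux-policy-36.15-1.fc36 is installed, and confirm the distribution rule with `sesearch -A -s httpd_t -t sysctl_net_t -c file -p read`.

```shell
#!/bin/sh
# Added example: derive a minimal SELinux allow rule from AVC records and package it
# as a local policy module. Not part of the bug report or of selinux-policy.

# Constructed sample (mirrors the read and open denials in comments 1 and 2, in the
# format that "ausearch --raw" prints). Sequence numbers and pids are made up.
SAMPLE_AVCS='type=AVC msg=audit(1661931289.0:328): avc:  denied  { read } for  pid=1907 comm="caddy" name="somaxconn" dev="proc" ino=30819 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1661931289.0:329): avc:  denied  { open } for  pid=1907 comm="caddy" path="/proc/sys/net/core/somaxconn" dev="proc" ino=30819 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0'

# avc_to_rules: read AVC records on stdin, print one
#   allow <source type> <target type>:<class> { perms };
# per (source, target, class) triple, merging the permissions of repeated denials.
# Only the type field (third colon-separated component) of each context is used.
avc_to_rules() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied *\{ */, "", perms); sub(/ *\}.*/, "", perms)
      src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":"); src = s[3]
      tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":"); tgt = t[3]
      cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      key = src " " tgt ":" cls
      if (!(key in seen)) { order[++n] = key; seen[key] = "" }
      m = split(perms, p, " ")
      for (i = 1; i <= m; i++)
        if (index(" " seen[key] " ", " " p[i] " ") == 0)
          seen[key] = (seen[key] == "") ? p[i] : seen[key] " " p[i]
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], seen[order[i]] }
  '
}

# rules_to_te NAME: read allow rules on stdin and emit a complete .te module source,
# including the require block that checkmodule needs for every type and class used.
rules_to_te() {
  awk -v name="$1" '
    /^allow / {
      rules[++n] = $0
      types[$2] = 1
      split($3, tc, ":"); types[tc[1]] = 1; cls = tc[2]
      perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
      m = split(perms, p, " ")
      for (i = 1; i <= m; i++)
        if (index(" " classperms[cls] " ", " " p[i] " ") == 0)
          classperms[cls] = (classperms[cls] == "") ? p[i] : classperms[cls] " " p[i]
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types) printf "\ttype %s;\n", t
      for (c in classperms) printf "\tclass %s { %s };\n", c, classperms[c]
      printf "}\n\n"
      for (i = 1; i <= n; i++) print rules[i]
    }
  '
}

# install_local_module NAME.te: compile and load the module (run as root; needs
# checkmodule and semodule_package from the policy tooling). Priority 300 matches the
# setroubleshoot suggestion; "semodule -X 300 -r NAME" removes it again later.
install_local_module() {
  name=${1%.te}
  checkmodule -M -m -o "$name.mod" "$name.te" &&
  semodule_package -o "$name.pp" -m "$name.mod" &&
  semodule -X 300 -i "$name.pp"
}

# On the affected host the pipeline would be:
#   ausearch -m AVC -c caddy --raw | avc_to_rules | rules_to_te my_caddy_sysctl > my_caddy_sysctl.te
#   install_local_module my_caddy_sysctl.te
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules | rules_to_te my_caddy_sysctl
```

The generated module only grants httpd_t the read and open permissions on sysctl_net_t files that the audit log actually shows, so it is easy to review before loading and easy to retire once the upstream rule from pull 1363 ships.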

Comment 3 Fedora Update System 2022-09-14 16:33:05 UTC
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

Comment 4 Fedora Update System 2022-09-15 02:21:31 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-09-22 01:17:25 UTC
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

