Bug 221280 - selinux errors with mythtv and mythweb applications (from atrpms)
selinux errors with mythtv and mythweb applications (from atrpms)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-03 10:27 EST by Need Real Name
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-11 17:08:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2007-01-03 10:27:12 EST
Description of problem:
I am running the mythtv application using the rpms installed from the atrpm
repo. I reported the following selinux conflict (under the 'targeted' policy) to
the maintainer, but their philosophy has been pretty much to ignore (i.e.,
turn-off) selinux. So, I was wondering what is the best way to resolve such
conflicts (other than just running audit2allow on the avc errors)

--------------------------------------------------------------------------------

First, libmythavcodec (which is called by both mythtvsetup and the mythbackend
daemon) has an selinux conflict when run under the (default) 'targeted'
selinux policy.

Specifically, I get the following "avc: denied" errors:

avc:  denied  { execmod } comm="mythbackend"
name="libmythavcodec-0.20.so.0.20.0" scontext=user_u:system_r:initrc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
avc:  denied  { execmod } comm=mythtvsetup name=libmythavcodec-0.20.so.0.20.0
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
avc:  denied  { execmod } comm=ld-linux.so.2 name=libmythavcodec-0.20.so.0.20.0
scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file

audit2allow gives the following policy rules:

require {
        class file execmod;
        type initrc_t;
        type lib_t;
        type unconfined_t;
        role system_r;
};

allow initrc_t lib_t:file execmod;
allow unconfined_t lib_t:file execmod;
------------------------------------------------------------------------------

Second, mythweb gives the following selinux policy conflicts:

avc:  denied  { name_connect } comm=httpd scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { getattr } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { execute } comm=sh
name=hostnamescontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { read } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { execute_no_trans } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { search } comm=httpd name=/ dev=dm-1 ino=2
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
avc:  denied  { getattr } comm=httpd name=/ dev=dm-1 ino=2
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
avc:  denied  { getattr } comm=httpd dev=dm-1
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file
avc:  denied  { read } comm=httpd dev=dm-1
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Audit2allow suggests the following policy changes:

require {
        class dir { getattr search };
        class file { execute execute_no_trans getattr read };
        class tcp_socket name_connect;
        type file_t;
        type hostname_exec_t;
        type httpd_t;
        type port_t;
        role system_r;
};

allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:file { getattr read };
allow httpd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow httpd_t port_t:tcp_socket name_connect;

------------------------------------------------------------------------------

In summary, I am looking for the best way to correct these conflicts that will
be helpful not just to me but to any user of these rather popular applications.
(I know that I can always fix it using audit2allow but I am not sure that is the
best or most user-friendly way).

Please let me know what is the best approach:
1. Fixing the Fedora Core selinux policy?
2. Making changes to the mythtv/mythweb apps themselves?
3. Adding application-specific policy rules to the mythtv/mythweb rpms?
4. Just running audit2allow and adding to my local policy file? (that is what I
am doing now)
5. Nothing -- the applications are real security risks?
6. Other?

Again, I am an selinux newbie (despite having read the HOWTO's :) so I am really
not sure what is the best way to fix such conflicts and I always worry that a
little knowledge here can be dangerous :)

Thanks,
Jeff
Comment 1 Daniel Walsh 2007-01-03 16:34:51 EST
chcon -t textrel_shlib_t libmythavcodec-0.20.so.0.20.0

Should fix the execmod problems.  Installing setroubleshoot will help diagnose
problems.

THe other problem seems to be a badly mislabeled file system.  You have a
file/directory that is not labeled.  This is what file_t indicates.  You can
either label the file system using restorecon on mount it using a -o context=
switch.

Make sure you are up2date on policy also.

Please send me the full path to the execmod libraries.  And attaching the
audit.log would make it easier to diagnose.
Comment 2 Need Real Name 2007-01-14 12:41:25 EST
Daniel,
Can you clarify whether these problems are best fixed by doing the 'chcon' in
the rpm spec file or by changing the 'base' policy?

Also, the paths to the library are:
/usr/lib/libmythavcodec-0.20.so.0 -> libmythavcodec-0.20.so.0.2
/usr/lib/libmythavcodec-0.20.so.0.20 -> libmythavcodec-0.20.so.0.20.0*
/usr/lib/libmythavcodec-0.20.so.0.20.0*

Comment 3 Daniel Walsh 2007-01-15 10:12:29 EST
I will change the base policy.  The best place to fix this is to just fix the
library.  The library should not require execmod and is probably compiled
incorrectly or should be coded differently.

Updaded base policy will be in selinux-policy-2.4.6-27
http://people.redhat.com/~drepper/selinux-mem.html

Explains what execmod means.

Note You need to log in before you can comment on or make changes to this bug.