Bug 232476 - allow httpd write access to /var/cache/mod_proxy/*
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2007-03-15 18:14 UTC by Joe Orton
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0741
Doc Type: Bug Fix
Last Closed: 2007-11-15 16:07:02 UTC


Attachments
content from audit.log (4.51 KB, text/plain), 2007-10-09 00:11 UTC, Josef Kubin


Links
System ID: Red Hat Product Errata RHBA-2007:0741
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-11-14 17:04:04 UTC

Description Joe Orton 2007-03-15 18:14:47 UTC
Description of problem:
The httpd process should be allowed write/search/read/etc/create- access within
/var/cache/mod_proxy/ - this directory can be configured for disk caching.

httpd will create subdirectories, delete subdirectories, create, read, write
files within there.

Comment 1 Daniel Walsh 2007-06-21 13:06:48 UTC
Fixed in selinux-policy-targeted-1.17.30-2.146

Comment 2 RHEL Program Management 2007-06-26 15:25:47 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 5 Josef Kubin 2007-10-09 00:11:29 UTC
Created attachment 220351
content from audit.log

It needs additional configuration in policy ...

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.148.noarch

Comment 6 Daniel Walsh 2007-10-15 13:51:22 UTC
The directory is still mislabeled.  restorecon -R -v /var/cache/mod_proxy should
fix.
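
Added example, not part of the original thread: a triage helper for the question raised in comments 5 and 6 (missing policy rule versus mislabeled directory). It groups httpd AVC denials by target type; the sample records are constructed, and `httpd_cache_t` as the expected type for the cache directory is an assumption.

```shell
#!/bin/sh
# Constructed sample AVC records (NOT the attachment from this bug).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1191888600.101:41): avc:  denied  { write } for  pid=2101 comm="httpd" name="mod_proxy" dev=dm-0 ino=98311 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1191888600.102:42): avc:  denied  { add_name } for  pid=2101 comm="httpd" name="aptmpXYZ" scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1191888601.310:43): avc:  denied  { read } for  pid=2250 comm="ntpd" name="drift" dev=dm-0 ino=5512 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1191888700.007:51): avc:  denied  { unlink } for  pid=2101 comm="httpd" name="x.data" dev=dm-0 ino=98320 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_cache_t tclass=file
EOF
}

# summarize_denials SRC_TYPE EXPECTED_TYPE  (audit records on stdin)
# Output per (target type, class): count type class perms verdict
#   policy-gap  = target already has the expected label, so a rule is missing
#   check-label = target carries another type; compare with file_contexts
summarize_denials() {
  awk -v src="$1" -v want="$2" '
    /avc: +denied/ {
      s = ""; t = ""; c = ""; np = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }  # user:role:type
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        if ($i == "{")
          for (j = i + 1; j <= NF && $j != "}"; j++) pl[++np] = $j
      }
      if (s != src) next              # only the domain being triaged
      k = t " " c; cnt[k]++
      for (j = 1; j <= np; j++)       # collect each permission once per group
        if (!seen[k, pl[j]]++) perms[k] = perms[k] (perms[k] ? "," : "") pl[j]
    }
    END {
      for (k in cnt) {
        split(k, f, " ")
        print cnt[k], f[1], f[2], perms[k], (f[1] == want ? "policy-gap" : "check-label")
      }
    }' | sort -k2
}

# httpd_cache_t as the expected type is an assumption for illustration.
sample_avc | summarize_denials httpd_t httpd_cache_t
```

Denials reported as `check-label` are the ones a relabel such as the `restorecon` in comment 6 can resolve; `policy-gap` lines persist after relabeling and need a policy update.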

Comment 7 Josef Kubin 2007-10-16 21:21:13 UTC
Yes, it fixes the problem. But it isn't a good solution - the scriptlet in the rpm
package should reliably autorelabel the filesystem to avoid such a situation ...

Comment 8 Josef Kubin 2007-10-16 21:49:19 UTC
BTW the rpm postinstall scriptlet contains a bug:

... && fixfiles -l /dev/null -C /etc/s....

fixfiles for RHEL4 doesn't have switches -l and -C

The bug apparently appears in case of missing or empty
/etc/selinux/targeted/src/policy/Makefile

Comment 10 Josef Kubin 2007-10-16 22:16:23 UTC
OOPS! `man fixfiles` should be updated for RHEL4.
see https://bugzilla.redhat.com/show_bug.cgi?id=335441

Comment 11 Daniel Walsh 2007-10-17 04:20:21 UTC
So do we have a bug or not?

Comment 13 errata-xmlrpc 2007-11-15 16:07:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html


