Bug 234266 - apcupsd web monitoring generates slew of avc denied errors
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-03-27 19:58 EDT by Need Real Name
Modified: 2007-12-21 09:30 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:12:37 EDT
Attachments:
apcupsd audits (728.81 KB, text/plain), 2007-04-12 14:23 EDT, Anthony Messina

Description Need Real Name 2007-03-27 19:58:39 EDT
Running apcupsd-3.12.4-4.fc6 generates multiple avc: denied errors when
attempting to read the apc status via a web browser (using multimon.cgi or
upsstats.cgi). (This occurs even when viewing from localhost).

I had to add the following lines to my local.avc file to make it work (note: I
stripped out generic info like pid or inode #)

avc:  denied  { create } comm="multimon.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
avc:  denied  { connect } comm="multimon.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
avc:  denied  { name_connect } comm="multimon.cgi" dest=3551 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { tcp_send } comm="multimon.cgi" saddr=127.0.0.1 src=51269 daddr=127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
avc:  denied  { tcp_send } comm="multimon.cgi" saddr=127.0.0.1 src=36872 daddr=127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
avc:  denied  { send_msg } comm="multimon.cgi" saddr=127.0.0.1 src=36875 daddr=127.0.0.1 dest=3551 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { tcp_recv } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=36878 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
avc:  denied  { tcp_recv } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=36880 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=node
avc:  denied { recv_msg } comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=55171 netif=lo scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { write } comm="multimon.cgi" dev=sockfs scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
avc:  denied  { read } comm="multimon.cgi" dev=sockfs scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
Comment 1 Daniel Walsh 2007-04-10 14:50:44 EDT
Fixed in selinux-policy-2.4.6-54
Comment 2 Need Real Name 2007-04-11 13:09:35 EDT
Did you test this?
Because I still get avc: denied errors even on selinux-policy-targeted-2.4.6.5

Also, not only does the web display not work, but even the cli display
'apcaccess' doesn't work.

Any suggestions?
(I'm assuming that a reboot wasn't required to get the new
selinux-policy-targeted to take effect)
Comment 3 Daniel Walsh 2007-04-11 13:54:07 EDT
I tested it somewhat on Rawhide.  What avc messages are you seeing?  You might
need to restart the service.
Comment 4 Anthony Messina 2007-04-12 14:02:39 EDT
I am using selinux-policy-2.4.6-54, and see the same issues as the OP.  It
appears as though selinux isn't favoring configs that are not standalone or the
monitoring of multiple ups.
Comment 5 Daniel Walsh 2007-04-12 14:17:32 EDT
What AVC messages are you seeing?
Comment 6 Anthony Messina 2007-04-12 14:23:38 EDT
Created attachment 152498 [details]
apcupsd audits

See attachment
Comment 7 Daniel Walsh 2007-04-12 15:55:26 EDT
Fixed in selinux-policy-2.4.6-56
Comment 8 Need Real Name 2007-04-20 00:15:05 EDT
OK. Some progress has been made in that starting/stopping the apcupsd service
and running apcaccess no longer generate errors.

However the cgi scripts such as multimon.cgi and upsstats.cgi still generate
slews of avc errors: (note these scripts are in the apcupsd-cgi rpm)

audit(1177041849.109:19): avc:  denied  { create } for  pid=14986 comm="multimon.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:20): avc:  denied  { connect } for  pid=14986 comm="multimon.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:21): avc:  denied  { name_connect } for  pid=14986 comm="multimon.cgi" dest=3551 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket
audit(1177041849.109:22): avc:  denied  { tcp_send } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
audit(1177041849.109:23): avc:  denied  { tcp_send } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=node
audit(1177041849.109:24): avc:  denied  { send_msg } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket
audit(1177041849.109:25): avc:  denied  { tcp_recv } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:netif_t:s0 tclass=netif
audit(1177041849.109:26): avc:  denied  { tcp_recv } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=node
audit(1177041849.109:27): avc:  denied  { recv_msg } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=3551 daddr=127.0.0.1 dest=39583 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket
audit(1177041849.109:28): avc:  denied  { write } for  pid=14986 comm="multimon.cgi" name="[1745604]" dev=sockfs ino=1745604 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041849.109:29): avc:  denied  { read } for  pid=14986 comm="multimon.cgi" name="[1745604]" dev=sockfs ino=1745604 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:30): avc:  denied  { create } for  pid=15081 comm="upsstats.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:31): avc:  denied  { connect } for  pid=15081 comm="upsstats.cgi" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:32): avc:  denied  { write } for  pid=15081 comm="upsstats.cgi" name="[1745800]" dev=sockfs ino=1745800 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177041911.763:33): avc:  denied  { read } for  pid=15081 comm="upsstats.cgi" name="[1745800]" dev=sockfs ino=1745800 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket


Hopefully third time will be the charm :)

Comment 9 Anthony Messina 2007-04-20 08:07:54 EDT
I do not get the errors in comment #8 when using selinux-policy-2.4.6-57.fc6.

However, I do get some trouble when issuing a "service apcupsd restart".
SELinux is preventing apcupsd (apcupsd_t) "signal" to <Unknown> (apcupsd_t).

avc: denied { signal } for comm="apcupsd" pid=7765 scontext=root:system_r:apcupsd_t:s0 tclass=process tcontext=root:system_r:apcupsd_t:s0

also, doing a restart changes the user on /var/lock/LCK.. from system_u to root
and changes the type from apcupsd_lock_t to var_lock_t

attempting a restorecon -v /var/lock/LCK.. alters the file to system_u and
var_lock_t

I do not get any of the above if the apcupsd daemon was started during boot.
It's only when I try to restart the service.
Comment 10 Daniel Walsh 2007-04-20 09:21:15 EDT
Comment #8 seems to show that your cgi scripts are mislabeled.
ls -lZ /var/www/apcupsd/
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t multimon.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsfstats.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsimage.cgi
-rwxr-xr-x  root root system_u:object_r:httpd_apcupsd_cgi_script_exec_t upsstats.cgi

You can restorecon -R -v /var/www/apcupsd
I will add the signal to the next update.   Not sure what apcupsd is doing with
the lock file.  The user changing from system_u <--> root is not that important,
as long as everything is functioning correctly.  If you want to add the signal
policy you can use grep apcupsd /var/log/audit/audit.log | audit2allow -M
myapcupsd and load the policy module.
Comment 11 Need Real Name 2007-04-20 11:42:33 EDT
Interesting, I indeed have:
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t multimon.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsfstats.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsimage.cgi*
-rwxr-xr-x  root   root   system_u:object_r:httpd_sys_content_t upsstats.cgi*

I never touched these files so not sure why they would be mislabeled. Anyway I
reinstalled the packages and the labeling is now correct and the cgi scripts no
longer give errors.

Could the problem be that the selinux policy updates require me to do a
'restorecon -R'? Otherwise, not sure why my labeling was messed up.

My other problems are now resolved, but now I noticed the 'signal' problem too.

audit(1177076992.106:41): avc:  denied  { signal } for  pid=29175 comm="apcupsd" scontext=user_u:system_r:apcupsd_t:s0 tcontext=user_u:system_r:apcupsd_t:s0 tclass=process

I have not noticed any lock issues. I have the following selinux ownership (both
before and after restart)
-rw-r--r--  root root user_u:object_r:apcupsd_lock_t   /var/lock/LCK..
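Comments #8, #10 and #11 show why the source context of a denial matters: the CGIs were running as httpd_sys_script_t because their files carried the wrong label, so the fix was restorecon rather than a new allow rule, whereas the apcupsd signal denial came from the expected apcupsd_t domain and really was a policy gap. As an added triage helper (not part of this bug report or of the apcupsd or selinux-policy projects), the script below parses AVC lines like those quoted above and separates the two cases; the EXPECTED_DOMAIN table is an assumption that the *_exec_t labels from comment #10 transition into like-named *_t domains.

```python
import re

# Constructed sample: three AVC records quoted in this bug report.
SAMPLE_AUDIT = """\
audit(1177041849.109:21): avc:  denied  { name_connect } for  pid=14986 comm="multimon.cgi" dest=3551 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket
audit(1177041849.109:28): avc:  denied  { write } for  pid=14986 comm="multimon.cgi" name="[1745604]" dev=sockfs ino=1745604 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
audit(1177076992.106:41): avc:  denied  { signal } for  pid=29175 comm="apcupsd" scontext=user_u:system_r:apcupsd_t:s0 tcontext=user_u:system_r:apcupsd_t:s0 tclass=process
"""

# Domain each program should run in once its executable is labeled correctly.
# Assumption: the *_exec_t labels in comment #10 transition to like-named *_t domains.
EXPECTED_DOMAIN = {
    "multimon.cgi": "httpd_apcupsd_cgi_script_t",
    "upsstats.cgi": "httpd_apcupsd_cgi_script_t",
    "apcupsd": "apcupsd_t",
}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["perms"] = sorted(m.group(1).split())
    return rec

def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def triage(text):
    """Map (comm, source type, tclass, perms) to a verdict: label problem or policy gap."""
    findings = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC denial (e.g. a yum or cron line)
        comm, sdom = rec["comm"], type_of(rec["scontext"])
        perms = " ".join(rec["perms"])
        expected = EXPECTED_DOMAIN.get(comm)
        if expected and sdom != expected:
            verdict = f"mislabeled: {comm} ran as {sdom}, expected {expected}; restorecon its executable"
        else:
            verdict = f"policy gap: {sdom} denied {perms} on {rec['tclass']}; review with audit2allow"
        findings[(comm, sdom, rec["tclass"], perms)] = verdict
    return findings
```

Running triage(SAMPLE_AUDIT) flags both multimon.cgi denials as a labeling problem and the apcupsd signal denial as a policy gap.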
Comment 12 Daniel Walsh 2007-08-22 10:12:37 EDT
Fixed in current release
Comment 13 Milan Antonijevic 2007-12-12 13:03:31 EST
audit(1177041849.109:24): avc:  denied  { send_msg } for  pid=14986 comm="multimon.cgi" saddr=127.0.0.1 src=39583 daddr=127.0.0.1 dest=3551 netif=lo scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:apcupsd_port_t:s0 tclass=tcp_socket

I was looking into this bug (cgi scripts connecting to tcp port in particular),
because I was still having problems, (even after a full update, and restorecon)
and found something similar (bug #244008).

Solution was simple, and worked for me:

setsebool -P httpd_can_network_connect=1

Hope it helps,
Milan
Comment 14 Anthony Messina 2007-12-12 17:33:01 EST
On F7, I have:
httpd_can_network_connect --> on
but still see this issue occasionally: once each time the cgi is called.
Comment 15 Milan Antonijevic 2007-12-13 02:42:14 EST
(In reply to comment #14)
> On F7, I have:
> httpd_can_network_connect --> on
> but still see this issue occasionally: once each time the cgi is called.

I think I have an F7 somewhere, so I will check when I find the time.

I tried solving the matter before on my boxes using audit2allow, so I'm not 100%
sure what exact steps led to solving the problem.

As for the multimon.cgi, is it working properly?
Comment 16 Anthony Messina 2007-12-13 06:18:21 EST
The function of all the cgi files seems to be unaffected -- they work properly 
as far as I can tell. But the socket audit error happens each time the cgi is 
accessed.
Comment 17 Need Real Name 2007-12-18 11:17:52 EST
Seems to all work for me with the latest policy updates.
Comment 18 Milan Antonijevic 2007-12-20 09:08:02 EST
Just checked it on an updated F7, which is already a web server.

selinux is Enforcing
httpd_can_network_connect is off. (?!?)

I just installed the latest version of apcupsd* from the yum repository

[root@station110 apcupsd]# rpm -qa |grep apc
apcupsd-3.14.2-1.fc7
apcupsd-gui-3.14.2-1.fc7
apcupsd-cgi-3.14.2-1.fc7

Configured access in /etc/httpd/conf.d/apcupsd.conf, and everything is working.
It is a network slave to apcupsd, but it still connects through the localhost port.

I am not getting any errors, except for some attempt of apcupsd to send mail:

type=AVC msg=audit(1198154272.689:47): avc:  denied  { read } for  pid=7820 comm="sendmail" name="RsGvfZKe" dev=dm-0 ino=448253 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:apcupsd_tmp_t:s0 tclass=file
type=AVC msg=audit(1198155495.047:48): avc:  denied  { read } for  pid=7869 comm="sendmail" name="RsCpzK7V" dev=dm-0 ino=448253 scontext=user_u:system_r:system_mail_t:s0 tcontext=user_u:object_r:apcupsd_tmp_t:s0 tclass=file

But that is another issue.

@amessina: which version of apcupsd and policy are you using?

Here is my version of policy:
[root@station110 ~]# rpm -qa | grep selinux-policy
selinux-policy-2.6.4-42.fc7
selinux-policy-targeted-2.6.4-42.fc7

Comment 19 Anthony Messina 2007-12-21 09:30:38 EST
apcupsd-3.14.2-1.fc7
selinux-policy-targeted-2.6.4-61.fc7

after the update this morning:
Dec 21 08:02:08 Updated: bind-libs - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:13 Updated: policycoreutils - 2.0.16-16.fc7.x86_64
Dec 21 08:02:15 Updated: bind - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:16 Updated: libexif - 0.6.15-3.fc7.x86_64
Dec 21 08:02:17 Updated: policycoreutils-gui - 2.0.16-16.fc7.x86_64
Dec 21 08:02:20 Updated: logwatch - 7.3.4-9.fc7.noarch
Dec 21 08:02:21 Updated: bind-utils - 31:9.4.2-2.fc7.x86_64
Dec 21 08:02:21 Updated: caching-nameserver - 31:9.4.2-2.fc7.x86_64

I don't seem to get the socket errors.  I AM using this cgi to monitor more
than just the local machine, using apcupsd's hosts.conf
