Bug 234267 - sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors
Summary: sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2007-03-28 00:10 UTC by Need Real Name
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-17 15:39:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Type enforcement file for sensors cgi script (175 bytes, application/octet-stream) - 2007-04-03 14:01 UTC, Daniel Walsh
File context file for sensors cgi (97 bytes, application/octet-stream) - 2007-04-03 14:05 UTC, Daniel Walsh

Description Need Real Name 2007-03-28 00:10:20 UTC
I have compiled and added the cgi scripts that come in the lm_sensors tarball
(but are not included yet in the FC6 standard rpm, though they are included in
some other repos like ATrpms).

Running the cgi scripts generates the following avc: denied errors:

avc:  denied  { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

I can 'fix' it by adding them to my local.avc file but I was wondering whether
this should be added more cleanly and generally to the selinux targeted policy.

Thanks

BTW, am I the only one who actually runs selinux in 'enforcing' mode and thus
gets 'hit' by these denials? :)

Comment 1 Daniel Walsh 2007-04-03 13:59:54 UTC
To make this work correctly we would need to define a policy for lm_sensors and
a type for sensors.rrd. Then we define a policy httpd_sensors_script_t to read
the log file.



Comment 2 Daniel Walsh 2007-04-03 14:01:26 UTC
Created attachment 151562 [details]
Type enforcement file for sensors cgi script

I am attaching a te and fc file which can be used to build a policy module for
the sensors cgi scripts.

Comment 3 Daniel Walsh 2007-04-03 14:05:25 UTC
Created attachment 151563 [details]
File context file for sensors cgi

I was not sure of the path for the sensors cgi.

If you extract these files (the fc and the te file) to a directory, verify/fix
the path in the sensors.fc file.  Then execute the following commands to build
an selinux policy module.

#yum install selinux-policy-devel
#make -f /usr/share/selinux/devel/Makefile
#semodule -i sensors.pp
#restorecon PATHTOCGI

Now you should be able to run the cgi scripts.  If other avc messages appear
you can use audit2allow to generate more te rules.  Add these to the sensors.te
file, recompile and reload.
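Added example, not part of this bug report and not the attachments Daniel Walsh posted (those are not reproduced on this page). It puts the plan from Comment 1 and the build steps from Comment 3 into one script: a `sensors.te`/`sensors.fc` pair written in the shape described (a dedicated type for `sensors.rrd` plus an `httpd_sensors_script_t` domain for the CGI), the four build commands guarded so they only run where `selinux-policy-devel` is installed, and a small awk function that does the core of what `audit2allow` does with the two AVC lines from the report: merge the denied permissions per source type, target type and class into an `allow` rule. The refpolicy interface names (`apache_content_template`, `logging_log_file`, `logging_search_logs`, `read_file_perms`) are the ones I know from the reference policy, and the CGI path `/var/www/cgi-bin/sens_*.cgi` is an assumption, as Comment 3 itself says the real path was unknown.

```shell
#!/bin/sh
# Added example (not the bug's attachments). Interface names and the
# CGI path below are assumptions; adjust sensors.fc to the real location.

# Constructed sample input: the two denials quoted in the report, unwrapped.
SAMPLE_AVC='avc:  denied  { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin and print one allow rule per
# (source type, target type, class), with permissions merged and
# de-duplicated. This is the essence of what audit2allow does.
avc_to_allow() {
  awk '
  /avc: +denied/ {
    perms = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {                       # collect words up to "}"
        for (i++; i <= NF && $i != "}"; i++) perms = perms " " $i
      } else if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
      else if ($i ~ /^tcontext=/)   { split($i, t, ":"); tgt = t[3] }
      else if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
    }
    key = src " " tgt ":" cls
    if (!(key in plist)) { keys[++n] = key; plist[key] = "" }
    m = split(perms, p, " ")
    for (j = 1; j <= m; j++) {
      if (p[j] == "" || (key SUBSEP p[j]) in have) continue
      have[key SUBSEP p[j]] = 1
      plist[key] = (plist[key] == "") ? p[j] : plist[key] " " p[j]
    }
  }
  END { for (j = 1; j <= n; j++) printf "allow %s { %s };\n", keys[j], plist[keys[j]] }'
}

# write_policy_files DIR: the te/fc pair Comment 1 sketches. Assumed
# refpolicy interfaces: apache_content_template() creates the
# httpd_sensors_script_t domain and its *_exec_t/_content_t types.
write_policy_files() {
  dir=$1
  cat > "$dir/sensors.te" <<'EOF'
policy_module(sensors, 1.0.0)

# Domain and file types for the CGI scripts.
apache_content_template(sensors)

# Give the rrd database its own type instead of generic var_log_t,
# so the CGI does not gain read access to every log file.
type sensors_rrd_t;
logging_log_file(sensors_rrd_t)

# The CGI only needs to read the database (and traverse /var/log).
logging_search_logs(httpd_sensors_script_t)
allow httpd_sensors_script_t sensors_rrd_t:file read_file_perms;
EOF
  cat > "$dir/sensors.fc" <<'EOF'
/var/log/sensors\.rrd           --  gen_context(system_u:object_r:sensors_rrd_t,s0)
/var/www/cgi-bin/sens_.*\.cgi   --  gen_context(system_u:object_r:httpd_sensors_script_exec_t,s0)
EOF
}

# build_policy_module DIR: the commands from Comment 3, run only where the
# policy development tools exist so the script is harmless elsewhere.
build_policy_module() {
  dir=$1
  if ! command -v semodule >/dev/null 2>&1 || [ ! -f /usr/share/selinux/devel/Makefile ]; then
    echo "selinux-policy-devel / semodule not available; skipping build" >&2
    return 1
  fi
  (cd "$dir" && make -f /usr/share/selinux/devel/Makefile sensors.pp) &&
    semodule -i "$dir/sensors.pp" &&
    restorecon -v /var/log/sensors.rrd /var/www/cgi-bin/sens_*.cgi
}

# Demo: the rule audit2allow would derive from the report's two denials.
# Expected: allow httpd_sys_script_t var_log_t:file { read getattr };
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Two things the derived rule makes visible: the quick fix in the report (allowing `httpd_sys_script_t` to read `var_log_t`) lets every CGI on the host read every file under `/var/log`, which is why Comment 1 asks for a distinct type instead. And once `sensors.rrd` carries `sensors_rrd_t`, whatever updates it (the lm_sensors rrd cron job) needs write access to that type too, so expect a second round of denials from that side and feed them through the same `audit2allow` step.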

