Bug 234267 - sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-03-27 20:10 EDT by Need Real Name
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-05-17 11:39:59 EDT

Attachments
Type enforcement file for sensors cgi script (175 bytes, application/octet-stream)
2007-04-03 10:01 EDT, Daniel Walsh
File context file for sensors cgi (97 bytes, application/octet-stream)
2007-04-03 10:05 EDT, Daniel Walsh

Description Need Real Name 2007-03-27 20:10:20 EDT
I have compiled and added the cgi scripts that come in the lm_sensors tarball
(but are not included yet in the FC6 standard rpm, though they are included in
some other repos like ATrpms).

Running the cgi scripts generates the following avc: denied errors:

avc:  denied  { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

I can 'fix' it by adding them to my local.avc file but I was wondering whether
this should be added more cleanly and generally to the selinux targeted policy.

Thanks

BTW, am I the only one who actually runs selinux in 'enforcing' mode and thus
gets 'hit' by these denials? :)
Comment 1 Daniel Walsh 2007-04-03 09:59:54 EDT
To make this work correctly we would need to define a policy for lm_sensors and
a type for sensors.rrd. Then we define a policy httpd_sensors_script_t to read
the log file.

Comment 2 Daniel Walsh 2007-04-03 10:01:26 EDT
Created attachment 151562 [details]
Type enforcement file for sensors cgi script

I am attaching a te and fc file which can be used to build a policy module for
the sensors cgi scripts.
Comment 3 Daniel Walsh 2007-04-03 10:05:25 EDT
Created attachment 151563 [details]
File context file for sensors cgi

I was not sure of the path for the sensors cgi.

If you extract this file (fc) and the te file to a directory, verify/fix the
path in the sensors.fc file.  Then execute the following commands to build an
SELinux policy module.

# yum install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i sensors.pp
# restorecon PATHTOCGI

Now you should be able to run the cgi scripts. If other avc messages appear
you can use audit2allow to generate more te rules.  Add these to the sensors.te
file, recompile and reload.
