Bug 426767 - selinux problems running mythweb
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
Priority: low  Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-12-25 22:48 EST by Need Real Name
Modified: 2008-01-15 14:02 EST

Fixed In Version: selinux-policy-3.0.8-57.fc8
Doc Type: Bug Fix
Doc Text:
Last Closed: 2008-01-15 14:02:08 EST
Description Need Real Name 2007-12-25 22:48:02 EST
I am using the ATrpms mythweb package from the mythtv suite. If you are not
familiar with it, mythweb is basically a web browser that allows you to remotely
control many aspects of mythtv over the web.

Mythweb needs to connect to mythbackend (default on port 6543) and also
somewhere needs to run the command 'hostname'. Both of these actions are creating
selinux errors as follows:

SELinux is preventing the http daemon from connecting to network port 6543
Detailed Description
    SELinux has denied the http daemon from connecting to 6543. An httpd script
    is trying to do a network connect to a remote port. If you did not setup
    httpd to network connections, this could signal a intrusion attempt.

avc: denied { name_connect } for comm=httpd dest=6543 egid=48 euid=48
exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 pid=2757
scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0
suid=48 tclass=tcp_socket tcontext=system_u:object_r:port_t:s0 tty=(none) uid=48

    SELinux is preventing the sh from using potentially mislabeled files
    /bin/hostname (hostname_exec_t).

Detailed Description
    SELinux has denied the sh access to potentially mislabeled files
    /bin/hostname.  This means that SELinux will not allow httpd to use these
    files.  Many third party apps install html files in directories that SELinux
    policy cannot predict.  These directories have to be labeled with a file
    context which httpd can access.

avc: denied { getattr } for comm=sh dev=sda7 egid=48 euid=48 exe=/bin/bash
exit=-13 fsgid=48 fsuid=48 gid=48 items=0 path=/bin/hostname pid=5186
scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0
suid=48 tclass=file tcontext=system_u:object_r:hostname_exec_t:s0 tty=(none)

Is this something that you can fix in the targeted policy or is it something
that the mythtv packager should fix? (I am cc'ing Axel here)
Comment 1 Daniel Walsh 2007-12-31 07:16:34 EST
You can turn on the boolean

setsebool -P httpd_can_network_connect=1

To allow apache to connect to ports.

You can update policy for hostname by executing the following.
# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

I will fix policy for hostname in selinux-policy-3.0.8-73.fc8
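The two fixes in Comment 1 differ in blast radius: the boolean opens httpd_t to every TCP port (the denied target is port_t, the generic label for unreserved ports such as 6543), while `audit2allow -M mypol -i /var/log/audit/audit.log` turns every denial currently in the log into an allow rule, not just the hostname one. The following is an added example, not code from the bug report or from audit2allow itself: it parses the two AVC records quoted in the description (embedded here as constructed sample lines, rejoined onto one line each), emits the minimal module source audit2allow would produce so it can be reviewed before `semodule -i`, and flags denials that an existing boolean already covers. The `BOOLEAN_HINTS` table is a hand-written mapping for this case and is an assumption, not data read from the installed policy.

```python
"""Turn raw AVC denial lines into minimal SELinux module source (the .te that
`audit2allow -M mypol` generates) and flag denials an existing boolean covers.

Added example for this bug report; not the reporter's or audit2allow's code.
"""
import re
from collections import defaultdict

# Constructed sample input: the two denials from the report, one record per line.
SAMPLE_AVCS = [
    "avc: denied { name_connect } for comm=httpd dest=6543 egid=48 euid=48 "
    "exe=/usr/sbin/httpd exit=-13 pid=2757 scontext=system_u:system_r:httpd_t:s0 "
    "subj=system_u:system_r:httpd_t:s0 tclass=tcp_socket "
    "tcontext=system_u:object_r:port_t:s0 tty=(none) uid=48",
    "avc: denied { getattr } for comm=sh dev=sda7 egid=48 euid=48 exe=/bin/bash "
    "exit=-13 path=/bin/hostname pid=5186 scontext=system_u:system_r:httpd_t:s0 "
    "subj=system_u:system_r:httpd_t:s0 tclass=file "
    "tcontext=system_u:object_r:hostname_exec_t:s0 tty=(none) uid=48",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumed mapping (source type, target type, class, permission) -> boolean that
# already grants it. A real tool reads this from the policy; here it is hand-written.
BOOLEAN_HINTS = {
    ("httpd_t", "port_t", "tcp_socket", "name_connect"): "httpd_can_network_connect",
}


def parse_avc(line):
    """Extract permissions, source/target types and object class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type:level; the type is what allow rules are written against.
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
        "dest": fields.get("dest"),
    }


def suggest_booleans(denials):
    """Return the set of booleans that would already resolve some of the denials."""
    hints = set()
    for d in denials:
        for perm in d["perms"]:
            b = BOOLEAN_HINTS.get((d["stype"], d["ttype"], d["tclass"], perm))
            if b:
                hints.add(b)
    return hints


def build_module(denials, name="mypol", version="1.0"):
    """Render module source equivalent to what audit2allow -M writes to <name>.te."""
    # Merge permissions per (source, target, class) exactly as audit2allow does.
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = [d for d in (parse_avc(l) for l in SAMPLE_AVCS) if d]
    for b in suggest_booleans(denials):
        print(f"# covered by boolean: setsebool -P {b}=1")
    print(build_module(denials))
```

Reading the generated .te before loading it is the point: the `allow httpd_t port_t:tcp_socket { name_connect };` rule is the one the boolean replaces, so a tighter local module keeps only the hostname_exec_t rule. Once the policy update Comment 1 promises ships, the local module becomes redundant and can be dropped with `semodule -r mypol`.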
