Bug 462318 - Multiple different specifications for /var/run/mod_fcgid(/.*)
Summary: Multiple different specifications for /var/run/mod_fcgid(/.*)
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_fcgid
Version: 8
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-15 11:43 UTC by Nicolas Chauvet (kwizart)
Modified: 2008-11-12 03:01 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-12 03:01:40 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Nicolas Chauvet (kwizart) 2008-09-15 11:43:55 UTC
Description of problem:On every Selinux related update I have this message (with mod_fcgid-selinux and mod_fcgid-selinux installed) on F-8 i386 :
-------------------
Téléchargement des paquetages :
(1/2): dhcpv6-0.10-52.fc8.i386.rpm                                                                               | 213 kB     00:00     
(2/2): dhcp-3.0.6-12.fc8.i386.rpm                                                                                | 866 kB     00:01     
----------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                   289 kB/s | 1.1 MB     00:03     
Lancement de rpm_check_debug
Lancement de la transaction de test
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/run/mod_fcgid(/.*)?  (system_u:object_r:httpd_fastcgi_var_run_t:s0 and system_u:object_r:httpd_var_run_t:s0).
Transaction de test terminée
-------------------


Version-Release number of selected component (if applicable): current version in stable F-8 repsotories (at least)


How reproducible: once every update or selinux action if mod_fcgid-selinux is installed.


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Paul Howarth 2008-09-15 13:10:00 UTC
Hmm, it looks like a context specification for /var/run/mod_fcgid(/.*)? has appeared in the main selinux-policy package that conflicts with the one in the mod_fcgid-selinux package. Whilst the message is harmless, it's annoying.

I see two options here:
1. Tweak mod_fcgid-selinux to specify the file contexts differently so that they silently override the base policy, or
2. Move towards incorporating the mod_fcgid-selinux policy into the base policy package, and obsolete mod_fcgid-selinux.

Given that mod_fcgid-selinux seems to be quite stable (though I've no idea how many people actually use it), I think the latter option would be the better one.

Thoughts Dan?

Comment 2 Daniel Walsh 2008-09-15 15:14:42 UTC
Yes lets role it into the base policy.

Comment 3 Paul Howarth 2008-09-15 15:33:24 UTC
OK, can you pull the module source from CVS (the mod_fcgid package), or do you want me to attach it to this ticket?

Let me know which package release this is going into and I'll do a version of mod_fcgid without the -selinux subpackage and add Obsoletes/Conflicts like:

Obsoletes: mod_fcgid-selinux < %{version}-%{release}
Conflicts: selinux-policy < version-release-containing-this-policy

Are you going to do updates for F8, F9, and Rawhide for this?

Comment 4 Daniel Walsh 2008-09-15 16:26:05 UTC
After looking at your policy, I am not sure we want to add it.  cgi scripts should run as httpd_sys_script_t whether they are run traditionally or in fastcgi.

So shouldn't fastcgi just be labeled httpd_sys_script_exec_t?

Comment 5 Paul Howarth 2008-09-15 22:07:07 UTC
It could be; I initially separated them out because FastCGI needed a few extra allow rules that weren't in the regular sys_script policy and it was an opportunity to separate the scripts I was using into different domains.

I've no objection to merging the two as long as the extra rules are included.

Comment 6 Daniel Walsh 2008-09-16 13:20:57 UTC
What are the extra rules?

I really am not an expert on apache or fast-cgi.  What would fast-cgi do if it came upon a script labeled httpd_bugzilla_script_exec_t, can we get it to transition to httpd_bugzilla_script_t, like httpd_t would?  Maybe with a boolean?

Comment 7 Paul Howarth 2008-09-16 13:46:15 UTC
FastCGI processes are like regular CGIs except that they are longer-lived and serve multiple requests. Instead of communicating with httpd over stdin, they use unix-domain sockets.

The rules I have that aren't directly cribbed from the httpd_sys_script policy (though some might be there now) are:

kernel_read_kernel_sysctls(httpd_fastcgi_script_t)

# Allow FastCGI applications to do DNS lookups
sysnet_dns_name_resolve(httpd_fastcgi_script_t)

==> those two might be in the regular policy by now?

# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
allow httpd_fastcgi_script_t httpd_sys_content_t:dir { search_dir_perms };

==> Those shouldn't be needed if merging sys and fastcgi

# Allow FastCGI applications to read the routing table
allow httpd_fastcgi_script_t self:netlink_route_socket { r_netlink_socket_perms };

==> Virtually everything seems to need that...

# Allow httpd to create and use files and sockets for communicating with mod_fcgid
manage_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
manage_sock_files_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)
setattr_dirs_pattern(httpd_t,httpd_fastcgi_var_run_t,httpd_fastcgi_var_run_t)

==> can map httpd_fastcgi_var_run_t to httpd_var_run_t and it should just work?

# Allow httpd to read httpd_fastcgi_content_t
allow httpd_t httpd_fastcgi_content_t:dir list_dir_perms;
read_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)
read_lnk_files_pattern(httpd_t,httpd_fastcgi_content_t,httpd_fastcgi_content_t)

==> should just work after mapping httpd_fastcgi_content_t to httpd_sys_content_t?

# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

==> At last, the "extra rules" ;-)

# These are probably leaked file descriptors
dontaudit httpd_t devpts_t:chr_file ioctl;
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;

==> Apache don't seem to regard these as bugs, do they?


Regarding bugzilla, a FastCGI version of it would be a different script, and would probably need the extra rules for FastCGI adding to the bugzilla policy too.

Comment 8 Nicolas Chauvet (kwizart) 2008-10-21 00:22:48 UTC
Any news on the status of this bug ?

Comment 9 Paul Howarth 2008-10-21 00:28:32 UTC
FastCGI policy is going to get merged into the standard httpd policy real soon now...

Comment 10 Daniel Walsh 2008-10-21 13:19:57 UTC
Fixed in selinux-policy-3.0.8-122.fc8

Comment 11 Paul Howarth 2008-10-21 13:26:38 UTC
I trust the same fix will be applied in F-9 and Rawhide too? I'd like to know the version/releases for those too so I can build new mod_fcgid packages without the -selinux subpackages and have them conflict with selinux-policy packages that don't contain the merged policy.

Comment 12 Daniel Walsh 2008-10-21 13:37:34 UTC
I am obsoleting your package, so I don't think you need to do anything.

Other then stop shipping it.

selinux-policy-3.5.13-3.fc10
selinux-policy-3.3.1-104.fc9

Comment 13 Paul Howarth 2008-10-21 14:10:59 UTC
I need to do a rebuild to remove the -selinux subpackage and to modify the SELinux advice currently in a README in that package (and move that README to the main package). The advice in that README will be wrong if the user has a version of selinux-policy prior to the ones with the fixes, hence my desire to add versioned conflicts. I can't add a versioned dependency instead because that would then require selinux-policy for a package that should work just fine on a system with no SELinux installed.

Comment 14 Daniel Walsh 2008-10-21 15:26:33 UTC
Yes, but selinux-policy-targeted will cause you -selinux package to be removed.

Comment 15 Paul Howarth 2008-10-21 15:39:06 UTC
Yes, but that's not the problem I'm trying to solve. I'm trying to avoid the situation where someone has got a system that's not fully up to date (e.g. fresh install) and just installs the new mod_fcgid package and expects it to work with SELinux, which it won't unless selinux-policy is updated. I'm trying to enforce a policy update but without actually adding a dependency on policy basically.

Will the change make it to EL-5 eventually? I have an EPEL-5 version that includes the policy module, which I guess will need to stay around a while yet.

Comment 16 Fedora Update System 2008-10-24 15:15:03 UTC
mod_fcgid-2.2-6.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/mod_fcgid-2.2-6.fc8

Comment 17 Fedora Update System 2008-10-24 23:51:50 UTC
mod_fcgid-2.2-6.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mod_fcgid'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-9164

Comment 18 Fedora Update System 2008-11-12 03:01:37 UTC
mod_fcgid-2.2-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.