Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files 9.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the httpd access to potentially mislabeled files 9. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_squirrelmail_t, squirrelmail_spool_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of 9 so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '9'. where FILE_TYPE is one of the following: httpd_squirrelmail_t, squirrelmail_spool_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                9 [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 31 Jan 2010 04:28:48 PM EET
Last Seen                     Sun 31 Jan 2010 04:28:48 PM EET
Local ID                      b27a0db8-e3db-4d9c-bd26-7ff4e287eb51
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1264948128.688:862): avc: denied { create } for pid=13605 comm="httpd" name="9" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1264948128.688:862): arch=40000003 syscall=39 success=yes exit=0 a0=b64bae10 a1=1ff a2=b765f868 a3=b64af0d8 items=0 ppid=13602 pid=13605 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-78.fc12,httpd_bad_labels,httpd,httpd_t,var_lib_t,dir,create

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t var_lib_t:dir create;
Background: I have fully set up Koji running on localhost.localdomain (all components) and otherwise Koji is working perfectly, but I'm getting lots of SELinux alerts. I'll probably report a few others soon; they'll all be related to Koji.
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files repodata.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the httpd access to potentially mislabeled files repodata. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_squirrelmail_t, squirrelmail_spool_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of repodata so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'repodata'. where FILE_TYPE is one of the following: httpd_squirrelmail_t, squirrelmail_spool_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                repodata [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.31.12-174.2.3.fc12.i686 #1 SMP Mon Jan 18 20:22:46 UTC 2010 i686 i686
Alert Count                   0
First Seen                    Sun 31 Jan 2010 04:31:38 PM EET
Last Seen                     Sun 31 Jan 2010 04:31:38 PM EET
Local ID                      beedf923-5d8d-4636-ae31-881dd844ea31
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1264948298.356:875): avc: denied { create } for pid=13675 comm="httpd" name="repodata" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1264948298.356:875): arch=40000003 syscall=39 success=yes exit=0 a0=b616fbc8 a1=1ff a2=b765f868 a3=87fdb0 items=0 ppid=13602 pid=13675 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
As is probably obvious from the straces above, Koji is configured to use /var/lib/koji. Basically all Koji operations where httpd is accessing files under /var/lib/koji are generating alerts.
Koji also creates files on the fly under /etc/mock/koji with contexts which are being changed by restorecon:

restorecon reset /etc/mock/koji/dist-foo-build-22-10.cfg context unconfined_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

Koji also creates files on the fly under /var/lib/mock with contexts which are being changed by restorecon:

restorecon reset /var/lib/mock/dist-foo-build-22-10/root context system_u:object_r:root_t:s0->system_u:object_r:var_lib_t:s0
One more thing about the generated files under /var/lib/mock, this might be applicable to both mock and koji. When running restorecon for /var one sees:

...
restorecon reset /var/lib/mock/dist-foo-build-26-15/root/dev/urandom context system_u:object_r:urandom_device_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/mock/dist-foo-build-26-15/root/sbin context system_u:object_r:bin_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /var/lib/mock/dist-foo-build-26-15/root/sbin/fdisk context system_u:object_r:fsadm_exec_t:s0->system_u:object_r:var_lib_t:s0
...
You need to set the labeling in such a way as httpd can write to these directories.

# semanage fcontext -a -t httpd_sys_content_rw_t '/var/lib/koji(/.*)?'
# restorecon -R -v /var/lib/koji
# semanage fcontext -a -t httpd_sys_content_rw_t '/etc/mock/koji(/.*)?'
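As an added example (not part of the bug thread or of the selinux-policy package), the following POSIX shell script parses an AVC record in the format pasted in the reports above, checks whether it is httpd_t being refused a write-class permission on a var_lib_t object, and in that case prints the same semanage/restorecon relabel commands given in the comment above for a directory prefix you supply. The sample AVC line is copied from the first report; the permission list and the helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example: turn an AVC denial into the relabel commands from the thread.
# It only prints the commands; it never runs semanage or restorecon itself.

# Constructed sample input: the AVC record from the first report above.
SAMPLE_AVC='type=AVC msg=audit(1264948128.688:862): avc: denied { create } for pid=13605 comm="httpd" name="9" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the KEY=value token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_rw_label LINE -> exit 0 when httpd_t is denied a write-class permission
# on a var_lib_t object (the situation in this bug), exit 1 otherwise.
# The set of write-class permissions is an assumption of this example.
needs_rw_label() {
    line=$1
    [ "$(ctx_type "$(avc_field "$line" scontext)")" = httpd_t ] || return 1
    [ "$(ctx_type "$(avc_field "$line" tcontext)")" = var_lib_t ] || return 1
    case "$(avc_perm "$line")" in
        create|write|add_name|remove_name|rename|unlink|setattr) return 0 ;;
        *) return 1 ;;
    esac
}

# relabel_cmds LINE DIR -> print the relabel commands for DIR, or a note if
# the denial is not the write-to-var_lib_t case this rule is meant for.
relabel_cmds() {
    if needs_rw_label "$1"; then
        printf "semanage fcontext -a -t httpd_sys_content_rw_t '%s(/.*)?'\n" "$2"
        printf 'restorecon -R -v %s\n' "$2"
    else
        printf '# no relabel suggested for permission: %s\n' "$(avc_perm "$1")"
    fi
}

relabel_cmds "$SAMPLE_AVC" /var/lib/koji
```

A read-only denial (for example getattr) is deliberately not mapped to the rw type, since the thread's fix is only for directories httpd must write to.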
Thanks for the instructions; now, after using my local Koji for a while, no more SELinux alerts are showing up. I'm CC'ing a Koji maintainer to see if he'd have any additional comments on this Koji/SELinux issue. Thanks!
Miroslav, can you set these as the default labels.
Fixed in selinux-policy-3.6.32-87.fc12
selinux-policy-3.6.32-89.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-89.fc12
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1836
Please note that koji-hub DOES NOT use /var/lib/mock. That is something only the build daemon (kojid) does. Getting kojid to work properly under selinux is going to be more complicated than koji-hub because of the use of chroots. Also note that /var/lib/koji is NOT a standard dir for any part of koji to use. As the reporter sort of indicated in comment 3, this is a directory they configured, not the default. Despite this, it seems mgrepl included /var/lib/koji(/.*)? in the selinux-policy update. It seems incorrect to me to include policy rules specific to one person's custom configuration.
Ok, although if it is likely that this directory name would be used for this purpose and unlikely that it would be used for a different purpose it would not be a problem. We are working to get mock to work with SELinux now, and if we get that working, I would doubt we will have that much problem getting koji to work. As long as each mock environment is treated as a black box to the host system and all processes running in the box have the same access rights, then SELinux could block users putting jobs into koji that make it do evil stuff, like using the network to attack other machines.
I'd be very happy if mock worked under selinux. I think the big issue is making it work for all reasonable chroot contents, including, for example, old versions of rhel.
selinux-policy-3.6.32-89.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #15)
> I'd be very happy if mock worked under selinux. I think the big issue is making
> it work for all reasonable chroot contents, including, for example, old
> versions of rhel.

I'm happily building packages (mainly server type ones rather than desktop ones, mind) for EL-3,4,5,6beta on a contemporary Fedora builder running mock 1.1.1 with SELinux in enforcing mode. For example: http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel3/x86_64/ If you've tried it, what difficulties did you encounter?