Bug 572812 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files apache_runtime_status.
Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:1d24dcf6dc4...
: 572817 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-12 04:25 UTC by Nikolay Bryskin
Modified: 2010-03-30 02:10 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 02:10:51 UTC
Type: ---


Attachments (Terms of Use)

Description Nikolay Bryskin 2010-03-12 04:25:38 UTC
Hash String generated from  httpd_bad_labels,piranha_gui,httpd_t,httpd_log_t,file,write
audit2allow suggests:

Comment 1 Daniel Walsh 2010-03-12 13:56:11 UTC
Please attach the full source of the data.  This looks like a bug in the paranha_gui which should only be appending to a log file not writing to it.

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

If it is blocking anything.

Comment 2 Nikolay Bryskin 2010-03-12 19:52:38 UTC
\u0421\u0432\u043e\u0434\u043a\u0430:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
apache_runtime_status.

\u041f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435:

SELinux has denied the piranha_gui access to potentially mislabeled files
apache_runtime_status. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, httpd_tmp_t,
httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t,
squirrelmail_spool_t, httpd_lock_t, httpd_rw_content, httpd_cache_t,
httpd_tmpfs_t, httpdcontent, httpd_munin_content_rw_t,
httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t,
httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t,
httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t,
httpd_awstats_content_rw_t, root_t, httpd_w3c_validator_content_rw_t,
httpd_user_content_rw_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

\u0420\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430:

If you want to change the file context of apache_runtime_status so that the
httpd daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE 'apache_runtime_status'.
where FILE_TYPE is one of the following: httpd_tmp_t, httpd_squirrelmail_t,
httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t, squirrelmail_spool_t,
httpd_lock_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpdcontent,
httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t,
httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t,
httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t,
httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t,
httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, root_t,
httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t. You can look at the
httpd_selinux man page for additional information.

\u0414\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0441\u0432\u0435\u0434\u0435\u043d\u0438\u044f:

\u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0435\u043a unconfined_u:system_r:httpd_t:s0
\u0426\u0435\u043b\u0435\u0432\u043e\u0439 \u043a\u043e\u043d\u0442\u0435\u043a\u0441 unconfined_u:object_r:httpd_log_t:s0
\u0426\u0435\u043b\u0435\u0432\u044b\u0435 \u041e\u0431\u044a\u0435\u043a\u0442\u044b apache_runtime_status [ file ]
\u0418\u0441\u0442\u043e\u0447\u043d\u0438\u043a              piranha_gui
\u041f\u0443\u0442\u044c \u043a \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\Uffffffff/usr/sbin/httpd
\u041f\u043e\u0440\u0442                      <\u041d\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e>
\u0423\u0437\u0435\u043b                      nikicat-laptop.butovo
\u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0435 \u043f\u0430\u043a\u0435\u0442\u044b httpd-2.2.14-1.fc12
\u0426\u0435\u043b\u0435\u0432\u044b\u0435 \u043f\u0430\u043a\u0435\u0442\u044b R 
RPM \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438          selinux-policy-3.6.32-92.fc12
Selinux \u0430\u043a\u0442\u0438\u0432\u043d\u0430        True
\u0422\u0438\u043f \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438       targeted
\u041f\u0440\u0438\u043d\u0443\u0434\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439  Enforcing
\u0418\u043c\u044f \u0434\u043e\u043f.\u043c\u043e\u0434\u0443\u043b\u044f    httpd_bad_labels
\u0418\u043c\u044f \u0443\u0437\u043b\u0430               nikicat-laptop.butovo
\u041f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430            Linux nikicat-laptop.butovo
                              2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41
                              UTC 2010 x86_64 x86_64
\u0421\u0447\u0435\u0442\u0447\u0438\u043a \u0443\u0432\u0435\u0434\u043e\u043c\u043b 5
\u041f\u0435\u0440\u0432\u044b\u0439 \u0437\u0430\u043c\u0435\u0447\u0435\u043d\u043d \u041f\u0442\u043d 12 \u041c\u0430\u0440 2010 07:24:31
\u041f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0439 \u0437\u0430\u043c\u0435\u0447 \u041f\u0442\u043d 12 \u041c\u0430\u0440 2010 07:31:43
\u041b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0439 ID         500d59f0-814c-45c4-82eb-c2b6437b9ba3
\u041d\u043e\u043c\u0435\u0440\u0430 \u0441\u0442\u0440\u043e\u043a       

\u0421\u044b\u0440\u044b\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f 

node=nikicat-laptop.butovo type=AVC msg=audit(1268368303.452:26188): avc:  denied  { write } for  pid=11531 comm="piranha_gui" name="apache_runtime_status" dev=dm-1 ino=4592401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

node=nikicat-laptop.butovo type=SYSCALL msg=audit(1268368303.452:26188): arch=c000003e syscall=2 success=no exit=-13 a0=7f0bedd99f80 a1=80001 a2=1b6 a3=7fffd1355a90 items=0 ppid=1 pid=11531 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="piranha_gui" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Comment 3 Daniel Walsh 2010-03-12 20:12:35 UTC
What is the path to the log file  if you change it to httpd_sys_content_rw_t, it would allow the access.

Comment 4 Marek Grac 2010-03-20 19:50:23 UTC
Works correctly after:

semanage fcontext -a -t httpd_sys_content_rw_t '/var/log/piranha(/.*)?'

should I add it to the post install script or it can be part of selinux policy?

Comment 5 Marek Grac 2010-03-20 19:56:25 UTC
*** Bug 572817 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2010-03-22 15:48:35 UTC
Marek, does http need to "write" to these log files or should it only be appending to them?   Can you change the php code to open these files for append?

Comment 7 Marek Grac 2010-03-22 17:08:27 UTC
@Daniel:

I'm not aware that in PHP we work with these log files. They are default log files created by apache, only reason why there are in different place is fact that we run our own httpd server.

Comment 8 Daniel Walsh 2010-03-22 18:23:26 UTC
Ok a better label is 

/var/log/piranha(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)


chcon -t httpd_log_t /var/log/piranha


Miroslav can you update policy.

Comment 9 Miroslav Grepl 2010-03-23 12:02:33 UTC
Fixed in selinux-policy-3.6.32-106.fc12

Comment 10 Fedora Update System 2010-03-23 18:02:26 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 11 Fedora Update System 2010-03-24 23:29:37 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 12 Fedora Update System 2010-03-30 02:09:11 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.