Bug 573418 - SELinux is preventing /usr/bin/mono from using potentially mislabeled files file.
Summary: SELinux is preventing /usr/bin/mono from using potentially mislabeled files f...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:977cfc38967...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-14 18:32 UTC by Pete Gale
Modified: 2010-03-30 02:10 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 02:10:59 UTC
Type: ---


Attachments (Terms of Use)

Description Pete Gale 2010-03-14 18:32:10 UTC
Summary:

SELinux is preventing /usr/bin/mono from using potentially mislabeled files
file.

Detailed Description:

[mono has a permissive type (httpd_t). This access was not denied.]

SELinux has denied the mono access to potentially mislabeled files file. This
means that SELinux will not allow httpd to use these files. If httpd should be
allowed this access to these files you should change the file context to one of
the following types, httpd_suexec_exec_t, application_exec_type,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t, ld_so_cache_t,
mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t, httpd_t,
lib_t, fail2ban_var_lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t,
usr_t, chroot_exec_t, httpd_rotatelogs_exec_t, public_content_rw_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t,
sssd_public_t, httpd_keytab_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t,
system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
httpd_log_t, logfile, httpd_rw_content, ssh_exec_t, krb5_conf_t, ping_exec_t,
locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t, sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t,
httpd_tmpfs_t, abrt_var_run_t, iso9660_t, httpd_config_t, abrt_t, var_lib_t,
lib_t, sendmail_exec_t, configfile, sysctl_crypto_t, udev_tbl_t, user_tmp_t,
httpd_tmp_t, abrt_helper_exec_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, httpd_helper_exec_t, dbusd_etc_t, textrel_shlib_t,
httpd_squirrelmail_t, user_home_t, httpd_php_exec_t, rpm_script_tmp_t,
httpd_nagios_htaccess_t, ld_so_t, samba_var_t, net_conf_t, rpm_tmp_t,
public_content_t, sysctl_kernel_t, httpd_modules_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, public_content_rw_t, root_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_awstats_content_ra_t,
httpd_awstats_content_rw_t, krb5_host_rcache_t, httpd_bugzilla_script_exec_t,
httpd_apcupsd_cgi_script_exec_t, httpd_squid_script_exec_t,
httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t,
httpd_nutups_cgi_content_t, nfs_t, httpd_awstats_content_t,
httpd_sys_script_exec_t, httpd_user_content_ra_t, httpd_user_content_rw_t,
httpd_git_script_exec_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t,
httpdcontent, httpd_cvs_script_exec_t, httpd_prewikka_script_exec_t,
httpd_munin_content_ra_t, httpd_munin_content_rw_t, user_home_t,
httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t,
httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t,
httpd_nagios_content_rw_t, httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t. Many third party apps install html
files in directories that SELinux policy cannot predict. These directories have
to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of file so that the httpd daemon can
access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'file'.
where FILE_TYPE is one of the following: httpd_suexec_exec_t,
application_exec_type, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t,
gitosis_var_lib_t, httpd_squid_htaccess_t, httpd_munin_htaccess_t,
etc_runtime_t, ld_so_cache_t, mailman_archive_t, httpd_var_lib_t,
httpd_var_run_t, bin_t, cert_t, httpd_t, lib_t, fail2ban_var_lib_t,
httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t, chroot_exec_t,
httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
httpd_keytab_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t,
system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
httpd_log_t, logfile, httpd_rw_content, ssh_exec_t, krb5_conf_t, ping_exec_t,
locale_t, httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t, sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t,
httpd_tmpfs_t, abrt_var_run_t, iso9660_t, httpd_config_t, abrt_t, var_lib_t,
lib_t, sendmail_exec_t, configfile, sysctl_crypto_t, udev_tbl_t, user_tmp_t,
httpd_tmp_t, abrt_helper_exec_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, httpd_helper_exec_t, dbusd_etc_t, textrel_shlib_t,
httpd_squirrelmail_t, user_home_t, httpd_php_exec_t, rpm_script_tmp_t,
httpd_nagios_htaccess_t, ld_so_t, samba_var_t, net_conf_t, rpm_tmp_t,
public_content_t, sysctl_kernel_t, httpd_modules_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, public_content_rw_t, root_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_awstats_content_ra_t,
httpd_awstats_content_rw_t, krb5_host_rcache_t, httpd_bugzilla_script_exec_t,
httpd_apcupsd_cgi_script_exec_t, httpd_squid_script_exec_t,
httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t,
httpd_nutups_cgi_content_t, nfs_t, httpd_awstats_content_t,
httpd_sys_script_exec_t, httpd_user_content_ra_t, httpd_user_content_rw_t,
httpd_git_script_exec_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t,
httpdcontent, httpd_cvs_script_exec_t, httpd_prewikka_script_exec_t,
httpd_munin_content_ra_t, httpd_munin_content_rw_t, user_home_t,
httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t,
httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t,
httpd_nagios_content_rw_t, httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t. You can look at the httpd_selinux man
page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:anon_inodefs_t:s0
Target Objects                file [ file ]
Source                        mono
Source Path                   /usr/bin/mono
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mono-core-2.4.3.1-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.x86_64
                              #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 14 Mar 2010 03:10:54 AM PDT
Last Seen                     Sun 14 Mar 2010 03:10:54 AM PDT
Local ID                      df55fcc8-b62e-47d1-b219-430f1c3e957a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268561454.454:42352): avc:  denied  { getattr } for  pid=6186 comm="mono" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3475 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1268561454.454:42352): arch=c000003e syscall=4 success=yes exit=73014444160 a0=7fff22b5ffe0 a1=7fff22b5ff50 a2=7fff22b5ff50 a3=ffffffff items=0 ppid=1 pid=6186 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_bad_labels,mono,httpd_t,anon_inodefs_t,file,getattr
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t anon_inodefs_t:file getattr;

Comment 1 Daniel Walsh 2010-03-16 13:17:55 UTC
Miroslav, just add this access.

fs_read_anon_inodefs_files(httpd_t)

Comment 2 Daniel Walsh 2010-03-16 13:20:41 UTC
Eric, Steve What kind of security attack/information is availabel in anon_inodefs?

Comment 3 Eric Paris 2010-03-16 15:16:33 UTC
anon_inodefs is rather, ummm, special.  Its an entire filesystem that only has a single inode.  Given that it has a single inode we cannot do the usual inode based security checks.  In 2.6.34 SELinux will not do any security checks on anon_inodefs inodes.  That does not preclude us from using the fd use type checks to control anon_inodefs.  The current users of anon_inodefs are

inifiniband
eventfd2
eventpoll
fanotify
inotify
signalfd
timerfd
perf_event
kvm-vcpu
kvm-vm

Comment 4 Daniel Walsh 2010-03-16 18:30:07 UTC
So we add this for F12 and don't worry about it for F13.

Comment 5 Miroslav Grepl 2010-03-18 12:32:37 UTC
Fixed in selinux-policy-3.6.32-104.fc12

Comment 6 Fedora Update System 2010-03-23 18:02:36 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 7 Fedora Update System 2010-03-24 23:29:47 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 8 Fedora Update System 2010-03-30 02:09:20 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.