Bug 596536 - SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/useradd.
Summary: SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/useradd.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 14
Hardware: x86_64 Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2b94638100c...
Keywords: Reopened
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-26 21:43 UTC by Cristian Ciupitu
Modified: 2010-11-11 22:17 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.9.7-10.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-11 22:17:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (197 bytes, application/x-gzip)
2010-07-22 15:18 UTC, lejeczek
no flags Details
audit.log again (62.83 KB, application/x-bzip-compressed-tar)
2010-07-22 17:12 UTC, lejeczek
no flags Details

Description Cristian Ciupitu 2010-05-26 21:43:36 UTC
Summary:

This happened when I run "service puppetmaster start".
SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/useradd.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-1.fc13
Target RPM Packages           shadow-utils-4.1.4.2-5.fc13
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23
                              UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 27 May 2010 12:39:07 AM EEST
Last Seen                     Thu 27 May 2010 12:39:07 AM EEST
Local ID                      7b78a6d3-b614-4aa0-badb-448d981ca882
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274909947.709:43): avc:  denied  { getattr } for  pid=5626 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-0 ino=306764 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274909947.709:43): arch=c000003e syscall=4 success=no exit=-13 a0=2d25e90 a1=7fff837a8d40 a2=7fff837a8d40 a3=81 items=0 ppid=5625 pid=5626 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)



Hash String generated from  catchall,puppetmasterd,puppetmaster_t,useradd_exec_t,file,getattr
audit2allow suggests:

#============= puppetmaster_t ==============
allow puppetmaster_t useradd_exec_t:file getattr;

Comment 1 Cristian Ciupitu 2010-05-26 21:44:37 UTC
I'm using puppet-server-0.25.4-1.fc13.noarch.rpm.

Comment 2 Miroslav Grepl 2010-05-27 09:08:30 UTC
It looks like there are changes for puppet-server. Can you execute

# semanage permissive -a  puppetmaster_t

Then restart puppetmaster service and use puppet

and see which other avc's are generated.

Comment 3 Cristian Ciupitu 2010-06-28 18:35:25 UTC
I removed everything from /var/lib/puppet/ and put only "node default {}" into /etc/puppet/manifests/site.pp. Then I run these commands:

[root@hermes ~]# service puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@hermes ~]# service puppet start
Starting puppet:                                           [  OK  ]
[root@hermes ~]# puppetca --list

[root@hermes ~]# service puppet restart
Stopping puppet:                                           [  OK  ]
Starting puppet:                                           [  OK  ]
[root@hermes ~]# service puppetmaster stop
Stopping puppetmaster:                                     [  OK  ]
[root@hermes ~]# 

The following AVCs were generated:

----
time->Mon Jun 28 21:31:04 2010
type=SYSCALL msg=audit(1277749864.928:400): arch=c000003e syscall=2 success=yes exit=6 a0=f5e4d0 a1=0 a2=1b6 a3=0 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749864.928:400): avc:  denied  { open } for  pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1277749864.928:400): avc:  denied  { read } for  pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Mon Jun 28 21:31:04 2010
type=SYSCALL msg=audit(1277749864.931:401): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffe760c590 a2=7fffe760c590 a3=7fffe760c290 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749864.931:401): avc:  denied  { getattr } for  pid=24277 comm="puppetmasterd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.130:402): arch=c000003e syscall=2 success=yes exit=6 a0=7fffe760d610 a1=2 a2=7fffe760d620 a3=fffffff8 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.130:402): avc:  denied  { read write } for  pid=24277 comm="puppetmasterd" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.130:403): arch=c000003e syscall=1 success=yes exit=34 a0=6 a1=14b1c80 a2=22 a3=7fffe760d390 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.130:403): avc:  denied  { check_context } for  pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.619:404): arch=c000003e syscall=189 success=yes exit=0 a0=e60d90 a1=3862415689 a2=24c45d0 a3=26 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.619:404): avc:  denied  { relabelto } for  pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1277749865.619:404): avc:  denied  { relabelfrom } for  pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.735:405): arch=c000003e syscall=189 success=yes exit=0 a0=2171a60 a1=3862415689 a2=b3b360 a3=22 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.735:405): avc:  denied  { relabelto } for  pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1277749865.735:405): avc:  denied  { relabelfrom } for  pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_log_t:s0 tclass=file
----
time->Mon Jun 28 21:31:06 2010
type=SYSCALL msg=audit(1277749866.066:406): arch=c000003e syscall=2 success=yes exit=6 a0=3860941f42 a1=0 a2=7 a3=319827b400 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=52 sgid=0 fsgid=52 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749866.066:406): avc:  denied  { read } for  pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file

Comment 4 lejeczek 2010-07-22 12:28:56 UTC
I'm afraid is seems much worse for the whole ruby,
tried to run mongrel_cluster for application located in /var/www and created with default context??
that is a mess! mess!! and even permissive mode does not help??

just a bit of messages log:

lert -l d6afe031-ad22-4b37-9314-2a2bfc427c72
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l cc5ea173-852c-4e3f-8cdc-37fe7a84d750
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 70ae75e4-836a-4dda-968e-dd791af19eab
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l d0e31bb5-4bd8-4eee-8c91-5ad9585dc81a
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 1. For complete SELinux messages. run sealert -l a93cfe11-dbdc-4778-8cce-62017655facc
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l b87201f5-ff16-4e72-9495-7c69e42c6722
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps "sys_ptrace" access . For complete SELinux messages. run sealert -l 7f5782c0-885a-45e0-af16-dd0292346d1e
Jul 22 13:16:14 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l be1496ee-a1da-4ec9-a368-a1e40a5d413f
Jul 22 13:16:14 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l 0eefed5c-19b7-496a-ab47-9ce0d855dbba
Jul 22 13:16:16 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:16 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:17 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:17 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files stat. For complete SELinux messages. run sealert -l 137aa39f-6af8-4775-82b9-6fe72f9081fd
Jul 22 13:16:18 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files stat. For complete SELinux messages. run sealert -l 137aa39f-6af8-4775-82b9-6fe72f9081fd
Jul 22 13:16:18 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l 4fa271b0-ed07-4638-b026-1bd9193c1910
Jul 22 13:16:18 develop setroubleshoot: [avc.ERROR] Plugin Exception httpd_bad_labels #012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/httpd_bad_labels.py", line 63, in analyze#012    fix_description, self.fix_cmd)#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/Plugin.py", line 100, in report#012    safe_substitute(avc.template_substitutions)#012  File "/usr/lib64/python2.6/string.py", line 205, in safe_substitute#012    return self.pattern.sub(convert, self.template)#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x95 in position 1: unexpected code byte
Jul 22 13:16:18 develop setroubleshoot: [avc.ERROR] Plugin Exception catchall #012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/catchall.py", line 58, in analyze#012    summary = self.summary + " on " + avc.tpath + "."#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x95 in position 1: unexpected code byte

Comment 5 Daniel Walsh 2010-07-22 14:38:45 UTC
I don't think SELinux is blocking anything in permissive mode.  

Could you mail us your audit.log (compressed) dwalsh@redhat.com.  I would like to see what is blowing up setroubleshoot.

Miroslav it looks like puppetmaster needs

allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
kernel_read_kernel_sysctls(puppetmaster_t)
selinux_validate_context(puppetmaster_t)
seutil_read_file_contexts(puppetmaster_t)

Comment 6 lejeczek 2010-07-22 15:18:27 UTC
Created attachment 433732 [details]
audit.log

Comment 7 lejeczek 2010-07-22 15:19:56 UTC
should not be but is, that log's snippet comes while permissive

Comment 8 Daniel Walsh 2010-07-22 16:19:25 UTC
SELinux continues to output errors in permissive mode but the kernel does not block access.  So if anything is actually being blocked it is probably not an SELinux issue.

Comment 9 Daniel Walsh 2010-07-22 16:24:56 UTC
THe audit.log you attached seems to be corrupted.

Comment 10 lejeczek 2010-07-22 17:12:16 UTC
Created attachment 433761 [details]
audit.log again

Comment 11 Daniel Walsh 2010-07-22 20:45:45 UTC
The only thing I see in that log is that you should turn on the

allow_postfix_local_write_mail_spool boolean

setsebool -P allow_postfix_local_write_mail_spool 1

mount command somehow ran glusterfs which requires setrlimit, Miroslav can you add this.

Which we should also add.

The puppetmaster stuff must have roled into a backup audit.log.

Comment 12 Miroslav Grepl 2010-07-23 12:08:47 UTC
Fixed in selinux-policy-3.7.19-40.fc13.noarch

Comment 13 Fedora Update System 2010-07-28 15:10:46 UTC
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13

Comment 14 lejeczek 2010-07-29 10:29:51 UTC
ok, very box I fiddle around with has something mislabelled, I did ./autorelable

but original problem remains, never mind the glusterfs

it is mongrel_cluster that fails, regardless of what file context I label a rails application whole tree with, recursively, for instance: httpd_unconfined_script_exec_t (and with setsebool httpd_enable_cgi=1)

this is how mongrel_cluster start/stop.. etc fails:

Summary:

SELinux is preventing ps from using potentially mislabeled files /proc/<pid>.

Detailed Description:

SELinux has denied the ps access to potentially mislabeled files /proc/<pid>.
This means that SELinux will not allow httpd to use these files. If httpd should
be allowed this access to these files you should change the file context to one
of the following types, root_t, mysqld_var_run_t, httpd_sys_content_t, tmp_t,
usr_t, var_t, httpd_var_lib_t, httpd_var_run_t, httpd_squid_rw_content_t,
nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, mysqld_db_t,
httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, gitosis_var_lib_t,
httpd_smokeping_cgi_rw_content_t, var_t, httpd_apcupsd_cgi_rw_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
mailman_archive_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t,
httpd_sys_content_t, public_content_rw_t, kernel_t, var_lock_t, sysctl_t,
device_t, bin_t, cert_t, mailman_data_t, httpd_cobbler_content_t, httpd_t,
logfile, lib_t, httpd_munin_script_exec_t, mnt_t, etc_t,
httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t,
system_dbusd_var_run_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
proc_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, usr_t, var_t,
httpd_nagios_script_exec_t, rpm_script_tmp_t, httpd_apcupsd_cgi_script_exec_t,
cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, security_t,
httpd_awstats_rw_content_t, httpd_squid_script_exec_t, cluster_conf_t,
httpd_w3c_validator_rw_content_t, winbind_var_run_t, likewise_var_lib_t,
httpd_bugzilla_script_exec_t, autofs_t, fonts_cache_t, device_t, devpts_t,
locale_t, httpd_log_t, etc_t, fonts_t, rpm_tmp_t, var_run_t, proc_t, sysfs_t,
tmpfs_t, krb5_conf_t, httpd_awstats_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t,
httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t,
var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t,
httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, httpd_git_script_exec_t,
smokeping_var_lib_t, var_lib_t, var_run_t, httpd_cvs_script_exec_t, rpm_log_t,
configfile, mysqld_etc_t, cvs_data_t, dbusd_etc_t, httpd_squirrelmail_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t,
samba_var_t, abrt_var_run_t, avahi_var_run_t, net_conf_t,
httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_rw_content_t, setrans_var_run_t, public_content_t,
httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t,
sysctl_kernel_t, sysctl_crypto_t, home_root_t, httpd_modules_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
sysctl_t, abrt_t, bin_t, lib_t, mnt_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t,
httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_cobbler_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t. Many third party apps install html
files in directories that SELinux policy cannot predict. These directories have
to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /proc/<pid> so that the httpd daemon
can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'/proc/<pid>'.
where FILE_TYPE is one of the following: root_t, mysqld_var_run_t,
httpd_sys_content_t, tmp_t, usr_t, var_t, httpd_var_lib_t, httpd_var_run_t,
httpd_squid_rw_content_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t,
mysqld_db_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t,
gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, var_t,
httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t,
httpd_awstats_script_exec_t, mailman_archive_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, kernel_t,
var_lock_t, sysctl_t, device_t, bin_t, cert_t, mailman_data_t,
httpd_cobbler_content_t, httpd_t, logfile, lib_t, httpd_munin_script_exec_t,
mnt_t, etc_t, httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t,
system_dbusd_var_run_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t,
proc_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, usr_t, var_t,
httpd_nagios_script_exec_t, rpm_script_tmp_t, httpd_apcupsd_cgi_script_exec_t,
cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, security_t,
httpd_awstats_rw_content_t, httpd_squid_script_exec_t, cluster_conf_t,
httpd_w3c_validator_rw_content_t, winbind_var_run_t, likewise_var_lib_t,
httpd_bugzilla_script_exec_t, autofs_t, fonts_cache_t, device_t, devpts_t,
locale_t, httpd_log_t, etc_t, fonts_t, rpm_tmp_t, var_run_t, proc_t, sysfs_t,
tmpfs_t, krb5_conf_t, httpd_awstats_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t,
httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t,
var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t,
httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, httpd_git_script_exec_t,
smokeping_var_lib_t, var_lib_t, var_run_t, httpd_cvs_script_exec_t, rpm_log_t,
configfile, mysqld_etc_t, cvs_data_t, dbusd_etc_t, httpd_squirrelmail_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t,
samba_var_t, abrt_var_run_t, avahi_var_run_t, net_conf_t,
httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_rw_content_t, setrans_var_run_t, public_content_t,
httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t,
sysctl_kernel_t, sysctl_crypto_t, home_root_t, httpd_modules_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
sysctl_t, abrt_t, bin_t, lib_t, mnt_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t,
httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_cobbler_content_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t,
httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t,
httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t,
httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t,
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t. You can look at the httpd_selinux man
page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:system_r:dhcpc_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          develop.biotechnology
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     develop.biotechnology
Platform                      Linux develop.biotechnology
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Jul 29 11:11:53 2010
Last Seen                     Thu Jul 29 11:11:53 2010
Local ID                      c155452d-6e42-4281-addb-12cb0c500814
Line Numbers                  

Raw Audit Messages            

node=develop.biotechnology type=AVC msg=audit(1280398313.745:35411): avc:  denied  { getattr } for  pid=14544 comm="ps" path="/proc/1446" dev=proc ino=14420 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir

I can render custom module, fine, only checking here with you guys whether I am missing some booleans or file contexts?

regards

Comment 15 lejeczek 2010-07-29 11:20:07 UTC
ok, it is a file context, at least for me here,
just needed to follow the logs to figure out the correct one,
and inasmuch as mongrel_cluster starts now almost silently(selinux), when wanted to stop, then selinux produces these series of denials about /bin/ps


Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        ps
Source Path                   /bin/ps
Port                          <Unknown>
Host                          develop.biotechnology
Source RPM Packages           procps-3.2.8-7.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-39.fc13


.. and yet mongrel_cluster succeeds stopping, only plenty of denials logged and:
develop audispd: queue is full - dropping event

Comment 16 lejeczek 2010-07-29 11:27:55 UTC
and would it the difference between what's in logs:
httpd_sys_content_rw_t
and when ls'ed -Z
httpd_sys_rw_content_t
matter?

it's only that is see context httpd_sys_rw_content_t and yet selinux suggests to relabel it with httpd_sys_content_rw_t

cheers

Comment 17 Daniel Walsh 2010-07-29 13:39:50 UTC
httpd_sys_content_rw_t == httpd_sys_rw_content_t.  I will change the plugin to suggest the correct thing.

The problem with the reading of /proc can be solved by adding a custom policy module or


cat > myhttpd.te << _EOF
policy_module(myhttp, 1.0)
gen_require(`
         type httpd_t;
')
domain_read_all_domains_state(httpd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp

Comment 18 Fedora Update System 2010-07-30 08:39:09 UTC
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13

Comment 19 Fedora Update System 2010-08-05 23:39:04 UTC
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Cristian Ciupitu 2010-08-27 14:50:05 UTC
I'm still having this issue (with puppet-server-0.25.5-1.fc13.noarch.rpm):


Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-6.fc13
Target RPM Packages           shadow-utils-4.1.4.2-8.fc13
Policy RPM                    selinux-policy-3.7.19-49.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17
                              22:53:15 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Fri 27 Aug 2010 05:40:06 PM EEST
Last Seen                     Fri 27 Aug 2010 05:40:06 PM EEST
Local ID                      d8299ac7-7e18-41c0-a9f5-46318dfe65fb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282920006.922:38817): avc:  denied  { getattr } for  pid=17260 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-0 ino=273182 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282920006.922:38817): arch=c000003e syscall=4 success=no exit=-13 a0=2179c20 a1=7fff3f5b4b30 a2=7fff3f5b4b30 a3=81 items=0 ppid=1 pid=17260 auid=500 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)


Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-6.fc13
Target RPM Packages           shadow-utils-4.1.4.2-8.fc13
Policy RPM                    selinux-policy-3.7.19-49.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17
                              22:53:15 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 27 Aug 2010 05:48:51 PM EEST
Last Seen                     Fri 27 Aug 2010 05:48:51 PM EEST
Local ID                      34ea6b6e-674c-463b-898b-88c006890bc0
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1282920531.585:38820): avc:  denied  { execute } for  pid=17877 comm="puppetmasterd" name="useradd" dev=dm-0 ino=273182 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282920531.585:38820): arch=c000003e syscall=21 success=yes exit=0 a0=14eda60 a1=1 a2=0 a3=81 items=0 ppid=17876 pid=17877 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

Comment 21 Cristian Ciupitu 2010-08-27 15:08:21 UTC
dgrift has suggested me to try the following policy and it seems to work fine for me:

policy_module(mypuppet, 1.0.0)
	gen_require(`
		type puppetmaster_t;
	')
usermanage_domtrans_useradd(puppetmaster_t)

Comment 22 Daniel Walsh 2010-08-27 15:18:52 UTC
Seems good to me.
Miroslav please add

optional_policy(`
	usermanage_domtrans_groupadd(puppetmaster_t)
	usermanage_domtrans_useradd(puppetmaster_t)
')

Comment 23 Miroslav Grepl 2010-08-30 17:46:48 UTC
Fixed in selinux-policy-3.7.19-52.fc13

Comment 24 Fedora Update System 2010-09-02 14:57:00 UTC
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 25 Fedora Update System 2010-09-02 20:36:38 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13

Comment 26 Fedora Update System 2010-09-11 09:07:23 UTC
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Cristian Ciupitu 2010-11-09 20:41:31 UTC
I'm still having this problem with selinux-policy-targeted-3.9.7-7.fc14.noarch.rpm and puppet-server-0.25.5-1.fc14.noarch.rpm.

Comment 28 Cristian Ciupitu 2010-11-09 20:45:03 UTC
Here's what sealert shows me:

Summary:

SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/usermod.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/usermod [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          hermes.lizeanunet.tld
Source RPM Packages           ruby-1.8.7.302-1.fc14
Target RPM Packages           shadow-utils-4.1.4.2-8.fc14
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hermes.lizeanunet.tld
Platform                      Linux hermes.lizeanunet.tld
                              2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08
                              UTC 2010 x86_64 x86_64
Alert Count                   24
First Seen                    Tue 09 Nov 2010 10:30:01 PM EET
Last Seen                     Tue 09 Nov 2010 10:42:25 PM EET
Local ID                      c822bd9a-ab8a-4ed6-9c8c-376eba2514a5
Line Numbers                  

Raw Audit Messages            

node=hermes.lizeanunet.tld type=AVC msg=audit(1289335345.138:509): avc:  denied  { getattr } for  pid=26483 comm="puppetmasterd" path="/usr/sbin/usermod" dev=dm-0 ino=264090 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=hermes.lizeanunet.tld type=SYSCALL msg=audit(1289335345.138:509): arch=c000003e syscall=4 success=no exit=-13 a0=1cf30f0 a1=7fff9833aeb0 a2=7fff9833aeb0 a3=2 items=0 ppid=26462 pid=26483 auid=500 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=4 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

Comment 29 Daniel Walsh 2010-11-09 20:58:07 UTC
Oops it does not look like the fix made it into F14 and Rawhide.

Comment 30 Miroslav Grepl 2010-11-10 08:58:25 UTC
Fixed in selinux-policy-3.9.7-10.fc14

Comment 31 Fedora Update System 2010-11-10 15:55:58 UTC
selinux-policy-3.9.7-10.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14

Comment 32 Fedora Update System 2010-11-10 21:49:27 UTC
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14

Comment 33 Fedora Update System 2010-11-11 22:16:45 UTC
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.