Description of problem:
The message reports that access was not denied, when in fact there is no rule for such an action.

Version-Release number of selected component (if applicable):
setroubleshoot.x86_64 -> 2.2.91-1.fc13
setroubleshoot-plugins.noarch -> 2.1.52-1.fc13
setroubleshoot-server.x86_64 -> 2.2.91-1.fc13

How reproducible:
Hard to reproduce.

Steps to Reproduce:
1. Use a rrdtool webapp (cacti in my case, manually installed, not via yum).

Actual results:

Summary:

SELinux is preventing /usr/bin/rrdtool from using potentially mislabeled files /var/cache/fontconfig.

Detailed Description:

[rrdtool has a permissive type (httpd_t). This access was not denied.]

SELinux has denied the rrdtool access to potentially mislabeled files /var/cache/fontconfig. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_run_t, squirrelmail_spool_t, httpd_log_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/cache/fontconfig so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/cache/fontconfig'.
where FILE_TYPE is one of the following: httpd_var_run_t, squirrelmail_spool_t, httpd_log_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig [ dir ]
Source                        rrdtool
Source Path                   /usr/bin/rrdtool
Port                          <Unknown>
Host                          s1.retoric-alliance.net
Source RPM Packages           rrdtool-1.3.8-6.fc13
Target RPM Packages           fontconfig-2.8.0-1.fc13
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     s1.retoric-alliance.net
Platform                      Linux s1.retoric-alliance.net 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   2843
First Seen                    Mon 02 Aug 2010 01:32:01 AM EEST
Last Seen                     Mon 02 Aug 2010 03:44:26 PM EEST
Local ID                      9603702c-b7b8-4e33-913c-f99a1789323f
Line Numbers

Raw Audit Messages

node=s1.retoric-alliance.net type=AVC msg=audit(1280753066.430:56489): avc: denied { setattr } for pid=17089 comm="rrdtool" name="fontconfig" dev=dm-0 ino=2622775 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

node=s1.retoric-alliance.net type=SYSCALL msg=audit(1280753066.430:56489): arch=c000003e syscall=90 success=yes exit=68719476864 a0=2550030 a1=1ed a2=d a3=10 items=0 ppid=5759 pid=17089 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1129 comm="rrdtool" exe="/usr/bin/rrdtool" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Expected results:

Summary:

SELinux is preventing rrdtool from using potentially mislabeled files /var/cache/fontconfig.

Detailed Description:

SELinux has denied the rrdtool access to potentially mislabeled files /var/cache/fontconfig. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_run_t, squirrelmail_spool_t, httpd_log_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/cache/fontconfig so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/cache/fontconfig'.
where FILE_TYPE is one of the following: httpd_var_run_t, squirrelmail_spool_t, httpd_log_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig [ dir ]
Source                        rrdtool
Source Path                   /usr/bin/rrdtool
Port                          <Unknown>
Host                          s1.retoric-alliance.net
Source RPM Packages
Target RPM Packages           fontconfig-2.8.0-1.fc13
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     s1.retoric-alliance.net
Platform                      Linux s1.retoric-alliance.net 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   2275
First Seen                    Mon 02 Aug 2010 01:32:01 AM EEST
Last Seen                     Mon 02 Aug 2010 04:19:41 AM EEST
Local ID                      9603702c-b7b8-4e33-913c-f99a1789323f
Line Numbers

Raw Audit Messages

node=s1.retoric-alliance.net type=AVC msg=audit(1280711981.884:49491): avc: denied { setattr } for pid=5747 comm="rrdtool" name="fontconfig" dev=dm-0 ino=2622775 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

Additional info:

[root@s1 ~]# semanage permissive -l

Builtin Permissive Types

munin_mail_plugin_t
munin_disk_plugin_t
piranha_pulse_t
munin_services_plugin_t
showmount_t
boinc_t
accountsd_t
shutdown_t
munin_system_plugin_t
piranha_fos_t
piranha_lvs_t
nagios_mail_plugin_t
nagios_checkdisk_plugin_t
nagios_services_plugin_t
clogd_t
mpd_t
qpidd_t
nagios_system_plugin_t
nagios_admin_plugin_t
certmonger_t
cmirrord_t
ncftool_t
piranha_web_t

Customized Permissive Types

[root@s1 ~]# semanage permissive -d httpd_t
libsemanage.semanage_direct_remove: Module permissive_httpd_t was not found. (No such file or directory).
/usr/sbin/semanage: Could not remove permissive domain httpd_t (remove failed)
You are correct, the message is wrong and we should fix it to say something like: While an AVC was created for this action, the actual system call returned success.

node=s1.retoric-alliance.net type=AVC msg=audit(1280753066.430:56489): avc: denied { setattr } for pid=17089 comm="rrdtool" name="fontconfig" dev=dm-0 ino=2622775 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

node=s1.retoric-alliance.net type=SYSCALL msg=audit(1280753066.430:56489): arch=c000003e syscall=90 success=yes exit=68719476864 a0=2550030 a1=1ed a2=d a3=10 items=0 ppid=5759 pid=17089 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1129 comm="rrdtool" exe="/usr/bin/rrdtool" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

If you read the above AVC you will notice that the SYSCALL record has a name value pair of success=yes, indicating that the system call returned success.
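The pairing the comment above relies on, as an added example that is not part of this bug report or of setroubleshoot's own code: a small Python script that groups audit records by their serial number, joins each AVC to its SYSCALL record and reports the event as "AVC logged, but the system call succeeded" only when the SYSCALL record says success=yes, without inferring that the source domain is permissive (that is a separate question for semanage permissive -l). The first two sample records are the ones quoted in this bug; the second event (serial 56490, host example.invalid, file cacti.rrd, success=no) is constructed so the enforced case is exercised too.

```python
import re
from collections import defaultdict

# Constructed sample input. The first two records are the AVC/SYSCALL pair quoted in
# this bug (serial 56489). The second event (serial 56490) is made up so that the
# enforced case (success=no) is exercised as well.
SAMPLE_AUDIT = """\
node=s1.retoric-alliance.net type=AVC msg=audit(1280753066.430:56489): avc: denied { setattr } for pid=17089 comm="rrdtool" name="fontconfig" dev=dm-0 ino=2622775 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
node=s1.retoric-alliance.net type=SYSCALL msg=audit(1280753066.430:56489): arch=c000003e syscall=90 success=yes exit=68719476864 a0=2550030 a1=1ed a2=d a3=10 items=0 ppid=5759 pid=17089 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1129 comm="rrdtool" exe="/usr/bin/rrdtool" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
node=example.invalid type=AVC msg=audit(1280753070.000:56490): avc: denied { write } for pid=17090 comm="rrdtool" name="cacti.rrd" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
node=example.invalid type=SYSCALL msg=audit(1280753070.000:56490): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=5759 pid=17090 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1129 comm="rrdtool" exe="/usr/bin/rrdtool" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

# msg=audit(<seconds.millis>:<serial>): the serial is what ties an AVC to its SYSCALL record.
HEADER = re.compile(r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def parse_record(line):
    """Turn one audit line into a dict, or return None for lines that are not audit records."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": m["ts"]}
    for key, value in KV.findall(m["body"]):
        rec[key] = value.strip('"')
    avc = AVC.search(m["body"])
    if avc:
        rec["decision"] = avc["decision"]
        rec["perms"] = avc["perms"].split()
    return rec


def group_events(text):
    """Group records by audit serial so an AVC can be matched with its SYSCALL record."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def classify(records):
    """Decide what the AVC actually meant for the process, using only the records themselves."""
    denials = [r for r in records if r["type"] == "AVC" and r.get("decision") == "denied"]
    syscalls = [r for r in records if r["type"] == "SYSCALL"]
    if not denials:
        return None
    if not syscalls:
        return "avc_without_syscall_record"
    if all(s.get("success") == "yes" for s in syscalls):
        # The kernel logged a denial but the call completed. That is all the log tells us;
        # whether the domain is permissive has to be checked with semanage, not guessed.
        return "avc_but_syscall_succeeded"
    return "enforced_denial"


def summarize(text):
    """Map each audit serial that carries a denial to its verdict and the AVC's key fields."""
    out = {}
    for serial, recs in sorted(group_events(text).items()):
        verdict = classify(recs)
        if verdict is None:
            continue
        avc = next(r for r in recs if r["type"] == "AVC")
        out[serial] = {
            "verdict": verdict,
            "comm": avc.get("comm"),
            "perms": avc.get("perms", []),
            "scontext": avc.get("scontext"),
            "tcontext": avc.get("tcontext"),
            "tclass": avc.get("tclass"),
        }
    return out


def describe(serial, info):
    """Render a one-line message along the lines of the wording proposed in the comment above."""
    src_type = info["scontext"].split(":")[2]
    tgt_type = info["tcontext"].split(":")[2]
    base = (f"audit {serial}: SELinux logged a denial of {{ {' '.join(info['perms'])} }} for "
            f"{info['comm']} ({src_type}) on a {info['tclass']} labeled {tgt_type}")
    if info["verdict"] == "avc_but_syscall_succeeded":
        return base + ". While an AVC was created for this action, the actual system call returned success."
    if info["verdict"] == "enforced_denial":
        return base + ". The system call failed; the access was denied."
    return base + ". No SYSCALL record was found, so the outcome is unknown."


if __name__ == "__main__":
    for serial, info in summarize(SAMPLE_AUDIT).items():
        print(describe(serial, info))
```

Run as-is it prints one line per event; to use it on a live system, feed it the output of ausearch -m AVC,SYSCALL (or the raw /var/log/audit/audit.log) in place of SAMPLE_AUDIT. The point of classify() is that the verdict comes only from the success= field of the SYSCALL record sharing the same serial, so the tool can say the call succeeded without claiming anything about the policy.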
Upgrading to the F14/F15 version of setroubleshoot. Fixed in setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update setroubleshoot'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/setroubleshoot-3.0.24-1.fc13
setroubleshoot-3.0.24-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.