Bug 626774 - SELinux is preventing /bin/cp "write" access on html.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 13
Hardware: x86_64 Linux
Priority: low  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-08-24 07:45 EDT by Herman Grootaers
Modified: 2010-10-07 08:36 EDT (History)
Last Closed: 2010-10-07 08:36:32 EDT
Description Herman Grootaers 2010-08-24 07:45:40 EDT
Summary:

SELinux is preventing /bin/cp "write" access on html.

Detailed Description:

SELinux denied access requested by cp. It is not expected that this access is
required by cp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:munin_etc_t:s0
Target Objects                html [ dir ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.4-8.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux Fedora01.grootaers-nl.com
                              2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23
                              17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 24 Aug 2010 12:50:02 PM CEST
Last Seen                     Tue 24 Aug 2010 12:50:02 PM CEST
Local ID                      e99d15ea-6d1a-43e1-9289-521081941cf6
Line Numbers                  

Raw Audit Messages            

node=Fedora01.grootaers-nl.com type=AVC msg=audit(1282647002.38:37162): avc:  denied  { write } for  pid=11410 comm="cp" name="html" dev=sda2 ino=1574566 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_etc_t:s0 tclass=dir

node=Fedora01.grootaers-nl.com type=SYSCALL msg=audit(1282647002.38:37162): arch=c000003e syscall=2 success=no exit=-13 a0=21c1920 a1=c1 a2=1a4 a3=2 items=0 ppid=11409 pid=11410 auid=486 uid=486 gid=472 euid=486 suid=486 fsuid=486 egid=472 sgid=472 fsgid=472 tty=(none) ses=2579 comm="cp" exe="/bin/cp" subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,cp,munin_t,munin_etc_t,dir,write
audit2allow suggests:

#============= munin_t ==============
#!!!! The source type 'munin_t' can write to a 'dir' of the following type:
# munin_log_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t, munin_tmp_t
#!!!! The source type 'munin_t' can write to a 'dir' of the following types:
# munin_log_t, var_run_t, var_log_t, munin_var_lib_t, munin_var_run_t, httpd_munin_content_t, tmp_t, munin_tmp_t, root_t

allow munin_t munin_etc_t:dir write;
Comment 1 Daniel Walsh 2010-08-24 10:20:51 EDT
Where is the html directory located?  /etc/munin/html?

Looks like it needs a different context.
Comment 2 Herman Grootaers 2010-08-24 10:57:18 EDT
Yes, it is.

I like to set up my system(s) in a secure way so that I know where everything from an application is. Gives me less of a headache when something fails and I do not have to go hunting in my system.
Comment 3 Miroslav Grepl 2010-10-07 07:45:13 EDT
It doesn't look like this is by default. I guess you created /etc/munin/html directory.

I thought the '/var/www/html/munin' directory is used for that by default.
Comment 4 Daniel Walsh 2010-10-07 08:36:32 EDT
# semanage fcontext -a -t httpd_munin_content_t '/etc/munin/html(/.*)?'
# restorecon -R -v /etc/munin 

Should fix your problem.

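Added here as a worked example (not part of the bug report, of setroubleshoot or of the selinux-policy project): a POSIX shell triage helper that parses an AVC record like the one quoted above, reconstructs the catchall allow rule audit2allow would derive from it, and emits the relabel alternative from comment 4 for any path and type. The sample record is constructed from the report's raw audit message; the path and type arguments (/etc/munin/html, httpd_munin_content_t) are taken from comment 4.

```shell
#!/bin/sh
# Triage helper for SELinux AVC denial records. Pure text processing, so it
# runs on a host without SELinux; it does not call semanage or restorecon.

# Constructed sample: the AVC record from the report with the node= prefix dropped.
SAMPLE_AVC='type=AVC msg=audit(1282647002.38:37162): avc:  denied  { write } for  pid=11410 comm="cp" name="html" dev=sda2 ino=1574566 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_etc_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD: the permission set inside the braces, e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type[:range] context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# audit2allow_rule RECORD: the catchall allow rule audit2allow would derive.
# Loading it in a module widens what the source domain may do to that type;
# relabelling is the right fix when the object merely carries the wrong type.
audit2allow_rule() {
    _s=$(ctx_type "$(avc_field "$1" scontext)")
    _t=$(ctx_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s %s;\n' "$_s" "$_t" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# relabel_fix PATH TYPE PARENT: the semanage/restorecon pair from comment 4,
# generalised to an arbitrary path, target type and directory to relabel.
relabel_fix() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -R -v %s\n' "$3"
}

# avc_summary RECORD: one-line summary for a triage log.
avc_summary() {
    printf '%s (%s) denied { %s } on %s %s labelled %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_field "$1" comm)" \
        "$(avc_perms "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

avc_summary "$SAMPLE_AVC"
echo "audit2allow would propose: $(audit2allow_rule "$SAMPLE_AVC")"
echo "relabel instead:"
relabel_fix /etc/munin/html httpd_munin_content_t /etc/munin
```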