Bug 629934 - Potentially mislabeled files and "name_connect" access for Pootle running under /usr/sbin/httpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 572099 626801
Reported: 2010-09-03 10:23 UTC by Dwayne Bailey
Modified: 2010-09-23 12:44 UTC (History)

Fixed In Version: selinux-policy-3.9.3-4.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-09-23 12:44:25 UTC
Type: ---
Embargoed:



Description Dwayne Bailey 2010-09-03 10:23:03 UTC
When running Pootle with SELinux enabled I get these two issues:

1) Potentially mislabeled files
2) Need network access

Background
==========
Pootle is a Python web-based translation tool that runs under Apache using mod_wsgi.

1) Mislabeled files
==================

Pootle writes translation files to /var/lib/pootle/po - this space is used to store files before they are pushed into the database.

2) Need network access
======================

Pootle uses memcached to boost performance.  In Fedora it is a dependency and thus requires TCP access to localhost's memcached.

I've been able to solve this with:
setsebool -P httpd_can_network_connect 1

This seems like overkill though since Pootle only needs access to memcached on the local machine.

Comment 1 Dwayne Bailey 2010-09-03 10:24:19 UTC
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/var/lib/pootle/po/tutorial/af/tutorial.po.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/var/lib/pootle/po/tutorial/af/tutorial.po. This means that SELinux will not
allow httpd to use these files. If httpd should be allowed this access to these
files you should change the file context to one of the following types,
httpd_squirrelmail_t, user_cron_spool_t, httpd_var_lib_t, httpd_var_run_t,
httpd_t, squirrelmail_spool_t, afs_cache_t, httpd_lock_t, httpd_cache_t,
httpd_tmpfs_t, httpd_tmp_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t,
httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t,
httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t,
httpd_cobbler_rw_content_t, httpd_munin_rw_content_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of
/var/lib/pootle/po/tutorial/af/tutorial.po so that the httpd daemon can access
it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'/var/lib/pootle/po/tutorial/af/tutorial.po'.
where FILE_TYPE is one of the following: httpd_squirrelmail_t,
user_cron_spool_t, httpd_var_lib_t, httpd_var_run_t, httpd_t,
squirrelmail_spool_t, afs_cache_t, httpd_lock_t, httpd_cache_t, httpd_tmpfs_t,
httpd_tmp_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t,
httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_rw_content_t, httpd_awstats_rw_content_t,
httpd_w3c_validator_rw_content_t, httpd_user_rw_content_t,
httpd_cobbler_rw_content_t, httpd_munin_rw_content_t. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/pootle/po/tutorial/af/tutorial.po [ file
                              ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          Oxf13.scrye.com
Source RPM Packages           httpd-2.2.16-1.fc13
Target RPM Packages           pootle-2.1.0-3.fc13
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     Oxf13.scrye.com
Platform                      Linux Oxf13.scrye.com 2.6.34.6-47.fc13.x86_64 #1
                              SMP Fri Aug 27 08:56:01 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri Sep  3 03:45:08 2010
Last Seen                     Fri Sep  3 04:22:43 2010
Local ID                      fef719ad-bc4f-43dd-bafc-3ce6fcc19c1d
Line Numbers                  

Raw Audit Messages            

node=Oxf13.scrye.com type=AVC msg=audit(1283509363.364:773): avc:  denied  { write } for  pid=4613 comm="httpd" name="tutorial.po" dev=dm-0 ino=940398 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=Oxf13.scrye.com type=SYSCALL msg=audit(1283509363.364:773): arch=c000003e syscall=2 success=no exit=-13 a0=7fc70687ff30 a1=241 a2=1b6 a3=0 items=0 ppid=4608 pid=4613 auid=117615 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=36 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Comment 2 Dwayne Bailey 2010-09-03 10:25:41 UTC
Summary:

SELinux is preventing /usr/sbin/httpd "name_connect" access on <Unknown>.

Detailed Description:

SELinux denied access requested by httpd. The current boolean settings do not
allow this access. If you have not setup httpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

One of the following booleans is set incorrectly: httpd_can_network_relay,
httpd_can_network_connect

Fix Command:

Choose one of the following to allow access:
Allow httpd to act as a relay
# setsebool -P httpd_can_network_relay 1
Allow HTTPD scripts and modules to connect to the network using TCP.
# setsebool -P httpd_can_network_connect 1


Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:memcache_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          11211
Host                          Oxf13.scrye.com
Source RPM Packages           httpd-2.2.16-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-51.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_boolean
Host Name                     Oxf13.scrye.com
Platform                      Linux Oxf13.scrye.com 2.6.34.6-47.fc13.x86_64 #1
                              SMP Fri Aug 27 08:56:01 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri Sep  3 04:25:06 2010
Last Seen                     Fri Sep  3 04:25:06 2010
Local ID                      16018962-523a-403d-870b-710dba8ba212
Line Numbers                  

Raw Audit Messages            

node=Oxf13.scrye.com type=AVC msg=audit(1283509506.272:775): avc:  denied  { name_connect } for  pid=4617 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

node=Oxf13.scrye.com type=SYSCALL msg=audit(1283509506.272:775): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff3616c820 a2=10 a3=9 items=0 ppid=4608 pid=4617 auid=117615 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=36 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Comment 3 Daniel Walsh 2010-09-03 13:42:05 UTC
A better solution would be to create a custom policy module for this, using audit2allow.

# grep memcache /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

Might have to add a boolean for this, although it would be much nicer if memcache and Pootle could communicate over unix domain sockets.

chcon -R -t httpd_sys_rw_content_t /var/lib/pootle/po

Will fix your other problem.

I will add this as default labeling.

Comment 4 Daniel Walsh 2010-09-03 13:43:22 UTC
Miroslav, you probably want to add this to F13 also.

/var/lib/poodle/po(/.*)? 		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

Comment 5 Daniel Walsh 2010-09-03 13:45:36 UTC
setsebool -P httpd_can_network_relay 1

Would also work and open fewer ports.

Comment 6 Daniel Walsh 2010-09-03 13:48:24 UTC
Added


## <desc>
## <p>
## Allow httpd to connect to memcache server
## </p>
## </desc>
gen_tunable(httpd_can_network_memcache, false)


tunable_policy(`httpd_can_network_memcache',`
	corenet_tcp_connect_memcache_port(httpd_t)
')

Fixed in selinux-policy-3.9.2-2.fc14
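
As an added defender's example, not part of this bug report or of the selinux-policy package: a small Python triage over the two AVC records from comments 1 and 2 (re-typed below as constructed sample input, with a SYSCALL record mixed in) that maps each httpd_t denial to the narrowest remedy the thread settles on, the httpd_sys_rw_content_t label for the Pootle tree and the httpd_can_network_memcache boolean, rather than the broad httpd_can_network_connect. The semanage/restorecon commands in the comments are the assumed persistent form of the chcon fix, with the path taken from this bug.

```python
import re

# Constructed sample log: the two AVC records from comments 1 and 2 of this
# bug, interleaved with a SYSCALL record that the triage must skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1283509363.364:773): avc:  denied  { write } for  pid=4613 comm="httpd" name="tutorial.po" dev=dm-0 ino=940398 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1283509363.364:773): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1283509506.272:775): avc:  denied  { name_connect } for  pid=4617 comm="httpd" dest=11211 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC's fields as a dict (plus perms/stype/ttype), or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    avc["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; the type is what the policy keys on.
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc


def recommend(avc):
    """Map one httpd_t denial to the narrowest remedy discussed in this bug."""
    if avc["stype"] != "httpd_t":
        return ("skip", "not an httpd denial")
    if avc["tclass"] == "file" and avc["ttype"] == "var_lib_t":
        # Generic /var/lib label: relabel the app's writable tree instead of
        # loosening httpd. Assumed persistent form of the chcon in comment 3:
        #   semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/pootle/po(/.*)?'
        #   restorecon -Rv /var/lib/pootle/po
        return ("relabel", "httpd_sys_rw_content_t")
    if (avc["tclass"] == "tcp_socket" and "name_connect" in avc["perms"]
            and avc["ttype"] == "memcache_port_t"):
        # Port-specific boolean from comment 6 beats httpd_can_network_connect,
        # which would let httpd reach any TCP port.
        return ("boolean", "httpd_can_network_memcache")
    # Anything else deserves a look before any allow rule is generated.
    return ("review", "audit2allow")


def triage(log_text):
    """Classify every AVC denial in an audit log excerpt, keyed by pid; other records are ignored."""
    results = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc["pid"], recommend(avc)))
    return results
```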

Comment 7 Dwayne Bailey 2010-09-04 06:57:31 UTC
(In reply to comment #4)
> Miroslav, you probably want to add this to F13 also.
> 
> /var/lib/poodle/po(/.*)?  
> gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

/var/lib/pootle/po(/.*)?

Comment 8 Dwayne Bailey 2010-09-04 10:03:56 UTC
(In reply to comment #3)
> A better solution would be to create a custom policy module for this.  using
> audit2allow.
> 
> # grep memcache /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp

Sorry, I should have been clearer: I'm packaging Pootle on Fedora.  I'm trying to avoid having to create a policy, but if that is what's needed then I can do that, but I assume there might be a better approach.

> Might have to add a boolean for this, although it would be much nicer if
> memcache and poodle could communicate over unix domain sockets.

I took a look at that using sockets.  The unfortunate thing is that memcached runs either over TCP or sockets, not both.  I've documented it as an option, but I can't use it by default.

> chcon -R -t httpd_sys_rw_content_t /var/lib/pootle/po
> 
> Will fix your other problem.
> 
> I will add this as default labeling.

Thank you.

Comment 9 Fedora Update System 2010-09-10 16:49:23 UTC
selinux-policy-3.9.3-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-4.fc14

Comment 10 Fedora Update System 2010-09-11 02:17:16 UTC
selinux-policy-3.9.3-4.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.3-4.fc14

Comment 11 Fedora Update System 2010-09-23 12:41:06 UTC
selinux-policy-3.9.3-4.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
