Bug 670864 - httpd denied read to /etc/cobbler/power
Summary: httpd denied read to /etc/cobbler/power
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-01-19 15:07 UTC by Michael Cronenworth
Modified: 2011-01-25 20:58 UTC (History)

Fixed In Version: selinux-policy-3.9.7-25.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-25 20:58:35 UTC
Type: ---
Embargoed:



Description Michael Cronenworth 2011-01-19 15:07:04 UTC
Description of problem:

type=AVC msg=audit(1295447557.479:1884): avc:  denied  { read } for  pid=22205 comm="httpd" name="power" dev=dm-2 ino=732899 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1295447557.479:1884): arch=c000003e syscall=2 success=no exit=-13 a0=7f6eaae68420 a1=90800 a2=0 a3=206562207473756d items=0 ppid=3410 pid=22205 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

# restorecon -Rv /etc/cobbler
(produces no output)


Version-Release number of selected component (if applicable):
cobbler-2.0.10-1.fc14.noarch
selinux-policy-3.9.7-20.fc14.noarch
selinux-policy-targeted-3.9.7-20.fc14.noarch

How reproducible: Always


Steps to Reproduce:
1. Start cobblerd.
2. Attempt to log in to cobbler via web interface.
3.
  
Additional info:

I've created a custom policy to allow this read.
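
Added example, not part of the original report or of the selinux-policy project: a short Python triage of the two audit records quoted above. It derives the allow rule the AVC denial implies and decodes the open(2) flags in the SYSCALL record; the function names and the flag table (x86_64 values only) are assumptions of this example.

```python
import errno
import re

# The two records from the report; the SYSCALL record is trimmed to the fields used.
AVC = ('type=AVC msg=audit(1295447557.479:1884): avc:  denied  { read } for  '
       'pid=22205 comm="httpd" name="power" dev=dm-2 ino=732899 '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1295447557.479:1884): arch=c000003e syscall=2 '
           'success=no exit=-13 a0=7f6eaae68420 a1=90800 a2=0 comm="httpd"')

# x86_64 Linux open(2) flag bits (only the ones needed for this record).
OPEN_FLAGS = {0x800: "O_NONBLOCK", 0x10000: "O_DIRECTORY", 0x80000: "O_CLOEXEC"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def parse_avc(line):
    """Return (permissions, source type, target type, class) of an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+"
                  r"tcontext=(\S+)\s+tclass=(\S+)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type:level; the type is the third field.
    return perms.split(), scon.split(":")[2], tcon.split(":")[2], tclass

def allow_rule(line):
    """Format the denial as the type-enforcement rule that would permit it."""
    perms, src, tgt, tclass = parse_avc(line)
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{tclass} {p};"

def decode_open(line):
    """Decode flags (a1) and errno of an x86_64 open(2) SYSCALL record."""
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    if f.get("arch") != "c000003e" or f.get("syscall") != "2":
        raise ValueError("expected open(2) on x86_64")
    flags = int(f["a1"], 16)  # audit logs syscall arguments in hex
    names = [ACCMODE.get(flags & 3, "?")]
    names += [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]
    return names, errno.errorcode[-int(f["exit"])]

if __name__ == "__main__":
    print(allow_rule(AVC))
    print(decode_open(SYSCALL))
```

The decoded flags (read-only, O_DIRECTORY, O_CLOEXEC) are consistent with httpd opening /etc/cobbler/power to list its entries, and the derived rule names the one permission httpd_t lacked on cobbler_etc_t directories.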

Comment 1 Daniel Walsh 2011-01-19 15:55:39 UTC
Not sure why apache is trying to read this directory?  But I would guess this is ok.

Comment 2 Daniel Walsh 2011-01-19 16:08:05 UTC
The first two bugs look like we have marked them as fixed in policy.  We rely on the cobbler maintainers to make sure SELinux does not break when they update.  We cannot know what is going to break and try to react as fast as possible.

Comment 3 Miroslav Grepl 2011-01-19 16:22:29 UTC
We have in policy

cobbler_list_config(httpd_t)

But we have a bug in this interface.

Fixed in selinux-policy-3.9.7-23.fc14

Comment 4 Fedora Update System 2011-01-20 16:04:21 UTC
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

Comment 5 Fedora Update System 2011-01-20 19:54:44 UTC
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14

Comment 6 Fedora Update System 2011-01-25 20:57:43 UTC
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

