Description of problem:
MM 1.3.x or 1.4.x (development) throws an SELinux denial when the apache wsgi process mirrorlist_client.wsgi tries to open the mirrorlist_server.py socket /var/run/mirrormanager/mirrorlist_server.sock.

Version-Release number of selected component (if applicable):
MM 1.3.8 or 1.4 branch in git

How reproducible:
easy

Steps to Reproduce:
1. install mirrormanager
2. start apache
3. connect to http://localhost/mirrorlist?repo=fedora-14&arch=i386

Actual results:
apache returns error 500 to user. SELinux denial has prevented the apache wsgi process from connecting to the socket to get the mirrorlist.

Expected results:
success

Additional info:
Dan, I need help understanding the best way to implement this in mirrormanager upstream, please.
Here are the actual AVCs. In addition to the opening of and writing to mirrorlist_server.sock, the main mirrormanager.wsgi web UI application running under apache needs to be able to connect to its database (in this case, postgresql, but could be mysql or other).

type=AVC msg=audit(1303925847.010:89): avc: denied { name_connect } for pid=10743 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1303925847.010:89): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f010d981250 a2=10 a3=7f01147cca94 items=0 ppid=10717 pid=10743 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=MAC_CONFIG_CHANGE msg=audit(1303925958.442:90): bool=httpd_can_network_connect_db val=1 old_val=0 auid=500 ses=1
type=AVC msg=audit(1303944152.031:235): avc: denied { write } for pid=16215 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944152.031:235): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f99291d22e0 a2=2f a3=1 items=0 ppid=16188 pid=16215 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944154.063:236): avc: denied { write } for pid=16319 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944154.063:236): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7f991e9bd2e0 a2=2f a3=0 items=0 ppid=16188 pid=16319 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944171.381:237): avc: denied { write } for pid=16289 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1303944171.381:237): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f99269cd2e0 a2=2f a3=1 items=0 ppid=16188 pid=16289 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944571.587:239): avc: denied { connectto } for pid=16232 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1303944571.587:239): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f99299d32e0 a2=2f a3=1 items=0 ppid=16188 pid=16232 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944613.515:240): avc: denied { connectto } for pid=16553 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1303944613.515:240): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f25faed92e0 a2=2f a3=1 items=0 ppid=16527 pid=16553 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
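As an added example (not part of MirrorManager, the Fedora SELinux policy or this report), the script below parses AVC records like the ones quoted above, groups the denials by source domain, target type, object class and permission, and prints a hint about the kind of policy change each group points at: a port denial against httpd_t is normally handled by a boolean (for postgresql_port_t the report's fix was setsebool -P httpd_can_network_connect_db 1), a sock_file denial means the socket carries a label httpd_t may not write, and a connectto denial against unconfined_t means the server process has no confined domain httpd_t is allowed to reach. The sample records are copied from the audit output in this report; the hint wording is the example's own.

```python
"""Triage SELinux AVC denials from an audit log (added example, not project code)."""
import re
from collections import Counter

# Sample records copied from the audit output quoted in the bug report above;
# one SYSCALL record is kept to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1303925847.010:89): avc: denied { name_connect } for pid=10743 comm="httpd" dest=5432 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1303925847.010:89): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7f010d981250 a2=10 a3=7f01147cca94 items=0 ppid=10717 pid=10743 auid=500 uid=501 gid=501 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303944152.031:235): avc: denied { write } for pid=16215 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303944154.063:236): avc: denied { write } for pid=16319 comm="httpd" name="mirrorlist_server.sock" dev=dm-0 ino=822600 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303944571.587:239): avc: denied { connectto } for pid=16232 comm="httpd" path="/var/run/mirrormanager/mirrorlist_server.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

# "type=AVC msg=audit(<ts>:<serial>): avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="httpd", path="...").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or v) for k, q, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "fields": fields,
    }


def parse_audit_log(text):
    """Return the parsed AVC records from a block of audit log text, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials by (source domain, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm)] += 1
    return counts


def triage(record):
    """One-line hint about the kind of policy change a denial points at."""
    src, tgt, cls = record["source_type"], record["target_type"], record["tclass"]
    perms = " ".join(record["perms"])
    if cls == "tcp_socket" and tgt.endswith("_port_t"):
        hint = f"{src} reaching port type {tgt}: usually governed by a boolean"
        if src == "httpd_t" and tgt == "postgresql_port_t":
            hint += " (the report's fix: setsebool -P httpd_can_network_connect_db 1)"
    elif cls == "sock_file":
        hint = (f"socket file is labelled {tgt}; it needs a type {src} may {perms} "
                f"(file context rule or local policy module)")
    elif cls == "unix_stream_socket" and "connectto" in record["perms"]:
        hint = (f"peer process runs as {tgt}; {src} needs a connectto rule to it, "
                f"or the server needs its own confined domain")
    else:
        hint = f"{src} -> {tgt} ({cls}: {perms}); review with audit2allow"
    return f"#{record['serial']} {hint}"


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}x  {key[0]} -> {key[1]}  {key[2]}:{key[3]}")
    for r in recs:
        print(triage(r))
```

Feed it the output of `ausearch -m avc` (or the raw audit.log) instead of the embedded sample to triage a live system; grouping by the four-tuple is what separates "one boolean flip" from "the socket needs its own label", which the raw log does not make obvious when the same denial repeats for every httpd worker.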
First turn on the httpd_can_network_connect_db boolean.

setsebool -P httpd_can_network_connect_db 1
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping