Bug 729549 - Adding systemd support to mod_ssl is causing AVC denials
Summary: Adding systemd support to mod_ssl is causing AVC denials
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 707917
Reported: 2011-08-10 06:30 UTC by Jan Kaluža
Modified: 2011-09-13 10:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-13 10:09:29 UTC
Type: ---

Attachments
audit log (9.91 KB, text/plain)
2011-08-10 06:31 UTC, Jan Kaluža

Description Jan Kaluža 2011-08-10 06:30:35 UTC
Description of problem:
I've just committed support for systemd into mod_ssl (see Bug #707917). When started, httpd now executes /usr/libexec/httpd-ssl-pass-dialog if SSL certificates are encrypted to get the password.

I would like to have this behaviour added in selinux-policy in rawhide.

Actual results:
I'm attaching messages that are generated after applying this change in F15 (I don't have any rawhide machine just now. I hope it's not a problem, because I presume it should be the same in rawhide).

Comment 1 Jan Kaluža 2011-08-10 06:31:21 UTC
Created attachment 517522 [details]
audit log

Comment 2 Daniel Walsh 2011-08-11 20:32:03 UTC
Well, first off, how was /etc/localtime created? It has the wrong label on it.

restorecon /etc/localtime

When httpd starts, it executes /usr/libexec/httpd-ssl-pass-dialog?

I think we need to add policy to this application.  And should not add policy for all of httpd_t.

Comment 4 Tom Hughes 2011-08-11 23:03:49 UTC
Yes, httpd will execute that script when mod_ssl needs to prompt for a password to unlock a private key.

Traditionally httpd has simply prompted on the console for the password, but with systemd that no longer works as it won't have a terminal to prompt on.

So the default configuration has been changed so it runs that script when it needs a password, and that script runs /bin/systemd-ask-password which does the necessary magic to prompt the user for a password in an appropriate way.

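The two comments above separate the denials into a relabeling case (/etc/localtime carrying the wrong label, fixed with restorecon) and a policy case (what httpd_t and its password helper are denied while running httpd-ssl-pass-dialog and systemd-ask-password). The following triage script is an added example, not the attachment from this bug nor anything from the selinux-policy or httpd packages: it parses AVC records from an audit log, groups denials by source type, target type, class and permission, and splits the ones raised by the helper from the ones raised by httpd itself, which is the split Daniel asks for when he says the policy should cover the application rather than all of httpd_t. The audit lines are constructed, the helper names and the expected locale_t label for /etc/localtime are assumptions to verify on a real system (matchpathcon /etc/localtime), and comm values are truncated to 15 characters the way the kernel records them.

```python
import re
from collections import Counter

# Constructed sample audit lines (not the attachment from the bug); comm
# values are truncated to 15 characters the way the kernel records them.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1312957230.101:101): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1312957230.101:101): avc:  denied  { execute_no_trans } for  pid=2001 comm="httpd" path="/usr/libexec/httpd-ssl-pass-dialog" dev=dm-0 ino=13107 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1312957230.102:102): avc:  denied  { read } for  pid=2002 comm="systemd-ask-pas" name="localtime" dev=dm-0 ino=4211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1312957230.103:103): avc:  denied  { write } for  pid=2002 comm="systemd-ask-pas" name="ask-password" dev=tmpfs ino=9921 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed names of the helper binaries involved (from the bug discussion).
HELPERS = {"httpd-ssl-pass-dialog", "systemd-ask-password"}
# Assumed expected label for /etc/localtime; verify with `matchpathcon /etc/localtime`.
EXPECTED_LABELS = {"localtime": "locale_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, unquoted in KV_RE.findall(m.group("fields")):
        fields[key] = unquoted if raw.startswith('"') else raw
    # The type is the third colon-separated field of a context, even with an MLS range.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "target": fields.get("path") or fields.get("name", ""),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass", ""),
    }


def parse_audit(text):
    """Parse every AVC denial in an audit log; non-AVC records are skipped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm)] += 1
    return counts


def ran_as_helper(comm, helper_names):
    """True if the denied process was one of the helpers.

    comm is truncated to 15 bytes, so only a full-length comm is matched as a
    prefix; a shorter comm (e.g. "httpd") must match a helper name exactly.
    """
    if len(comm) >= 15:
        return any(name.startswith(comm) for name in helper_names)
    return comm in helper_names


def split_by_helper(records, helper_names):
    """Separate denials raised by the password helper from those raised by httpd itself."""
    helper, other = [], []
    for r in records:
        (helper if ran_as_helper(r["comm"], helper_names) else other).append(r)
    return helper, other


def mislabeled(records, expected):
    """Denials whose target carries a label other than the expected one.

    These are relabel cases (restorecon), not reasons to widen policy.
    """
    out = []
    for r in records:
        base = r["target"].rsplit("/", 1)[-1]
        want = expected.get(base)
        if want and want != r["target_type"]:
            out.append((base, r["target_type"], want))
    return out


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    helper, other = split_by_helper(recs, HELPERS)
    print("denials while running the helper:", len(helper), "/ raised by httpd itself:", len(other))
    for key, n in sorted(summarize(helper).items()):
        print("  helper needs:", key, "x", n)
    for name, actual, want in mislabeled(recs, EXPECTED_LABELS):
        print("  relabel, not policy:", name, actual, "->", want)
```

Denials that show up only under the helper's comm are the ones a dedicated domain for /usr/libexec/httpd-ssl-pass-dialog should carry; denials whose target is simply mislabeled drop out after restorecon and should not be turned into allow rules at all.
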
Comment 5 Jan Kaluža 2011-09-13 09:19:42 UTC
I know the fix for this is already in rawhide. Would it be possible to include it also in F16? I would like to include my mod_ssl change in F16.

Comment 6 Miroslav Grepl 2011-09-13 10:09:29 UTC
Should be there also because we have Rawhide == F16.
