Bug 737635 - AVC denial when starting luci
Summary: AVC denial when starting luci
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
: 740333 (view as bug list)
Depends On:
Blocks: 747120
TreeView+ depends on / blocked
 
Reported: 2011-09-12 18:55 UTC by Ryan McCabe
Modified: 2012-11-23 21:07 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:18:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Ryan McCabe 2011-09-12 18:55:06 UTC
Description of problem:

type=AVC msg=audit(1315853466.399:32084): avc:  denied  { create } for  pid=28757 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

When trying to create the directory /var/run/luci/sessions/container_file

Setting permissive mode allows proper startup to take place.

Version-Release number of selected component (if applicable):

luci-0.23.0-24.el6.x86_64
python-paste-1.7.4-1.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch

Comment 1 Miroslav Grepl 2011-09-12 19:11:42 UTC
If you execute

# chcon -R -t piranha_web_var_run_t /var/run/luci

does it work?

Also is this default directory?

Comment 3 Ryan McCabe 2011-09-13 15:39:35 UTC
(In reply to comment #1)
> If you execute
> 
> # chcon -R -t piranha_web_var_run_t /var/run/luci
> 
> does it work?

Yes, this fixes it.

> 
> Also is this default directory?

This is the directory where session information will always be stored. It's created when luci starts and is removed when it stops.

Comment 4 Miroslav Grepl 2011-09-15 14:27:43 UTC
What does

# rpm -qf /var/run/luci

Comment 5 Milos Malik 2011-09-15 14:39:59 UTC
I see this on my virtual machine:
# rpm -qf /var/run/luci
luci-0.23.0-24.el6.i686
#

Comment 6 Daniel Walsh 2011-09-15 15:30:19 UTC
Looks like something recreated the /var/run/luci directory with out fixing the label?

Comment 7 Ryan McCabe 2011-09-15 20:03:33 UTC
I just tried again on a clean install with a newly installed luci package, and I get the AVC when I try to connect to the server.

[root@marge ~]# ls -RZ /var/lib/luci/
/var/lib/luci/:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini

Comment 8 Ryan McCabe 2011-09-21 19:36:57 UTC
*** Bug 740333 has been marked as a duplicate of this bug. ***

Comment 13 Jan Pokorný [poki] 2011-10-04 20:32:33 UTC
Created attachment 526322 [details]
Patch to solve the issue on luci's side (covers also Radek's case)

Based on Radek's observation, I think this issue is solely a luci's one.
The attached patch is working well for me on RHEL 6.2, tested with both:

selinux-policy-3.7.19-109.el6.noarch
selinux-policy-3.7.19-114.el6.noarch

The fix is based on Daniel's recommendation as per comment 6
(or https://bugzilla.redhat.com/show_bug.cgi?id=740333#c2 in a parallel bug).

Inspecting the initscript and what happens "below luci", in the auxiliary
libraries, I've actually found out that cache and sessions subdirectories
of discussed /var/run/luci do not have to be created in the initscript
as they are created with the correct/desired attributes (incl. SELinux)
on demand by the framework luci uses (specifically, the Beaker library).

Comment 15 Miroslav Grepl 2011-10-05 05:28:19 UTC
Ok, it will be great to fix it on luci side.

This bug is about adding labeling from the SELinux point of view which was added.

Comment 16 Milos Malik 2011-10-05 10:14:52 UTC
Seen on 2 machines today:
----
time->Wed Oct  5 06:01:16 2011
type=SYSCALL msg=audit(1317808876.638:117044): arch=c000003e syscall=83 success=no exit=-13 a0=7f517c0ba720 a1=1e8 a2=7f519319adc8 a3=7f51836b3b50 items=0 ppid=1 pid=12844 auid=0 uid=141 gid=141 euid=141 suid=141 fsuid=141 egid=141 sgid=141 fsgid=141 tty=(none) ses=2 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1317808876.638:117044): avc:  denied  { create } for  pid=12844 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----

First machine has:
selinux-policy-3.7.19-113.el6.noarch
selinux-policy-targeted-3.7.19-113.el6.noarch

Second machine has:
selinux-policy-3.7.19-114.el6.noarch
selinux-policy-targeted-3.7.19-114.el6.noarch

I will wait till the updated version of luci is released and then I will retest it again.

Comment 17 Jan Pokorný [poki] 2011-10-05 16:53:41 UTC
The patch is present as of luci-0.23.0-31.el6.

Comment 18 Milos Malik 2011-10-06 08:05:48 UTC
When luci-0.23.0-31.el6 is installed I see no AVCs. Tested on -113.el6 and -114.el6 policy.

Comment 20 errata-xmlrpc 2011-12-06 10:18:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.