737635 – AVC denial when starting luci

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 737635 - AVC denial when starting luci

Summary: AVC denial when starting luci

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	740333 (view as bug list)
Depends On:
Blocks:	747120
TreeView+	depends on / blocked

Reported:	2011-09-12 18:55 UTC by Ryan McCabe
Modified:	2012-11-23 21:07 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-112.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:18:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Ryan McCabe 2011-09-12 18:55:06 UTC

Description of problem:

type=AVC msg=audit(1315853466.399:32084): avc:  denied  { create } for  pid=28757 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

When trying to create the directory /var/run/luci/sessions/container_file

Setting permissive mode allows proper startup to take place.

Version-Release number of selected component (if applicable):

luci-0.23.0-24.el6.x86_64
python-paste-1.7.4-1.el6.noarch
selinux-policy-3.7.19-110.el6.noarch
selinux-policy-targeted-3.7.19-110.el6.noarch

Comment 1 Miroslav Grepl 2011-09-12 19:11:42 UTC

If you execute

# chcon -R -t piranha_web_var_run_t /var/run/luci

does it work?

Also is this default directory?

Comment 3 Ryan McCabe 2011-09-13 15:39:35 UTC

(In reply to comment #1)
> If you execute
> 
> # chcon -R -t piranha_web_var_run_t /var/run/luci
> 
> does it work?

Yes, this fixes it.

> 
> Also is this default directory?

This is the directory where session information will always be stored. It's created when luci starts and is removed when it stops.

Comment 4 Miroslav Grepl 2011-09-15 14:27:43 UTC

What does

# rpm -qf /var/run/luci

Comment 5 Milos Malik 2011-09-15 14:39:59 UTC

I see this on my virtual machine:
# rpm -qf /var/run/luci
luci-0.23.0-24.el6.i686
#

Comment 6 Daniel Walsh 2011-09-15 15:30:19 UTC

Looks like something recreated the /var/run/luci directory with out fixing the label?

Comment 7 Ryan McCabe 2011-09-15 20:03:33 UTC

I just tried again on a clean install with a newly installed luci package, and I get the AVC when I try to connect to the server.

[root@marge ~]# ls -RZ /var/lib/luci/
/var/lib/luci/:
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 certs
drwxr-xr-x. luci luci system_u:object_r:piranha_web_data_t:s0 data
drwxr-xr-x. luci luci system_u:object_r:piranha_web_conf_t:s0 etc

/var/lib/luci/certs:
-rw-------. luci luci unconfined_u:object_r:piranha_web_data_t:s0 host.pem

/var/lib/luci/data:
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_data_t:s0 luci.db

/var/lib/luci/etc:
-rw-r--r--. luci luci system_u:object_r:piranha_web_conf_t:s0 cacert.config
-rw-r-----. luci luci unconfined_u:object_r:piranha_web_conf_t:s0 luci.ini

Comment 8 Ryan McCabe 2011-09-21 19:36:57 UTC

*** Bug 740333 has been marked as a duplicate of this bug. ***

Comment 13 Jan Pokorný [poki] 2011-10-04 20:32:33 UTC

Created attachment 526322 [details]
Patch to solve the issue on luci's side (covers also Radek's case)

Based on Radek's observation, I think this issue is solely a luci's one.
The attached patch is working well for me on RHEL 6.2, tested with both:

selinux-policy-3.7.19-109.el6.noarch
selinux-policy-3.7.19-114.el6.noarch

The fix is based on Daniel's recommendation as per comment 6
(or https://bugzilla.redhat.com/show_bug.cgi?id=740333#c2 in a parallel bug).

Inspecting the initscript and what happens "below luci", in the auxiliary
libraries, I've actually found out that cache and sessions subdirectories
of discussed /var/run/luci do not have to be created in the initscript
as they are created with the correct/desired attributes (incl. SELinux)
on demand by the framework luci uses (specifically, the Beaker library).

Comment 15 Miroslav Grepl 2011-10-05 05:28:19 UTC

Ok, it will be great to fix it on luci side.

This bug is about adding labeling from the SELinux point of view which was added.

Comment 16 Milos Malik 2011-10-05 10:14:52 UTC

Seen on 2 machines today:
----
time->Wed Oct  5 06:01:16 2011
type=SYSCALL msg=audit(1317808876.638:117044): arch=c000003e syscall=83 success=no exit=-13 a0=7f517c0ba720 a1=1e8 a2=7f519319adc8 a3=7f51836b3b50 items=0 ppid=1 pid=12844 auid=0 uid=141 gid=141 euid=141 suid=141 fsuid=141 egid=141 sgid=141 fsgid=141 tty=(none) ses=2 comm="paster" exe="/usr/bin/python" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1317808876.638:117044): avc:  denied  { create } for  pid=12844 comm="paster" name="container_file" scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----

First machine has:
selinux-policy-3.7.19-113.el6.noarch
selinux-policy-targeted-3.7.19-113.el6.noarch

Second machine has:
selinux-policy-3.7.19-114.el6.noarch
selinux-policy-targeted-3.7.19-114.el6.noarch

I will wait till the updated version of luci is released and then I will retest it again.

Comment 17 Jan Pokorný [poki] 2011-10-05 16:53:41 UTC

The patch is present as of luci-0.23.0-31.el6.

Comment 18 Milos Malik 2011-10-06 08:05:48 UTC

When luci-0.23.0-31.el6 is installed I see no AVCs. Tested on -113.el6 and -114.el6 policy.

Comment 20 errata-xmlrpc 2011-12-06 10:18:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.