libreport version: 2.0.7
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.1.1-1.fc16.i686.PAE
reason: SELinux is preventing /usr/bin/perl from 'search' accesses on the directory lib.
time: Fr 18 Nov 2011 17:54:16 CET
description: Text file, 4435 bytes
Created attachment 534442
File: description
This bug follows on bug #752213.

I installed selinux-policy-3.10.0-56.fc16. The package collectd-web throws the following error in the Apache logfile:

    [Fri Nov 18 17:49:51 2011] [error] [client 127.0.0.1] [Fri Nov 18 17:49:51 2011] index.cgi: opendir (/var/lib/collectd/): Permission denied at ../lib/Collectd/Graph/Common.pm line 265
    [Fri Nov 18 17:49:51 2011] [error] [client 127.0.0.1] [Fri Nov 18 17:49:51 2011] index.cgi: \tCollectd::Graph::Common::get_all_hosts() called at ../lib/Collectd/Graph/Common.pm line 454
    [Fri Nov 18 17:49:51 2011] [error] [client 127.0.0.1] [Fri Nov 18 17:49:51 2011] index.cgi: \tCollectd::Graph::Common::get_host_selection() called at /usr/share/collectd/collection3/bin/index.cgi line 167
    [Fri Nov 18 17:49:51 2011] [error] [client 127.0.0.1] [Fri Nov 18 17:49:51 2011] index.cgi: \tmain::show_selector() called at /usr/share/collectd/collection3/bin/index.cgi line 221
    [Fri Nov 18 17:49:51 2011] [error] [client 127.0.0.1] [Fri Nov 18 17:49:51 2011] index.cgi: \tmain::action_list_hosts() called at /usr/share/collectd/collection3/bin/index.cgi line 64
    restorecon -R -v /var/lib

You have a labeling problem.
RPM should have installed this with the correct label. Did you remove the directory and recreate it? If yes then you need to run restorecon on it, to make sure it has the correct label. If something else removes and recreates the directory or if this happens again, please reopen this bug.
I tried

    sudo restorecon -R -v /var/lib
    sudo yum reinstall collectd-web

and then

    sudo /etc/init.d/httpd restart

but the same SELinux alert.
Fixed in selinux-policy-3.10.0-58.fc16
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16
Package selinux-policy-3.10.0-60.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16
then log in and leave karma (feedback).
I don't think it's fixed:

    SELinux is preventing /usr/bin/perl from search access on the directory lib.

    ***** Plugin catchall_labels (83.8 confidence) suggests ********************

    If you want to allow perl to have search access on the lib directory
    Then you need to change the label on lib
    Do
    # semanage fcontext -a -t FILE_TYPE 'lib'
    where FILE_TYPE is one of the following: nscd_var_run_t, public_content_t, abrt_var_run_t, httpd_collectd_script_t, home_root_t, httpd_sys_content_t, public_content_rw_t, httpd_collectd_content_t, sysctl_crypto_t, httpd_collectd_script_exec_t, setrans_var_run_t, bin_t, lib_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, device_t, usr_t, var_t, etc_t, sysctl_t, fonts_t, abrt_t, bin_t, lib_t, mnt_t, device_t, root_t, tmp_t, usr_t, var_t, etc_t, proc_t, sysfs_t, fonts_cache_t, httpd_log_t, textrel_shlib_t, rpm_script_tmp_t, security_t, httpd_script_exec_type, var_run_t, default_t, var_log_t, var_run_t, rpm_log_t, var_log_t, httpd_sys_content_t, lib_t, device_t, locale_t, usr_t, etc_t, proc_t.
    Then execute:
    restorecon -v 'lib'

    ***** Plugin catchall (17.1 confidence) suggests ***************************

    If you believe that perl should be allowed search access on the lib directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    Additional Information:
    Quellkontext              system_u:system_r:httpd_collectd_script_t:s0
    Zielkontext               system_u:object_r:var_lib_t:s0
    Zielobjekte               lib [ dir ]
    Quelle                    index.cgi
    Quellpfad                 /usr/bin/perl
    Port                      <Unbekannt>
    Host                      hel-stefan.lan
    RPM-Pakete der Quelle     perl-5.14.2-190.fc16
    RPM-Pakete des Ziels      filesystem-2.4.44-1.fc16
    Richtlinien-RPM           selinux-policy-3.10.0-60.fc16
    SELinux aktiviert         True
    Richtlinientyp            targeted
    Enforcing-Modus           Enforcing
    Rechnername               hel-stefan.lan
    Plattform                 Linux hel-stefan.lan 3.1.2-1.fc16.i686.PAE #1 SMP Tue Nov 22 08:49:46 UTC 2011 i686 i686
    Anzahl der Alarme         11
    Zuerst gesehen            Fr 18 Nov 2011 17:31:29 CET
    Zuletzt gesehen           Fr 25 Nov 2011 18:55:21 CET
    Lokale ID                 8aa0f407-43f7-46b0-9756-79fe5b9f0833

    Raw-Audit-Meldungen
    type=AVC msg=audit(1322243721.618:97): avc: denied { search } for pid=2345 comm="index.cgi" name="lib" dev=sda6 ino=786434 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

    type=SYSCALL msg=audit(1322243721.618:97): arch=i386 syscall=openat success=no exit=EACCES a0=ffffff9c a1=8d93778 a2=98800 a3=0 items=0 ppid=2333 pid=2345 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)

    Hash: index.cgi,httpd_collectd_script_t,var_lib_t,dir,search

    audit2allow

    #============= httpd_collectd_script_t ==============
    allow httpd_collectd_script_t var_lib_t:dir search;

    audit2allow -R

    #============= httpd_collectd_script_t ==============
    allow httpd_collectd_script_t var_lib_t:dir search;

apache error log:

    [Fri Nov 25 18:55:21 2011] [error] [client 127.0.0.1] [Fri Nov 25 18:55:21 2011] index.cgi: opendir (/var/lib/collectd/): Permission denied at ../lib/Collectd/Graph/Common.pm line 265
    [Fri Nov 25 18:55:21 2011] [error] [client 127.0.0.1] [Fri Nov 25 18:55:21 2011] index.cgi: \tCollectd::Graph::Common::get_all_hosts() called at ../lib/Collectd/Graph/Common.pm line 454
    [Fri Nov 25 18:55:21 2011] [error] [client 127.0.0.1] [Fri Nov 25 18:55:21 2011] index.cgi: \tCollectd::Graph::Common::get_host_selection() called at /usr/share/collectd/collection3/bin/index.cgi line 167
    [Fri Nov 25 18:55:21 2011] [error] [client 127.0.0.1] [Fri Nov 25 18:55:21 2011] index.cgi: \tmain::show_selector() called at /usr/share/collectd/collection3/bin/index.cgi line 221
    [Fri Nov 25 18:55:21 2011] [error] [client 127.0.0.1] [Fri Nov 25 18:55:21 2011] index.cgi: \tmain::action_list_hosts() called at /usr/share/collectd/collection3/bin/index.cgi line 64
Package selinux-policy-3.10.0-61.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16
then log in and leave karma (feedback).
You can allow it for now using

    # grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Fixed in selinux-policy-3.10.0-62.fc16
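The grep | audit2allow -M mypol workaround quoted in the two comments above turns every matching denial into an allow rule, so it is worth seeing what those rules are before running semodule -i. The following is an added example, not part of the bug report and not audit2allow's own code: a small Python parser that merges AVC denials into the rules a local module would carry. The first AVC record is the one quoted in the report; the second AVC record is constructed and the SYSCALL record is abbreviated.

```python
import re
from collections import defaultdict

# Record 1 is the AVC line from the report. Record 3 is a constructed denial
# added to show permission merging; the SYSCALL record is abbreviated.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1322243721.618:97): avc: denied { search } for pid=2345 comm="index.cgi" name="lib" dev=sda6 ino=786434 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1322243721.618:97): arch=i386 syscall=openat success=no exit=EACCES comm=index.cgi exe=/usr/bin/perl
type=AVC msg=audit(1322243722.101:98): avc: denied { read open } for pid=2346 comm="index.cgi" name="lib" dev=sda6 ino=786434 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]

def parse_denials(log_text, comm=None):
    """Yield (source_type, target_type, tclass, perms) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m['comm'] != comm):
            continue  # not an AVC denial, or from a different command
        yield (selinux_type(m['scon']), selinux_type(m['tcon']),
               m['tclass'], m['perms'].split())

def allow_rules(log_text, comm=None):
    """Merge denials into allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text, comm):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG, comm='index.cgi'):
        print(rule)
```

Run against the report's single AVC record alone, this yields the same rule shown in the audit2allow output above; each extra denial that matches the grep widens the module accordingly.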
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.