Bug 801746 - SELinux AVC denial executing from /tmp
SELinux AVC denial executing from /tmp
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-09 06:08 EST by Pádraig Brady
Modified: 2016-01-04 09:43 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.10.0-118.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-25 00:58:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pádraig Brady 2012-03-09 06:08:21 EST
Note the related glance issue in bug #801330
Comment 1 Cole Robinson 2012-04-15 15:47:29 EDT
I can't quite figure out where this tmp access is coming from. It happens with first access to the dashboard, but before any login takes place. It's definitely not anything obvious in dashboard or horizon, maybe one of the client libs or django itself.
Comment 2 Cole Robinson 2012-04-15 17:35:42 EDT
Moving this to selinux-policy-targetted. There are a few other AVCs:

type=AVC msg=audit(1334516651.223:186): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket

Access port 5000, keystone public port.

type=AVC msg=audit(1334517812.850:214): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=35357 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

Access port 35357, keystone admin port.

type=AVC msg=audit(1334517476.384:205): avc:  denied  { name_connect } for  pid=3303 comm="httpd" dest=9292 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hplip_port_t:s0 tclass=tcp_socket

Access port 9292, the default glance port.

type=AVC msg=audit(1334518011.512:220): avc:  denied  { name_connect } for  pid=846 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

glance connecting to 35357, the keystone admin port.

Not sure why I didn't see it pop up, but the nova port 8774 should probably also be allowed.

selinux guys: openstack-dashboard is the openstack web UI. It's a django site that by default talks to all the openstack services on localhost, and is accessed at http://localhost/dashboard.

Lemme know if any more info is needed.
Comment 3 Miroslav Grepl 2012-04-16 04:55:21 EDT
I am adding a rule for 

type=AVC msg=audit(1334518011.512:220): avc:  denied  { name_connect } for 
pid=846 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0
tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

You will need to turn on 

httpd_can_network 

boolean for other name_connect AVC msgs.

Or add a new boolean .. something like httpd_use_openstack?
Comment 4 Cole Robinson 2012-04-16 08:27:20 EDT
Hmm, it would be nice to get this working out of the box, but only way would probably be to make a new http_use_openstack boolean and 'setsebool' it either at app startup or RPM install. But that sounds pretty hacky.

Anyone else have thoughts?
Comment 5 Miroslav Grepl 2012-04-16 09:23:03 EDT
Which is a way how other projects do it.
Comment 6 Daniel Walsh 2012-04-16 09:51:55 EDT
Why did glance pick ports in the ephermeral range?


It would probably be better if the init script turned the boolean on, rather then just installing the package change httpd to be able to connect to all ports.

I think httpd_use_openstack is the boolean it should turn on.  DO NOT turn the boolean off when you shut down the service and do not turn it on permanantly.
Comment 7 Cole Robinson 2012-04-16 09:55:30 EDT
> It would probably be better if the init script turned the boolean on, rather
> then just installing the package change httpd to be able to connect to all
> ports.
> 

horizon doesn't have an init script though, it's just a wsgi app launched by httpd. So I'm not sure where to stick the setsebool.

> I think httpd_use_openstack is the boolean it should turn on.  DO NOT turn the
> boolean off when you shut down the service and do not turn it on permanantly.

That sounds good (once I know where to trigger it).
Comment 8 Miroslav Grepl 2012-04-16 09:57:36 EDT
I rather thought to turn on httpd_use_openstack boolean on install. But yes, we can leave it turned on by default.
Comment 9 Daniel Walsh 2012-04-16 11:39:10 EDT
Cole is there instruction on turning this on, for instance enabling openstack in apache?  If yes then why not just document that you need to turn on the boolean?
Comment 10 Cole Robinson 2012-04-16 13:22:45 EDT
(In reply to comment #9)
> Cole is there instruction on turning this on, for instance enabling openstack
> in apache?  If yes then why not just document that you need to turn on the
> boolean?

Our dashboard packages only work with apache, this is separate from using apache to serve the various openstack APIs. We can document it on the wiki but it just means that out of the box openstack-dashboard doesn't work. But then again, openstack takes a decent amount of other config to get working so maybe it's not so bad.

If you guys can add the http openstack boolean that would be helpful, we can just document the setsebool command.
Comment 11 Daniel Walsh 2012-04-20 10:25:52 EDT
Cole why did keystone pick a port in the ephemeral range?  Can this be changed?
Comment 12 Daniel Walsh 2012-04-20 10:27:06 EDT
Added httpd_use_openstack to selinux-policy-3.10.0-117.fc17.noarch
Comment 13 Fedora Update System 2012-04-23 02:43:28 EDT
selinux-policy-3.10.0-117.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-117.fc17
Comment 14 Fedora Update System 2012-04-23 20:56:14 EDT
selinux-policy-3.10.0-118.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-118.fc17
Comment 15 Fedora Update System 2012-04-23 23:14:49 EDT
Package selinux-policy-3.10.0-118.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-118.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6452/selinux-policy-3.10.0-118.fc17
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2012-04-25 00:58:55 EDT
selinux-policy-3.10.0-118.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.