Bug 807824 - cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
Depends On:
Blocks: 832330
  Show dependency treegraph
Reported: 2012-03-28 16:18 EDT by Russell Golden
Modified: 2014-06-17 10:07 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-144.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-06-20 08:32:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Russell Golden 2012-03-28 16:18:04 EDT
Description of problem:

Cherokee from EPEL6 runs as initrc_t instead of httpd_t, which seems to grant it more freedoms.

I noticed this in Fedora around F15 release time, and it got fixed in Fedora, so I don't see why it didn't get fixed in RHEL.

Workaround: relabel the binaries, the /var/lib entries, and /etc/cherokee entries as httpd_<applicable>_t.
Comment 2 Miroslav Grepl 2012-03-29 03:10:21 EDT
Yes, we have Cherokee support in Fedora. Does it work for you correctly with your workaround?
Comment 3 Milos Malik 2012-03-29 04:22:46 EDT
# rpm -qa selinux-policy\*
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# run_init service cherokee start
Authenticating root.
Starting cherokee:                                         [  OK  ]
# ps -efZ | grep cherokee
system_u:system_r:initrc_t:s0   root     21744     1  0 09:20 ?        00:00:00 /usr/sbin/cherokee -d -C /etc/cherokee/cherokee.conf
system_u:system_r:initrc_t:s0   cherokee 21747 21744  0 09:20 ?        00:00:00 /usr/sbin/cherokee-worker  -C /etc/cherokee/cherokee.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21769 21173  0 09:21 pts/0 00:00:00 grep cherokee
Comment 6 Russell Golden 2012-03-29 12:55:47 EDT
It works fine for me with my workaround, yes.
Comment 7 Milos Malik 2012-04-06 02:45:48 EDT
Following AVC appeared during "service cherokee restart":
time->Fri Apr  6 08:27:28 2012
type=SYSCALL msg=audit(1333693648.915:3671): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff1e327cb0 a2=ff8c36 a3=7fff1e327a30 items=0 ppid=14265 pid=14267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=206 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333693648.915:3671): avc:  denied  { setrlimit } for  pid=14267 comm="cherokee-worker" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
Comment 8 Miroslav Grepl 2012-04-06 02:52:04 EDT
There should be the httpd_setrlimit boolean
Comment 9 Milos Malik 2012-04-06 02:59:54 EDT
You're right. I forgot to enable it.
Comment 12 errata-xmlrpc 2012-06-20 08:32:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.