Bug 807824 - cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
Summary: cherokee, a web server in EPEL, runs as initrc_t instead of httpd_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 832330
TreeView+ depends on / blocked
 
Reported: 2012-03-28 20:18 UTC by Russell Golden
Modified: 2014-06-17 14:07 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-144.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:32:45 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Russell Golden 2012-03-28 20:18:04 UTC 
Description of problem:

Cherokee from EPEL6 runs as initrc_t instead of httpd_t, which seems to grant it more freedoms.

I noticed this in Fedora around F15 release time, and it got fixed in Fedora, so I don't see why it didn't get fixed in RHEL.

Workaround: relabel the binaries, the /var/lib entries, and /etc/cherokee entries as httpd_<applicable>_t.
Comment 2 Miroslav Grepl 2012-03-29 07:10:21 UTC 
Yes, we have Cherokee support in Fedora. Does it work for you correctly with your workaround?
Comment 3 Milos Malik 2012-03-29 08:22:46 UTC 
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# run_init service cherokee start
Authenticating root.
Password: 
Starting cherokee:                                         [  OK  ]
# ps -efZ | grep cherokee
system_u:system_r:initrc_t:s0   root     21744     1  0 09:20 ?        00:00:00 /usr/sbin/cherokee -d -C /etc/cherokee/cherokee.conf
system_u:system_r:initrc_t:s0   cherokee 21747 21744  0 09:20 ?        00:00:00 /usr/sbin/cherokee-worker  -C /etc/cherokee/cherokee.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21769 21173  0 09:21 pts/0 00:00:00 grep cherokee
#
Comment 6 Russell Golden 2012-03-29 16:55:47 UTC 
It works fine for me with my workaround, yes.
Comment 7 Milos Malik 2012-04-06 06:45:48 UTC 
Following AVC appeared during "service cherokee restart":
----
time->Fri Apr  6 08:27:28 2012
type=SYSCALL msg=audit(1333693648.915:3671): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7fff1e327cb0 a2=ff8c36 a3=7fff1e327a30 items=0 ppid=14265 pid=14267 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=206 comm="cherokee-worker" exe="/usr/sbin/cherokee-worker" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1333693648.915:3671): avc:  denied  { setrlimit } for  pid=14267 comm="cherokee-worker" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
----
Comment 8 Miroslav Grepl 2012-04-06 06:52:04 UTC 
There should be the httpd_setrlimit boolean
Comment 9 Milos Malik 2012-04-06 06:59:54 UTC 
You're right. I forgot to enable it.
Comment 12 errata-xmlrpc 2012-06-20 12:32:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Note You need to log in before you can comment on or make changes to this bug.