Created attachment 584191: full setroubleshoot output

I'm packaging man2html for Fedora (review in bug 767985) and currently have man2html's CGI scripts set to httpd_unconfined_exec_t to work around SELinux restrictions. It would be nice to support it properly. Here are all the AVCs I get when I run it in permissive mode:

type=AVC msg=audit(1336950060.636:253): avc: denied { search } for pid=7443 comm="httpd" name="man2html" dev="dm-1" ino=800029 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_unconfined_script_exec_t:s0 tclass=dir
type=AVC msg=audit(1336948917.723:130): avc: denied { lock } for pid=7709 comm="whatis" path="/var/cache/man/local/index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1336948917.645:128): avc: denied { getattr } for pid=7705 comm="manwhatis" path="/var/cache/man/index.db" dev="dm-9" ino=390280 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1336948917.642:127): avc: denied { getattr } for pid=7706 comm="manpath" path="/usr/local/share/man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1336948905.322:123): avc: denied { read } for pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1336948905.322:123): avc: denied { open } for pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1336948897.281:117): avc: denied { search } for pid=7450 comm="man2html" name="man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir

The full setroubleshoot output is attached.
If man2html looks like some kind of cgi script, we need to write policy for it.

cat man2html.te
policy_module(man2html,1.0)

# Declares the httpd_man2html_script_t domain plus its _script_exec_t,
# _content_t and _rw_content_t types, wired into the httpd CGI transitions
apache_content_template(man2html)

# Log AVCs for this domain without enforcing them while the policy is written
permissive httpd_man2html_script_t;

# The CGI wrappers read the man page tree and index files (man_t)
miscfiles_read_man_pages(httpd_man2html_script_t)

Then add httpd_man2html_script_exec_t to man2html
And attach the AVCs which you will get.

You can compile/load this policy using

# make -f /usr/share/selinux/devel/Makefile man2html.pp
# semodule -i man2html.pp
Thanks for working on this!

(In reply to comment #1)
> If man2html looks like some kind of cgi script, we need to write policy for
> it.

man2html itself is just a binary that outputs HTML to stdout, but it comes with three CGI scripts that provide an easy interface to it.

> cat man2html.te
> <snip policy module stuff>

No AVCs with that and these file context changes:

/usr/lib/man2html/cgi-bin/man/man(2html|sec|whatis) needs httpd_man2html_script_exec_t
/var/cache/man2html/ needs httpd_man2html_rw_content_t
Fixed in selinux-policy-3.10.0-127.fc17
selinux-policy-3.11.1-14.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-14.fc18
Package selinux-policy-3.11.1-14.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-14.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-12934/selinux-policy-3.11.1-14.fc18
then log in and leave karma (feedback).
(In reply to comment #4)
> Fixed in selinux-policy-3.10.0-127.fc17

I'm still getting AVCs trying to use the CGI scripts on F17.

% rpm -q selinux-policy
selinux-policy-3.10.0-146.fc17.noarch
% sudo ausearch -m avc -ts today
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.646:218): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.646:218): avc: denied { search } for pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:227): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:227): avc: denied { search } for pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
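An added triage helper, not from this bug or from the selinux-policy package, that collapses an ausearch dump like the ones in comment 0 and comment 5 above to its distinct denials the way audit2allow does, so a long run of near-identical records reads as one missing rule. The sample records are copied from this bug's comments (one SYSCALL line is abbreviated), and the rule strings it builds are plain allow rules keyed to the type names found in the labels:

```python
import re
from collections import Counter

# Constructed sample: AVC records copied from this bug's comments (comment 0 ran
# the CGIs as httpd_t; comment 5 ran them as httpd_man2html_script_t after the
# policy update). Only one of comment 5's many near-identical records is kept.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1336948917.723:130): avc: denied { lock } for pid=7709 comm="whatis" path="/var/cache/man/local/index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
type=AVC msg=audit(1336948905.322:123): avc: denied { read } for pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1336948905.322:123): avc: denied { open } for pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=SYSCALL msg=audit(1346446978.646:218): arch=c000003e syscall=257 success=no exit=-13 comm="man2html" subj=system_u:system_r:httpd_man2html_script_t:s0
type=AVC msg=audit(1346446978.646:218): avc: denied { search } for pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
type=AVC msg=audit(1346446978.647:227): avc: denied { search } for pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
"""

# Real audit output has two spaces around "denied"; \s+ accepts either form.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")

def type_of(context):
    # system_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)
    return context.split(":")[2]

def parse_denials(text):
    """One (source_type, target_type, tclass, perm) tuple per denied permission."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial of their own
        for perm in m.group("perms").split():
            found.append((type_of(m.group("scon")), type_of(m.group("tcon")),
                          m.group("tclass"), perm))
    return found

def summarize(text):
    """Collapse repeats into audit2allow-style rules, keyed rule -> record count."""
    merged = {}
    for (s, t, c, p), n in Counter(parse_denials(text)).items():
        perms, seen = merged.get((s, t, c), (set(), 0))
        merged[(s, t, c)] = (perms | {p}, seen + n)
    return {f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};": n
            for (s, t, c), (p, n) in merged.items()}

if __name__ == "__main__":
    for rule, n in summarize(SAMPLE_AUDIT).items():
        print(f"{n:3d}x  {rule}")
```

Feed it `ausearch -m avc` output and the count beside each rule shows how many records each missing permission generated; a rule is a hint for the policy author, not something to paste into a module unchecked.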
Makes sense. Added.
selinux-policy-3.11.1-18.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
Package selinux-policy-3.11.1-18.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-18.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-18.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.11.1-14.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.