Bug 821286 - support man2html
support man2html
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-05-13 19:29 EDT by T.C. Hollingsworth
Modified: 2012-09-17 19:33 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-12 19:51:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
full setroubleshoot output (17.31 KB, text/plain)
2012-05-13 19:29 EDT, T.C. Hollingsworth
no flags Details

  None (edit)
Description T.C. Hollingsworth 2012-05-13 19:29:41 EDT
Created attachment 584191 [details]
full setroubleshoot output

I'm packaging man2html for Fedora (review in bug 767985) and currently have man2html's CGI scripts set to httpd_unconfined_exec_t to work around SELinux restrictions.  It would be nice to support it properly.

Here are all the AVCs I get when I run it in permissive mode:

type=AVC msg=audit(1336950060.636:253): avc:  denied  { search } for  pid=7443 comm="httpd" name="man2html" dev="dm-1" ino=800029 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_unconfined_script_exec_t:s0 tclass=dir

type=AVC msg=audit(1336948917.723:130): avc:  denied  { lock } for  pid=7709 comm="whatis" path="/var/cache/man/local/index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file

type=AVC msg=audit(1336948917.645:128): avc:  denied  { getattr } for  pid=7705 comm="manwhatis" path="/var/cache/man/index.db" dev="dm-9" ino=390280 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file

type=AVC msg=audit(1336948917.642:127): avc:  denied  { getattr } for  pid=7706 comm="manpath" path="/usr/local/share/man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir

type=AVC msg=audit(1336948905.322:123): avc:  denied  { read } for  pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir

type=AVC msg=audit(1336948905.322:123): avc:  denied  { open } for  pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir

type=AVC msg=audit(1336948897.281:117): avc:  denied  { search } for  pid=7450 comm="man2html" name="man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir


The full setroubleshoot output is attached.
Comment 1 Daniel Walsh 2012-05-15 23:19:28 EDT
If man2html looks like some kind of cgi script, we need to write policy for it.

cat man2html.te

policy_module(man2html,1.0)

apache_content_template(man2html)
permissive httpd_man2html_script_t;
miscfiles_read_man_pages(httpd_man2html_script_t)

Then add httpd_man2html_script_exec_t to man2html
Comment 2 Miroslav Grepl 2012-05-16 02:43:10 EDT
And attach AVC which you will get. You can compile/load this policy using

# make -f /usr/share/selinux/devel/Makefile man2html.pp
# semodule -i man2html.pp
Comment 3 T.C. Hollingsworth 2012-05-24 21:21:36 EDT
Thanks for working on this!

(In reply to comment #1)
> If man2html looks like some kind of cgi script, we need to write policy for
> it.

man2html itself is just a binary that outputs HTML to stdout, but it comes with three CGI scripts that provide an easy interface to it.

> cat man2html.te
> <snip policy module stuff>

No AVCs with that and these file context changes:
/usr/lib/man2html/cgi-bin/man/man(2html|sec|whatis) needs httpd_man2html_script_exec_t
/var/cache/man2html/ needs httpd_man2html_rw_content_t
Comment 4 Miroslav Grepl 2012-05-25 04:45:58 EDT
Fixed in selinux-policy-3.10.0-127.fc17
Comment 5 Fedora Update System 2012-08-29 07:51:08 EDT
selinux-policy-3.11.1-14.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-14.fc18
Comment 6 Fedora Update System 2012-08-29 14:44:17 EDT
Package selinux-policy-3.11.1-14.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-14.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-12934/selinux-policy-3.11.1-14.fc18
then log in and leave karma (feedback).
Comment 7 T.C. Hollingsworth 2012-08-31 18:01:10 EDT
(In reply to comment #4)
> Fixed in selinux-policy-3.10.0-127.fc17

I'm still getting AVCs trying to use the CGI scripts on F17.

% rpm -q selinux-policy
selinux-policy-3.10.0-146.fc17.noarch
% sudo ausearch -m avc -ts today
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.646:218): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.646:218): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.646:219): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.646:219): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.646:220): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.646:220): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.646:221): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.646:221): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:222): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:222): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:223): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:223): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:224): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:224): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:225): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:225): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:226): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:226): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=666 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.647:227): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.647:227): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.663:228): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.663:228): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.663:229): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.663:229): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.663:230): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.663:230): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.663:231): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.663:231): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.664:232): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.664:232): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.664:233): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.664:233): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.664:234): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.664:234): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
----
time->Fri Aug 31 17:02:58 2012
type=SYSCALL msg=audit(1346446978.664:235): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fffbb2c0090 a2=90800 a3=0 items=0 ppid=8763 pid=8774 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="man2html" exe="/usr/lib/man2html/cgi-bin/man/man2html" subj=system_u:system_r:httpd_man2html_script_t:s0 key=(null)
type=AVC msg=audit(1346446978.664:235): avc:  denied  { search } for  pid=8774 comm="man2html" name="man" dev="xvda1" ino=63 scontext=system_u:system_r:httpd_man2html_script_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
Comment 8 Miroslav Grepl 2012-09-11 04:52:00 EDT
Makes sense. Added.
Comment 9 Fedora Update System 2012-09-12 08:27:33 EDT
selinux-policy-3.11.1-18.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
Comment 10 Fedora Update System 2012-09-12 15:12:26 EDT
Package selinux-policy-3.11.1-18.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-18.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13554/selinux-policy-3.11.1-18.fc18
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2012-09-12 19:51:18 EDT
selinux-policy-3.11.1-18.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-09-17 19:33:54 EDT
selinux-policy-3.11.1-14.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.