Bug 848339 - SELinux is preventing /usr/bin/perl from 'read' accesses on the file /var/lightsquid/20120801/.features.
SELinux is preventing /usr/bin/perl from 'read' accesses on the file /var/lig...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-08-15 05:54 EDT by Deepak Mahajan
Modified: 2012-11-19 21:57 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-11-19 21:57:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
File: description (7.06 KB, text/plain)
2012-08-15 05:54 EDT, Deepak Mahajan
no flags Details
Lightsquid revisited (2 bytes, patch)
2012-09-10 06:48 EDT, Dominick Grift
no flags Details | Diff
lightsquid patch (3.65 KB, patch)
2012-09-10 06:50 EDT, Dominick Grift
no flags Details | Diff
lightsquid patch v1 (3.74 KB, patch)
2012-09-10 07:06 EDT, Dominick Grift
no flags Details | Diff

  None (edit)
Description Deepak Mahajan 2012-08-15 05:54:42 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-1.fc16.x86_64
time:           Wednesday 15 August 2012 03:23:47 PM IST

description:    Text file, 7231 bytes
Comment 1 Deepak Mahajan 2012-08-15 05:54:46 EDT
Created attachment 604566 [details]
File: description
Comment 2 Daniel Walsh 2012-08-15 08:03:17 EDT
miroslav, I have added fixes for this in squid.* for Fedora 18.
Comment 3 Daniel Walsh 2012-08-15 08:08:14 EDT
lightsquid should really be using /var/lib/lightsquid or /var/cache/lightsquid, or /var/spool/lightsquid, depending on the content in the /var/lightsquid directory.
Comment 4 Miroslav Grepl 2012-08-20 04:14:51 EDT
Comment 5 Dominick Grift 2012-09-10 06:48:13 EDT
Created attachment 611395 [details]
Lightsquid revisited

I was just looking at this policy and i believe it needs to be rewritten (see my attached patch which is untested)



Some issues:

This app is basically a cron system entry that parses squid log and generates reports.

The lightsquid cgi webapp reads and displays the reports.

It is not a init daemon domain

/usr/sbin/logparser.pl can bin bin_t

/etc/cron.daily/lightsquid can be the entry point to the lightsquid domain

httpd_t doesnt have to read /var/lightsquid if you create a apache content template (lightsquid)

/var/lightsquid is not defined/labeled
Comment 6 Dominick Grift 2012-09-10 06:50:36 EDT
Created attachment 611396 [details]
lightsquid patch

something went wrong. see attached patch
Comment 7 Dominick Grift 2012-09-10 07:06:23 EDT
Created attachment 611400 [details]
lightsquid patch v1

Prveious patch had a small issue
Comment 8 Miroslav Grepl 2012-09-11 01:48:25 EDT
We treat it with the squid policy.

do you think a new policy is really needed?
Comment 9 Daniel Walsh 2012-09-18 12:08:59 EDT
I don't think we should add a new domain for this.  We have too many domains as it is.
Comment 10 Fedora Update System 2012-11-13 13:29:32 EST
selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16.
Comment 11 Fedora Update System 2012-11-14 21:42:36 EST
Package selinux-policy-3.10.0-96.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2012-11-19 21:57:43 EST
selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.