Description of problem: install lighttpd install smokeping copy smokeping_cgi to <www>/cgi-bin/smokeping.cgi browse http://www.example.com/cgi-bin/smokeping.cgi Additional info: libreport version: 2.0.18 kernel: 3.6.8-2.fc17.x86_64
Created attachment 657642 [details] File: type
Created attachment 657643 [details] File: hashmarkername
Wolfgang, could you attach AVC msgs?
I had thought the automatic reporting tool that offered to report the bug would include all the relevant info. Here is a cut and paste from sealert. SELinux is preventing /usr/bin/perl from getattr access on the directory /run/smokeping. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that perl should be allowed getattr access on the smokeping directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep perl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:smokeping_var_run_t:s0 Target Objects /run/smokeping [ dir ] Source perl Source Path /usr/bin/perl Port <Unknown> Host arbol.wsrcc.com Source RPM Packages perl-5.14.3-217.fc17.x86_64 Target RPM Packages smokeping-2.6.8-1.fc17.noarch Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name arbol.wsrcc.com Platform Linux arbol.wsrcc.com 3.6.8-2.fc17.x86_64 #1 SMP Tue Nov 27 19:35:02 UTC 2012 x86_64 x86_64 Alert Count 16 First Seen 2012-12-04 03:53:26 PST Last Seen 2012-12-04 12:20:02 PST Local ID cf424e8c-0403-42d3-9c6d-94a420638aeb Raw Audit Messages type=AVC msg=audit(1354652402.932:276): avc: denied { getattr } for pid=3388 comm="perl" path="/run/smokeping" dev="tmpfs" ino=7039 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1354652402.932:276): arch=x86_64 syscall=stat success=no exit=EACCES a0=10279e0 a1=fb6138 a2=fb6138 a3=0 items=0 ppid=1450 pid=3388 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:httpd_t:s0 key=(null) Hash: perl,httpd_t,smokeping_var_run_t,dir,getattr audit2allow #============= httpd_t ============== allow httpd_t smokeping_var_run_t:dir getattr; audit2allow -R #============= httpd_t ============== allow httpd_t smokeping_var_run_t:dir getattr;
Here is a second one. This is the sealert that corresponds to the subject line. The one above is what I see after performing the audit2allow requested in the above sealert. SELinux is preventing /usr/bin/perl from write access on the directory /var/lib/smokeping/images. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that perl should be allowed write access on the images directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep perl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:smokeping_var_lib_t:s0 Target Objects /var/lib/smokeping/images [ dir ] Source perl Source Path /usr/bin/perl Port <Unknown> Host arbol.wsrcc.com Source RPM Packages perl-5.14.3-217.fc17.x86_64 Target RPM Packages smokeping-2.6.8-1.fc17.noarch Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name arbol.wsrcc.com Platform Linux arbol.wsrcc.com 3.6.8-2.fc17.x86_64 #1 SMP Tue Nov 27 19:35:02 UTC 2012 x86_64 x86_64 Alert Count 12 First Seen 2012-12-04 08:00:24 PST Last Seen 2012-12-04 08:28:49 PST Local ID 928d6154-6cc0-451a-a862-b10340569124 Raw Audit Messages type=AVC msg=audit(1354638529.221:166): avc: denied { write } for pid=2686 comm="perl" name="images" dev="sda3" ino=786511 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1354638529.221:166): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff8fd2a150 a1=241 a2=1b6 a3=238 items=0 ppid=1450 pid=2686 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:httpd_t:s0 key=(null) Hash: perl,httpd_t,smokeping_var_lib_t,dir,write audit2allow #============= httpd_t ============== #!!!! The source type 'httpd_t' can write to a 'dir' of the following types: # squirrelmail_spool_t, krb5_host_rcache_t, dirsrvadmin_config_t, var_lock_t, tmpfs_t, tmp_t, var_t, abrt_retrace_spool_t, user_tmp_t, jetty_log_t, httpd_tmp_t, httpd_log_t, jetty_cache_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, httpd_cache_t, httpd_tmpfs_t, var_log_t, var_lib_t, var_run_t, dirsrv_var_run_t, dirsrv_var_log_t, httpd_var_lib_t, httpd_var_run_t, zarafa_var_lib_t, jetty_var_lib_t, jetty_var_run_t, systemd_passwd_var_run_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, passenger_var_run_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_man2html_ra_content_t, httpd_man2html_rw_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_zoneminder_ra_content_t, httpd_zoneminder_rw_content_t, root_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, passenger_tmp_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t allow httpd_t smokeping_var_lib_t:dir write; audit2allow -R #============= httpd_t ============== #!!!! The source type 'httpd_t' can write to a 'dir' of the following types: # squirrelmail_spool_t, krb5_host_rcache_t, dirsrvadmin_config_t, var_lock_t, tmpfs_t, tmp_t, var_t, abrt_retrace_spool_t, user_tmp_t, jetty_log_t, httpd_tmp_t, httpd_log_t, jetty_cache_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, httpd_cache_t, httpd_tmpfs_t, var_log_t, var_lib_t, var_run_t, dirsrv_var_run_t, dirsrv_var_log_t, httpd_var_lib_t, httpd_var_run_t, zarafa_var_lib_t, jetty_var_lib_t, jetty_var_run_t, systemd_passwd_var_run_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, passenger_var_run_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_man2html_ra_content_t, httpd_man2html_rw_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_zoneminder_ra_content_t, httpd_zoneminder_rw_content_t, root_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, passenger_tmp_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t allow httpd_t smokeping_var_lib_t:dir write;
What does # ls -lZ /usr/share/smokeping/cgi
[wolfgang@arbol ~]$ ls -lZ /usr/share/smokeping/cgi -rwxr-xr-x. root root system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 smokeping_cgi lrwxrwxrwx. root root system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 smokeping.fcgi -> smokeping_cgi And the actual httpd directory that the cgi executes out of: [wolfgang@arbol ~]$ ls -lZ /u/www/www.wsrcc.com/cgi-bin/ -rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 smokeping.cgi
If you execute # chcon -Rt httpd_smokeping_cgi_script_exec_t /u/www/www.wsrcc.com/cgi-bin/ does it work then?
Software error: ERROR: /etc/smokeping/config, line 29: Directory '/var/run/smokeping' does not exist For help, please send mail to this site's webmaster, giving this error message and the time and date of the error. ----------- SELinux is preventing /usr/bin/perl from getattr access on the directory /run/smokeping. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that perl should be allowed getattr access on the smokeping directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep perl /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:smokeping_var_run_t:s0 Target Objects /run/smokeping [ dir ] Source perl Source Path /usr/bin/perl Port <Unknown> Host arbol.wsrcc.com Source RPM Packages perl-5.14.3-217.fc17.x86_64 Target RPM Packages smokeping-2.6.8-1.fc17.noarch Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name arbol.wsrcc.com Platform Linux arbol.wsrcc.com 3.6.9-2.fc17.x86_64 #1 SMP Tue Dec 4 13:26:04 UTC 2012 x86_64 x86_64 Alert Count 17 First Seen 2012-12-04 03:53:26 PST Last Seen 2012-12-06 07:54:12 PST Local ID cf424e8c-0403-42d3-9c6d-94a420638aeb Raw Audit Messages type=AVC msg=audit(1354809252.694:268): avc: denied { getattr } for pid=20869 comm="perl" path="/run/smokeping" dev="tmpfs" ino=9829 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1354809252.694:268): arch=x86_64 syscall=stat success=no exit=EACCES a0=723800 a1=6b2138 a2=6b2138 a3=0 items=0 ppid=1440 pid=20869 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:httpd_t:s0 key=(null) Hash: perl,httpd_t,smokeping_var_run_t,dir,getattr audit2allow #============= httpd_t ============== allow httpd_t smokeping_var_run_t:dir getattr; audit2allow -R #============= httpd_t ============== allow httpd_t smokeping_var_run_t:dir getattr;
Could you try to do # setenforce 0 re-test it # setenforce 1 # ausearch -m avc -ts recent
[root@arbol wolfgang]# setenforce 0 [root@arbol wolfgang]# setenforce 1 [root@arbol wolfgang]# ausearch -m avc -ts recent ---- time->Thu Dec 6 08:50:02 2012 type=SYSCALL msg=audit(1354812602.654:283): arch=c000003e syscall=2 success=yes exit=4 a0=7fff0df6dd70 a1=241 a2=1b6 a3=238 items=0 ppid=1440 pid=21525 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354812602.654:283): avc: denied { write } for pid=21525 comm="perl" name="SONIC_mini.png" dev="sda3" ino=3413154 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file ---- time->Thu Dec 6 08:50:02 2012 type=SYSCALL msg=audit(1354812602.448:282): arch=c000003e syscall=4 success=yes exit=0 a0=1a69800 a1=19f8138 a2=19f8138 a3=0 items=0 ppid=1440 pid=21525 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354812602.448:282): avc: denied { getattr } for pid=21525 comm="perl" path="/run/smokeping" dev="tmpfs" ino=9829 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_run_t:s0 tclass=dir [
NB: the top avc should be ignored. It is a result of me running "smokeping --static" and this needs to have an alternate in-tree image directory. Using the distributed image directory that avc goes away. (see the 08:54:31 run with /etc/smokeping/config pointing [root@arbol wolfgang]# grep images /etc/smokeping/config imgcache = /var/lib/smokeping/images # imgcache = /u/www/www.wsrcc.com/smokeping/images imgurl = /smokeping/images [root@arbol wolfgang]# setenforce 0 [root@arbol wolfgang]# setenforce 1 [root@arbol wolfgang]# ausearch -m avc -ts recent ---- time->Thu Dec 6 08:50:02 2012 type=SYSCALL msg=audit(1354812602.654:283): arch=c000003e syscall=2 success=yes exit=4 a0=7fff0df6dd70 a1=241 a2=1b6 a3=238 items=0 ppid=1440 pid=21525 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354812602.654:283): avc: denied { write } for pid=21525 comm="perl" name="SONIC_mini.png" dev="sda3" ino=3413154 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file ---- time->Thu Dec 6 08:50:02 2012 type=SYSCALL msg=audit(1354812602.448:282): arch=c000003e syscall=4 success=yes exit=0 a0=1a69800 a1=19f8138 a2=19f8138 a3=0 items=0 ppid=1440 pid=21525 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354812602.448:282): avc: denied { getattr } for pid=21525 comm="perl" path="/run/smokeping" dev="tmpfs" ino=9829 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_run_t:s0 tclass=dir ---- time->Thu Dec 6 08:54:31 2012 type=SYSCALL msg=audit(1354812871.892:287): arch=c000003e syscall=4 success=yes exit=0 a0=21ef8a0 a1=217e138 a2=217e138 a3=0 items=0 ppid=1440 pid=21655 auid=4294967295 uid=993 gid=989 euid=993 suid=993 fsuid=993 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1354812871.892:287): avc: denied { getattr } for pid=21655 comm="perl" path="/run/smokeping" dev="tmpfs" ino=9829 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_run_t:s0 tclass=dir [root@arbol wolfgang]#
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
selinux-policy-3.10.0-171.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-171.fc17
Package selinux-policy-3.10.0-171.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-171.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-13082/selinux-policy-3.10.0-171.fc17 then log in and leave karma (feedback).
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.