Bug 884370 - SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig.
Summary: SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directo...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:361651a1769b5ae89ce9e9bcd63...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-06 04:33 UTC by Ken Dreyer
Modified: 2015-05-08 15:28 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-26 14:27:29 UTC
Type: ---


Attachments (Terms of Use)

Description Ken Dreyer 2012-12-06 04:33:37 UTC
Description of problem:
Install Cacti from EPEL. Configure it using the default settings. The Cacti graphs do not display on the web.
SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rrdtool should be allowed setattr access on the fontconfig directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rrdtool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig [ dir ]
Source                        rrdtool
Source Path                   /usr/bin/rrdtool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rrdtool-1.4.7-7.fc18.x86_64
Target RPM Packages           fontconfig-2.10.2-1.fc19.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.0-0.rc8.git0.1.fc19.x86_64 #1
                              SMP Tue Dec 4 15:05:25 UTC 2012 x86_64 x86_64
Alert Count                   28
First Seen                    2012-12-05 23:23:27 EST
Last Seen                     2012-12-05 23:30:20 EST
Local ID                      b6b52fd7-027a-497b-a645-d6f209e8929c

Raw Audit Messages
type=AVC msg=audit(1354768220.317:814): avc:  denied  { setattr } for  pid=4920 comm="rrdtool" name="fontconfig" dev="dm-0" ino=1042493 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir


type=SYSCALL msg=audit(1354768220.317:814): arch=x86_64 syscall=chmod success=no exit=EACCES a0=211f900 a1=1ed a2=1 a3=7fffe0d7af00 items=0 ppid=4375 pid=4920 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=rrdtool exe=/usr/bin/rrdtool subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: rrdtool,httpd_t,fonts_cache_t,dir,setattr

audit2allow
audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.0-0.rc8.git0.1.fc19.x86_64
type:           libreport

Comment 1 Ken Dreyer 2012-12-06 04:36:55 UTC
Er, and when I say "Cacti from EPEL", I meant "Cacti from Rawhide". Hopefully you get the idea :)

Comment 2 Daniel Walsh 2012-12-06 20:22:00 UTC
Settattr check should happen for DAC before it happens for SELinux.  Then this AVC would not happen.  Forces us to write bad policy.

Comment 3 Fedora End Of Life 2013-04-03 19:20:34 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 4 Justin M. Forbes 2013-04-05 16:26:03 UTC
Is this still a problem with 3.9 based F19 kernels?

Comment 5 Justin M. Forbes 2013-04-23 17:28:10 UTC
This bug is being closed with INSUFFICIENT_DATA as there has not been a
response in 2 weeks.  If you are still experiencing this issue,
please reopen and attach the relevant data from the latest kernel you are
running and any data that might have been requested previously.

Comment 6 David Busby 2014-03-26 13:57:27 UTC
Affects: CentOS release 6.5 (Final)
Installed versions:

cacti-0.8.8b-3.el6.noarch
selinux-policy-3.7.19-231.el6_5.1.noarch
selinux-policy-minimum-3.7.19-231.el6_5.1.noarch
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
selinux-policy-mls-3.7.19-231.el6_5.1.noarch

SEStatus:

---
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
---

Audit.log

---
type=AVC msg=audit(1395841586.356:6315): avc:  denied  { setattr } for  pid=20032 comm="rrdtool" name="fontconfig" dev=dm-0 ino=3670514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
---

Workaround .te file (allows RRD to setattr on dir; note this does not allow DAC override).

---
module rrdtool-setattr-fontcache 1.0;

require {
	type httpd_t;
	type fonts_cache_t;
	class dir setattr;
}

#============= httpd_t ==============
allow httpd_t fonts_cache_t:dir setattr;
---

Comment 7 Josh Boyer 2014-03-26 14:27:29 UTC
Please report that to CentOS then.  Fedora bugzilla reports aren't going to get anything fixed in CentOS.

Comment 8 Dan Yocum 2015-05-08 15:28:05 UTC
I can confirm that this bug exists in RHEL6.6 with rrdtool:

type=AVC msg=audit(1431098356.232:484315): avc:  denied  { setattr } for  pid=19745 comm="rrdtool" name="fontconfig" dev=sda5 ino=263339 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir


rrdtool-1.3.8-7.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch


Please re-open this ticket.


Note You need to log in before you can comment on or make changes to this bug.