915750 – SELinux is preventing graph.cgi from read access on the file /etc/passwd.

Bug 915750 - SELinux is preventing graph.cgi from read access on the file /etc/passwd.

Summary: SELinux is preventing graph.cgi from read access on the file /etc/passwd.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-02-26 12:47 UTC by Joel Uckelman
Modified:	2013-05-04 00:05 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-05-04 00:04:59 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Joel Uckelman 2013-02-26 12:47:16 UTC

Description of problem:

SELinux is preventing graph.cgi from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that graph.cgi should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep graph.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_collectd_script_t:s0
Target Context                unconfined_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        graph.cgi
Source Path                   graph.cgi
Port                          <Unknown>
Host                          clio
Source RPM Packages           perl-5.14.3-221.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-101.fc17.x86_64 #1 SMP Mon Feb 18
                              22:04:06 UTC 2013 x86_64 x86_64
Alert Count                   674
First Seen                    2013-02-26 10:03:50 CET
Last Seen                     2013-02-26 10:30:31 CET
Local ID                      ffeec111-0f09-40de-a9a8-231209ffe4fa

Raw Audit Messages
type=AVC msg=audit(1361871031.989:5701): avc:  denied  { read } for  pid=14683 comm="graph.cgi" name="passwd" dev="dm-0" ino=41162085 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1361871031.989:5701): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb4c515b6ca a1=80000 a2=1b6 a3=238 items=0 ppid=10041 pid=14683 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=graph.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)

Hash: graph.cgi,httpd_collectd_script_t,passwd_file_t,file,read

audit2allow

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t passwd_file_t:file read;

audit2allow -R

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t passwd_file_t:file read;


Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-167.fc17.noarch

How reproducible:

Always.

Steps to Reproduce:
1. Install collectd, collectd-web.
2. Start collectd.
3. Load http://localhost/collectd/ to see some graphs.
  
Actual results:

Loading http://localhost/collectd/ produces a huge stream of SELinux denials.

Expected results:

No denials.

Additional info:

This is what I see in /var/log/httpd/error_log:

[Tue Feb 26 10:30:18 2013] [error] [client 192.168.178.21] (process:14291): GLib
-WARNING **: getpwuid_r(): failed due to: Permission denied., referer: http://cl
io/collectd/bin/index.cgi?plugin=conntrack&plugin=contextswitch&plugin=cpu&plugi
n=cpufreq&plugin=df&plugin=disk&plugin=interface&plugin=irq&plugin=load&plugin=m
emory&plugin=ntpd&plugin=protocols&plugin=sensors&plugin=swap&plugin=tcpconns&pl
ugin=thermal&plugin=uptime&plugin=users&plugin=vmem&timespan=3600&action=show_se
lection&ok_button=OK

It appears that graph.cgi is (indirectly) calling Perl's getpwuid, which in turn calls the C function getpwuid_r, which is what tries to read /etc/passwd.

When trying to view graphs, I get *hundreds* of duplicates of the denial reported here.

Comment 1 Daniel Walsh 2013-02-28 15:16:51 UTC

adebc37ddcad71dc5e728e1da99a532209104f25 fixes this in Rawhide.

Comment 2 Miroslav Grepl 2013-03-04 09:39:22 UTC

Backported.

Comment 3 Fedora Update System 2013-03-05 14:33:12 UTC

selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17

Comment 4 Fedora Update System 2013-03-05 23:30:34 UTC

Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-04-04 08:32:04 UTC

selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17

Comment 6 Fedora Update System 2013-05-04 00:05:01 UTC

selinux-policy-3.10.0-169.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.