Description of problem:
SELinux is preventing graph.cgi from read access on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that graph.cgi should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep graph.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_collectd_script_t:s0
Target Context                unconfined_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        graph.cgi
Source Path                   graph.cgi
Port                          <Unknown>
Host                          clio
Source RPM Packages           perl-5.14.3-221.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-101.fc17.x86_64 #1 SMP Mon Feb 18 22:04:06 UTC 2013 x86_64 x86_64
Alert Count                   674
First Seen                    2013-02-26 10:03:50 CET
Last Seen                     2013-02-26 10:30:31 CET
Local ID                      ffeec111-0f09-40de-a9a8-231209ffe4fa

Raw Audit Messages
type=AVC msg=audit(1361871031.989:5701): avc: denied { read } for pid=14683 comm="graph.cgi" name="passwd" dev="dm-0" ino=41162085 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1361871031.989:5701): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb4c515b6ca a1=80000 a2=1b6 a3=238 items=0 ppid=10041 pid=14683 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=graph.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)

Hash: graph.cgi,httpd_collectd_script_t,passwd_file_t,file,read

audit2allow

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t passwd_file_t:file read;

audit2allow -R

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t passwd_file_t:file read;

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-167.fc17.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Install collectd, collectd-web.
2. Start collectd.
3. Load http://localhost/collectd/ to see some graphs.

Actual results:
Loading http://localhost/collectd/ produces a huge stream of SELinux denials.

Expected results:
No denials.

Additional info:
This is what I see in /var/log/httpd/error_log:

[Tue Feb 26 10:30:18 2013] [error] [client 192.168.178.21] (process:14291): GLib-WARNING **: getpwuid_r(): failed due to: Permission denied., referer: http://clio/collectd/bin/index.cgi?plugin=conntrack&plugin=contextswitch&plugin=cpu&plugin=cpufreq&plugin=df&plugin=disk&plugin=interface&plugin=irq&plugin=load&plugin=memory&plugin=ntpd&plugin=protocols&plugin=sensors&plugin=swap&plugin=tcpconns&plugin=thermal&plugin=uptime&plugin=users&plugin=vmem&timespan=3600&action=show_selection&ok_button=OK

It appears that graph.cgi is (indirectly) calling Perl's getpwuid, which in turn calls the C function getpwuid_r, which is what tries to read /etc/passwd.

When trying to view graphs, I get *hundreds* of duplicates of the denial reported here.
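As an added example (not part of the report or of audit2allow), a small Python parser over an audit log like the one above: it keeps only the AVC records, collapses duplicate denials into one rule per (source type, target type, class) and renders the same allow line the audit2allow output above shows, together with a count of how many records stand behind each rule, so one can see what a local module would grant before building it. The sample log is constructed from the report's AVC and SYSCALL records; the merging mirrors audit2allow's output format but is this example's own code.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC/SYSCALL pair from the report above plus a second
# AVC record as one more page load would produce (the report counted 674 alerts).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1361871031.989:5701): avc:  denied  { read } for  pid=14683 comm="graph.cgi" name="passwd" dev="dm-0" ino=41162085 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1361871031.989:5701): arch=x86_64 syscall=open success=no exit=EACCES pid=14683 uid=48 comm=graph.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)
type=AVC msg=audit(1361871032.113:5702): avc:  denied  { read } for  pid=14690 comm="graph.cgi" name="passwd" dev="dm-0" ino=41162085 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
"""

# Only AVC records carry the denial; SYSCALL records for the same event are skipped.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text):
    """Return one dict per AVC denial record in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            denials.append({
                "comm": m.group("comm"),
                "perms": m.group("perms").split(),
                # A context is user:role:type:level; policy rules name only the type.
                "source_type": m.group("scontext").split(":")[2],
                "target_type": m.group("tcontext").split(":")[2],
                "tclass": m.group("tclass"),
            })
    return denials

def to_allow_rules(denials):
    """Merge denials per (source type, target type, class) the way audit2allow does
    and return (rule text, number of audit records behind that rule) pairs."""
    merged = defaultdict(lambda: [set(), 0])
    for d in denials:
        entry = merged[(d["source_type"], d["target_type"], d["tclass"])]
        entry[0].update(d["perms"])
        entry[1] += 1
    rules = []
    for (src, tgt, cls), (perms, count) in sorted(merged.items()):
        perm_list = sorted(perms)
        # audit2allow writes a single permission bare and several inside braces.
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ %s }" % " ".join(perm_list)
        rules.append(("allow %s %s:%s %s;" % (src, tgt, cls, perm_str), count))
    return rules
```

Running it over the sample gives the single rule from the report with a count of 2; a real audit.log from the reporter's machine would give the same rule with a count in the hundreds.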
adebc37ddcad71dc5e728e1da99a532209104f25 fixes this in Rawhide.
Backported.
selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17
Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17
selinux-policy-3.10.0-169.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.