Bug 951948 - SELinux is preventing /usr/sbin/httpd from 'unlink' accesses on the file sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a6c526fd19e2674e78c2e77b148...
Duplicates: 951930 951931 951939 951940 951942 951945 951946
Depends On:
Blocks:
 
Reported: 2013-04-14 16:27 UTC by Niki Guldbrand
Modified: 2013-04-20 01:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-20 01:02:48 UTC



Description Niki Guldbrand 2013-04-14 16:27:42 UTC
Description of problem:
Happens during login in the web interface of cobbler
SELinux is preventing /usr/sbin/httpd from 'unlink' accesses on the file sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed unlink access on the sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:cobbler_var_lib_t:s0
Target Objects                sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8 [ file ]
Source                        /usr/sbin/httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.4-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-87.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.6-203.fc18.x86_64 #1 SMP Tue Apr 9 19:33:01 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-04-14 18:12:02 CEST
Last Seen                     2013-04-14 18:12:02 CEST
Local ID                      05340e46-47b2-44ee-9797-e74439d8d218

Raw Audit Messages
type=AVC msg=audit(1365955922.714:397): avc:  denied  { unlink } for  pid=2385 comm="/usr/sbin/httpd" name="sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8" dev="dm-1" ino=666754 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1365955922.714:397): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7f1fe7495eb0 a1=1 a2=7f1fd45cca08 a3=20 items=0 ppid=1306 pid=2385 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: /usr/sbin/httpd,httpd_t,cobbler_var_lib_t,file,unlink

audit2allow

#============= httpd_t ==============
#!!!! This avc is allowed in the current policy

allow httpd_t cobbler_var_lib_t:file unlink;

audit2allow -R
require {
	type httpd_t;
}

#============= httpd_t ==============
cobbler_manage_lib_files(httpd_t)


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.6-203.fc18.x86_64
type:           libreport
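The report above shows the chain from a raw AVC record to the setroubleshoot "Hash:" signature and to the allow rule audit2allow proposes. As an added example (not part of the bug report, setroubleshoot or audit2allow), here is a small Python parser that reproduces those two derivations and merges a batch of audit lines into the `.te` source a local module would start from; the sample input is the AVC line quoted in this report, and the function names are my own.

```python
import re

# Constructed sample input: the raw AVC record quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1365955922.714:397): avc:  denied  { unlink } for  pid=2385 '
    'comm="/usr/sbin/httpd" name="sessionidc075d0b4ce9f36444b2ba81e2c3d695c_out_2aUHY8" '
    'dev="dm-1" ino=666754 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:cobbler_var_lib_t:s0 tclass=file')

# Only denials are of interest; SYSCALL and other record types never match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Fields of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # A context is user:role:type[:range]; allow rules name only the type.
    rec['stype'], rec['ttype'] = (rec[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return rec

def signature(rec):
    """Denial signature in the shape of setroubleshoot's 'Hash:' line."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'],
                     rec['tclass'], ' '.join(rec['perms'])])

def perm_set(perms):
    """Render a permission set the way policy source writes it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def allow_rule(stype, ttype, tclass, perms):
    return f'allow {stype} {ttype}:{tclass} {perm_set(perms)};'

def local_module(name, lines):
    """Minimal .te source for a batch of audit lines, merging repeated denials."""
    rules, class_perms = {}, {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
        class_perms.setdefault(rec['tclass'], set()).update(rec['perms'])
    out = [f'module {name} 1.0;', 'require {']
    out += [f'\ttype {t};' for t in sorted({t for k in rules for t in k[:2]})]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(class_perms.items())]
    out += ['}', ''] + [allow_rule(*k, p) for k, p in sorted(rules.items())]
    return '\n'.join(out)
```

Feeding it the report's AVC line yields the same `Hash:` value and the same `allow httpd_t cobbler_var_lib_t:file unlink;` rule that appear in the description; a rule generated this way is only as narrow as the denials you feed in, which is why the maintainers prefer an interface such as the one discussed in the comments over a one-off local module.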

Comment 1 Miroslav Grepl 2013-04-15 07:47:28 UTC
*** Bug 951946 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2013-04-15 07:47:33 UTC
*** Bug 951945 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-04-15 07:47:37 UTC
*** Bug 951942 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2013-04-15 07:47:43 UTC
*** Bug 951940 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2013-04-15 07:48:09 UTC
*** Bug 951939 has been marked as a duplicate of this bug. ***

Comment 6 Miroslav Grepl 2013-04-15 07:48:22 UTC
*** Bug 951930 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2013-04-15 07:49:36 UTC
*** Bug 951931 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2013-04-15 08:00:24 UTC
We had

apache_content_template(cobbler)

in F17 but there were issues with this policy. I am thinking of just adding

httpd_run_cobbler

and allowing it to manage these cobbler lib files.


Niki,
did you try to add a local policy to make this working?

Comment 9 Niki Guldbrand 2013-04-15 08:52:20 UTC
I have added this atm, and this part of cobbler seems to be working here now.
The commented-out lines are because I at first forgot to enable the httpd_can_network_connect_cobbler boolean.

===============================
module net.guldbrand.ipa_cobbler-web_httpd 1.0;
require {
	type httpd_t;
#	type cobbler_port_t;
	type cobbler_var_lib_t;
#	class tcp_socket name_connect;
	class dir { write read add_name remove_name };
	class file { rename write create unlink };
}

#============= httpd_t ==============
#allow httpd_t cobbler_port_t:tcp_socket name_connect;
allow httpd_t cobbler_var_lib_t:dir { write read add_name remove_name };
allow httpd_t cobbler_var_lib_t:file { rename write create unlink };
===============================

There may be errors in this, as my knowledge of SELinux is quite limited to be honest.

But all httpd has to do is serve static files from /var/lib/cobbler/, and that, as far as I can see, is something httpd always has to do for cobbler to work (that is, if I have understood cobbler correctly).

Comment 10 Niki Guldbrand 2013-04-15 08:55:52 UTC
Just a thought, why not call it httpd_serve_cobbler_files (the boolean), it seems more descriptive to me :-)

Comment 11 Niki Guldbrand 2013-04-15 09:19:28 UTC
cobblerd also needs a cache folder in /var/cache/cobblerd, and it tries to create it if it's missing.

I don't know if this line is correct, and I haven't figured out how to add it yet, whether I should just dump the line at the end of /etc/selinux/targeted/modules/active/file_contexts, or how it all fits together:

/var/cache/cobbler(/.*)?	system_u:object_r:cobbler_var_lib_t:s0

Would that line allow cobblerd to recreate the dir and all content in it that it needs?

Comment 12 Daniel Walsh 2013-04-17 22:42:59 UTC
bf7a1621089a1044e5835f1ae15a617db13fa955 fixes this in git.

Comment 13 Fedora Update System 2013-04-18 12:51:34 UTC
selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18

Comment 14 Fedora Update System 2013-04-19 04:49:08 UTC
Package selinux-policy-3.11.1-91.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2013-04-20 01:02:50 UTC
selinux-policy-3.11.1-91.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

