Bug 952404 - SELinux prevents access to mod_security temp files.
Summary: SELinux prevents access to mod_security temp files.
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 17
Hardware: All
OS: Unspecified
Target Milestone: ---
Assignee: Othman Madjoudj
QA Contact: Fedora Extras Quality Assurance
Depends On: 957522
TreeView+ depends on / blocked
Reported: 2013-04-15 21:24 UTC by Mike Lilley
Modified: 2013-05-21 11:01 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-21 11:01:09 UTC
Type: Bug

Attachments (Terms of Use)

Description Mike Lilley 2013-04-15 21:24:03 UTC
Description of problem:
SELinux prevents access to new location /var/lib/mod_security/<file> where file is ip.dir, etc.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install mod_security-2.7.3-1 on a machine with SELinux set to enforcing, and update the mod_security.conf in /etc/httpd/conf.d
2. Restart httpd service.
3. Access web server.
Actual results:
SELinux prevents access to the temporary files whose location was changed with this release.

Expected results:
SELinux policy for mod_security should be configured to allow this access.

Additional info:

Comment 1 Othman Madjoudj 2013-04-20 16:31:56 UTC
Hi Mike,

Can you attach the AVC message from troubleshooting gui or /var/log/audit/audit.log

Comment 2 Othman Madjoudj 2013-04-20 16:36:57 UTC
Also can you retry after running the following command:

chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security

Comment 3 Mike Lilley 2013-04-28 16:47:54 UTC
Here is the AVC (from the GUI):
Raw Audit Messages
type=AVC msg=audit(1367166517.82:2007): avc:  denied  { write } for  pid=13097 comm="httpd" name="ip.dir" dev="sdb3" ino=528654 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1367166517.82:2007): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5f12e798 a1=80042 a2=1a0 a3=1468 items=0 ppid=24489 pid=13097 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
And here is the output from the chcon:
chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
chcon: failed to change context of `ip.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `ip.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `/var/lib/mod_security' to `system_u:object_r:httpd_var_lib_t': Invalid argument
So I switched it to "chcon -R -t httpd_var_lib_t /var/lib/mod_security" which seemed to clear up the problem.

Sorry about the response delay, I was called out of town abruptly.  Please let me know if you need anything else.

Comment 4 Othman Madjoudj 2013-04-28 18:09:32 UTC
Hi Mike,

I've filled a separate bug report[1] against selinux-policy.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=957522

Comment 5 Mike Lilley 2013-04-29 16:30:07 UTC
Thanks!  As soon as I see an update, I'll make sure and test it.

Comment 6 Mike Lilley 2013-05-11 17:22:42 UTC
Whoops - went to test the posted update, but it's only targeting Fedora 18 - I'm still on 17, so can't test it :-(

Note You need to log in before you can comment on or make changes to this bug.