Bug 952404 - SELinux prevents access to mod_security temp files.
SELinux prevents access to mod_security temp files.
Product: Fedora
Classification: Fedora
Component: mod_security (Show other bugs)
All Unspecified
unspecified Severity medium
: ---
: ---
Assigned To: Athmane Madjoudj
Fedora Extras Quality Assurance
Depends On: 957522
  Show dependency treegraph
Reported: 2013-04-15 17:24 EDT by Mike Lilley
Modified: 2013-05-21 07:01 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-05-21 07:01:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mike Lilley 2013-04-15 17:24:03 EDT
Description of problem:
SELinux prevents access to new location /var/lib/mod_security/<file> where file is ip.dir, etc.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install mod_security-2.7.3-1 on a machine with SELinux set to enforcing, and update the mod_security.conf in /etc/httpd/conf.d
2. Restart httpd service.
3. Access web server.
Actual results:
SELinux prevents access to the temporary files whose location was changed with this release.

Expected results:
SELinux policy for mod_security should be configured to allow this access.

Additional info:
Comment 1 Athmane Madjoudj 2013-04-20 12:31:56 EDT
Hi Mike,

Can you attach the AVC message from troubleshooting gui or /var/log/audit/audit.log
Comment 2 Athmane Madjoudj 2013-04-20 12:36:57 EDT
Also can you retry after running the following command:

chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
Comment 3 Mike Lilley 2013-04-28 12:47:54 EDT
Here is the AVC (from the GUI):
Raw Audit Messages
type=AVC msg=audit(1367166517.82:2007): avc:  denied  { write } for  pid=13097 comm="httpd" name="ip.dir" dev="sdb3" ino=528654 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1367166517.82:2007): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5f12e798 a1=80042 a2=1a0 a3=1468 items=0 ppid=24489 pid=13097 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
And here is the output from the chcon:
chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
chcon: failed to change context of `ip.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `ip.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `/var/lib/mod_security' to `system_u:object_r:httpd_var_lib_t': Invalid argument
So I switched it to "chcon -R -t httpd_var_lib_t /var/lib/mod_security" which seemed to clear up the problem.

Sorry about the response delay, I was called out of town abruptly.  Please let me know if you need anything else.
Comment 4 Athmane Madjoudj 2013-04-28 14:09:32 EDT
Hi Mike,

I've filled a separate bug report[1] against selinux-policy.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=957522
Comment 5 Mike Lilley 2013-04-29 12:30:07 EDT
Thanks!  As soon as I see an update, I'll make sure and test it.
Comment 6 Mike Lilley 2013-05-11 13:22:42 EDT
Whoops - went to test the posted update, but it's only targeting Fedora 18 - I'm still on 17, so can't test it :-(

Note You need to log in before you can comment on or make changes to this bug.