> On 03/05/2010 02:32 PM, Daniel B. Thurman wrote:
>>> On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
>>>> Seems to me, that httpd should not be looking at /usr/share/snmp/.../.index
>>>> files? Notice that the .index file appears and for some reason httpd thinks
>>>> it should be looking at it!?!? I don't know what to make of it.
>>>>
>>>> Here is what I got from selinuxtool:
>>>> ================================================
>>>> Summary:
>>>>
>>>> SELinux is preventing /usr/sbin/httpd "write" access to
>>>> /usr/share/snmp/mibs/.index.
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index may be
>>>> mislabeled. /usr/share/snmp/mibs/.index default SELinux type is
>>>> snmpd_var_lib_t, but its current type is usr_t. Changing this file back to
>>>> the default type may fix your problem.
>>>>
>>>> File contexts can be assigned to a file in the following ways.
>>>>
>>>>   * Files created in a directory receive the file context of the parent
>>>>     directory by default.
>>>>   * The SELinux policy might override the default label inherited from the
>>>>     parent directory by specifying a process running in context A which
>>>>     creates a file in a directory labeled B will instead create the file
>>>>     with label C. An example of this would be the dhcp client running with
>>>>     the dhclient_t type and creating a file in the directory /etc. This
>>>>     file would normally receive the etc_t type due to parental inheritance
>>>>     but instead the file is labeled with the net_conf_t type because the
>>>>     SELinux policy specifies this.
>>>>   * Users can change the file context on a file using tools such as chcon,
>>>>     or restorecon.
>>>>
>>>> This file could have been mislabeled either by user error, or if a normally
>>>> confined application was run under the wrong domain.
>>>>
>>>> However, this might also indicate a bug in SELinux because the file should
>>>> not have been labeled with this type.
>>>>
>>>> If you believe this is a bug, please file a bug report against this package.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can restore the default system context to this file by executing the
>>>> restorecon command. restorecon '/usr/share/snmp/mibs/.index', if this file
>>>> is a directory, you can recursively restore using restorecon -R
>>>> '/usr/share/snmp/mibs/.index'.
>>>>
>>>> Fix Command:
>>>>
>>>> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context                system_u:system_r:httpd_t:s0
>>>> Target Context                unconfined_u:object_r:usr_t:s0
>>>> Target Objects                /usr/share/snmp/mibs/.index [ file ]
>>>> Source                        httpd
>>>> Source Path                   /usr/sbin/httpd
>>>> Port                          <Unknown>
>>>> Host                          gold.cdkkt.com
>>>> Source RPM Packages           httpd-2.2.14-1.fc12
>>>> Target RPM Packages
>>>> Policy RPM                    selinux-policy-3.6.32-89.fc12
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   restorecon
>>>> Host Name                     gold.cdkkt.com
>>>> Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
>>>>                               #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
>>>> Alert Count                   1
>>>> First Seen                    Tue 02 Mar 2010 02:35:14 PM PST
>>>> Last Seen                     Tue 02 Mar 2010 02:35:14 PM PST
>>>> Local ID                      985d0293-7cc2-401b-85b0-d8273b14364e
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:
>>>> denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8
>>>> ino=520318 scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>>>>
>>>> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991):
>>>> arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6
>>>> a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0
>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
>>>> key=(null)
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>> That file is owned by snmp.
>>>
>>> I think some snmp library is causing httpd to write there.
>>>
>>> The problem is that it is mislabeled.
>>>
>>> matchpathcon /usr/share/snmp/mibs/.index
>>> /usr/share/snmp/mibs/.index system_u:object_r:snmpd_var_lib_t:s0
>>>
>>> If you fix the label, I believe the avc will go away.
>>
>> 1) How did the label get set this way in the first place?
>> 2) Perhaps I should do:
>>    # touch /.autorelabel OR
>>    restorecon -R /
>>    And that should update the latest policies on all (mislabeled) files?
>>
>> For now, I did:
>> # chcon -u system_u -t snmpd_var_lib_t /usr/share/snmp/mibs/.index
>>
> No, just the restorecon will be fine. That file probably did not exist
> originally and some unconfined app created it with the wrong label.
> Once you run restorecon on it, the label should stay. If it becomes
> mislabeled again, please contact me.

OK, I changed .index to the old setting and ran `restorecon .index' and it
properly restored the attributes.

Thanks!
Dan
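The raw audit messages in the thread say more than the setroubleshoot summary does: the SYSCALL record paired with the AVC (same audit serial, 39991) carries the architecture, syscall number and arguments, and decoding them shows what httpd was actually trying to do to .index. The script below is an added example written for this thread; it is not code from the Fedora SELinux list or from setroubleshoot. It parses the two records quoted above (copied here as a constructed string), pairs them by serial, decodes the i386 open(2) flags and mode, maps exit=-13 to EACCES, and compares the target's type with the type matchpathcon printed in the thread. The flag, errno and syscall tables cover only what these records need, and the EXPECTED_TYPE mapping is an assumption taken from the matchpathcon output rather than queried from the policy.

```python
"""Decode the AVC/SYSCALL audit pair behind an SELinux denial.

Added example for the thread above, not code from the Fedora SELinux list
or from setroubleshoot. Input is the two raw audit records quoted in the
thread (constructed here as a string); they are paired by audit serial,
the i386 open(2) arguments are decoded, and the target type is compared
with the type matchpathcon printed in the thread. The flag/errno/syscall
tables cover only what the records need, and EXPECTED_TYPE is assumed
from the matchpathcon output rather than queried from the policy."""
import re
from collections import defaultdict

# Constructed input: the two records quoted in the thread, one per line.
SAMPLE_AUDIT = """\
node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc: denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8 ino=520318 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991): arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6 a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Assumption: AVC 'name' -> (full path, type matchpathcon reports for it),
# taken from the thread; a real tool would call matchpathcon itself.
EXPECTED_TYPE = {".index": ("/usr/share/snmp/mibs/.index", "snmpd_var_lib_t")}

# i386 open(2) flag bits (octal, as in <asm-generic/fcntl.h>; O_LARGEFILE
# is the i386 value) plus the only errno and syscall these records use.
O_FLAGS = [(0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"),
           (0o200, "O_EXCL"), (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"),
           (0o100000, "O_LARGEFILE")]
ERRNO = {-13: "EACCES"}
I386_SYSCALLS = {5: "open"}
AUDIT_ARCH_I386 = "40000003"   # EM_386 | __AUDIT_ARCH_LE

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_record(line):
    """One audit line -> dict of fields; 'serial' links AVC to SYSCALL."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(1))
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def decode_open_flags(hexflags):
    """a1 of open(2) as auditd logs it (hex, no 0x prefix) -> flag names."""
    val = int(hexflags, 16)
    names = [name for bit, name in O_FLAGS if val & bit]
    if not val & 0o3:          # neither O_WRONLY nor O_RDWR set
        names.insert(0, "O_RDONLY")
    return names


def triage(audit_text, expected=EXPECTED_TYPE):
    """Pair records by serial and summarise every denial as a dict."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]] = rec
    findings = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or avc.get("decision") != "denied":
            continue
        info = {"serial": serial, "comm": avc["comm"], "perms": avc["perms"],
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "tclass": avc["tclass"], "name": avc.get("name")}
        if sc is not None:
            nr = int(sc["syscall"])
            info["syscall"] = (I386_SYSCALLS.get(nr, str(nr))
                               if sc["arch"] == AUDIT_ARCH_I386 else str(nr))
            info["errno"] = ERRNO.get(int(sc["exit"]), sc["exit"])
            if info["syscall"] == "open":
                info["open_flags"] = decode_open_flags(sc["a1"])
                info["mode"] = oct(int(sc["a2"], 16))
        hint = expected.get(info["name"])
        if hint:
            info["path"], info["expected_type"] = hint
            info["mislabeled"] = info["target_type"] != info["expected_type"]
            if info["mislabeled"]:
                info["fix"] = f"restorecon -v '{info['path']}'"
        findings.append(info)
    return findings


if __name__ == "__main__":
    for d in triage(SAMPLE_AUDIT):
        print(f"#{d['serial']}: {d['comm']} ({d['source_type']}) denied "
              f"{' '.join(d['perms'])} on {d['tclass']} "
              f"{d.get('path', d['name'])} labelled {d['target_type']}")
        if "syscall" in d:
            print(f"  via {d['syscall']}({'|'.join(d.get('open_flags', []))},"
                  f" {d.get('mode', '')}) -> {d['errno']}")
        if d.get("mislabeled"):
            print(f"  expected {d['expected_type']}; fix: {d['fix']}")
```

On the thread's records this reports the denial as open(O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0o666) failing with EACCES, which is the net-snmp MIB index being rewritten, not read; that matches the reply that "some snmp library is causing httpd to write there" and explains why the policy expects snmpd_var_lib_t on a file under /usr/share. The restorecon suggestion is emitted only when the target type differs from the expected one, which is the same check matchpathcon plus restorecon performs for real.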