On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
> I am not sure what to make of this, so how can I fix it:
>
> ===================================
> Summary:
>
> SELinux is preventing /usr/bin/uptime from using potentially mislabeled
> files /var/run/utmp.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux has denied the uptime access to potentially mislabeled files
> /var/run/utmp. This means that SELinux will not allow httpd to use these
> files. If httpd should be allowed this access to these files you should
> change the file context to one of the following types, abrt_helper_exec_t,
> httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
> httpd_nagios_htaccess_t, textrel_shlib_t, rpm_script_tmp_t, samba_var_t,
> ld_so_t, net_conf_t, public_content_t, sysctl_kernel_t, httpd_modules_t,
> rpm_tmp_t, httpd_suexec_exec_t, application_exec_type,
> httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
> httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t,
> mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t,
> ld_so_cache_t, httpd_t, fail2ban_var_lib_t, lib_t, httpd_awstats_htaccess_t,
> httpd_user_htaccess_t, usr_t, chroot_exec_t, httpd_rotatelogs_exec_t,
> public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
> nagios_etc_t, nagios_log_t, sssd_public_t, mailman_data_t, httpd_keytab_t,
> httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t,
> httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t,
> cluster_conf_t, httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t,
> httpd_lock_t, httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content, proc_t,
> src_t, sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile, udev_tbl_t,
> abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_nagios_content_t,
> httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
> httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
> httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
> httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_t,
> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t,
> httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
> httpd_prewikka_content_rw_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
> httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
> httpd_user_content_rw_t, httpd_git_script_exec_t, httpd_cobbler_content_ra_t,
> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
> httpd_munin_content_rw_t. Many third party apps install html files in
> directories that SELinux policy cannot predict. These directories have to be
> labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/utmp so that the
> httpd daemon can access it, you need to execute it using
> semanage fcontext -a -t FILE_TYPE '/var/run/utmp'.
> where FILE_TYPE is one of the following: abrt_helper_exec_t,
> httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
> httpd_nagios_htaccess_t, textrel_shlib_t, rpm_script_tmp_t, samba_var_t,
> ld_so_t, net_conf_t, public_content_t, sysctl_kernel_t, httpd_modules_t,
> rpm_tmp_t, httpd_suexec_exec_t, application_exec_type,
> httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
> httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t,
> mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t,
> ld_so_cache_t, httpd_t, fail2ban_var_lib_t, lib_t, httpd_awstats_htaccess_t,
> httpd_user_htaccess_t, usr_t, chroot_exec_t, httpd_rotatelogs_exec_t,
> public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
> nagios_etc_t, nagios_log_t, sssd_public_t, mailman_data_t, httpd_keytab_t,
> httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t,
> httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t,
> cluster_conf_t, httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t,
> httpd_lock_t, httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content, proc_t,
> src_t, sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile, udev_tbl_t,
> abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_nagios_content_t,
> httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
> httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
> httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
> httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_t,
> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t,
> httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
> httpd_prewikka_content_rw_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
> httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
> httpd_user_content_rw_t, httpd_git_script_exec_t, httpd_cobbler_content_ra_t,
> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
> httpd_munin_content_rw_t. You can look at the httpd_selinux man page for
> additional information.
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:initrc_var_run_t:s0
> Target Objects                /var/run/utmp [ file ]
> Source                        uptime
> Source Path                   /usr/bin/uptime
> Port                          <Unknown>
> Host                          host.domain.com
> Source RPM Packages           procps-3.2.8-3.fc12
> Target RPM Packages           initscripts-9.02.1-1
> Policy RPM                    selinux-policy-3.6.32-103.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Plugin Name                   httpd_bad_labels
> Host Name                     host.domain.com
> Platform                      Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP
>                               Wed Mar 3 05:14:32 UTC 2010 i686 i686
> Alert Count                   2
> First Seen                    Sun 28 Mar 2010 12:04:45 PM PDT
> Last Seen                     Sun 28 Mar 2010 12:09:52 PM PDT
> Local ID                      5f9c855c-31e3-42c9-83fd-9c9b6262cd00
> Line Numbers
>
> Raw Audit Messages
>
> node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680 a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

If you want to allow apache to read the utmp file, just add the allow rules.

# grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp

You might have to do this a couple of times.

Allowing this means a compromised system would be able to see the users
that have logged into a system. You can debate if this is worth preventing,
but we do not want to allow all http servers the ability to read this file.
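Added example, not part of the thread and not audit2allow itself: a small Python script that does what the `grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd` step does with the quoted AVC record, turning denials into the .te source of a policy module (a require block plus allow rules with merged permissions). It also shows why a bare `grep httpd_t` can pull more into the module than intended, and why the step may need repeating: the sample log is constructed, with the thread's `open` denial, an invented follow-up `read` denial on the same label, and an invented, unrelated `tcp_socket` denial from httpd_t that the grep would sweep in, so the module can be narrowed to the one object type under discussion (initrc_var_run_t). Compiling and loading the module still needs the real toolchain (checkmodule, semodule_package or the audit2allow makefile, then semodule -i), which this script does not run.

```python
"""Turn raw AVC denial records into SELinux policy-module source (.te),
in the shape `audit2allow -M myhttpd` produces for the thread's denial.

Added example; it is not audit2allow and not code from the thread.  The
audit log below is constructed: the first AVC record is the denial quoted
in the thread, the others are invented to show merging and filtering.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture beyond the first AVC record).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1269803392.422:30): avc:  denied  { open } for  pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 pid=4900 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1269803400.100:31): avc:  denied  { read } for  pid=4901 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1269803500.500:40): avc:  denied  { name_connect } for  pid=2613 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# One AVC record: permissions in braces, then the two security contexts and
# the object class.  A context is user:role:type[:level]; the type is field 2.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"\bscontext=(?P<sctx>\S+).*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\S+)"
)


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no AVC data
        stype = m.group("sctx").split(":")[2]
        ttype = m.group("tctx").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def collect_rules(log_text, source_type=None, target_type=None):
    """Merge denials into {(source_type, target_type, tclass): perms}.

    source_type alone is what `grep httpd_t` gives you: every httpd_t denial
    in the log, related to the problem at hand or not.  Adding target_type
    keeps the module down to the one object type under discussion.
    """
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        if source_type and stype != source_type:
            continue
        if target_type and ttype != target_type:
            continue
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_te_module(name, rules):
    """Render .te source: a require block for every type and class used,
    then one allow rule per (source, target, class) with merged permissions."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # What the thread's grep would feed audit2allow: every httpd_t denial.
    print(render_te_module("myhttpd_broad", collect_rules(SAMPLE_AUDIT_LOG, "httpd_t")))
    # Narrowed to the utmp label only: the single rule the thread is about.
    print(render_te_module("myhttpd", collect_rules(SAMPLE_AUDIT_LOG, "httpd_t", "initrc_var_run_t")))
```

Run it and compare the two modules: the broad one also grants httpd_t a name_connect on mysqld_port_t, which has nothing to do with uptime reading utmp, while the narrow one contains only `allow httpd_t initrc_var_run_t:file { open read };`. Either way the rule grants exactly the permissions that were logged, which is why the reply says the loop may need a second pass once the next denial appears, and either way it is the trade-off the reply describes: anything running as httpd_t, including a compromised CGI, can then read who is logged in.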