Daniel J Walsh wrote:
> Mark could you send the actual AVC?
>
> On 04/01/2014 02:27 PM, m.roth@xxxxxxxxx wrote:
>> CentOS 6.5, current.
>>
>> ll -aZ /.../apps/trac/<proj>/cgi-bin/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.cgi
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.fcgi
>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.wsgi
>>
>> httpd_enable_cgi --> on
>>
>> Name : selinux-policy-targeted
>> Version : 3.7.19
>> Release : 231.el6
>>
>> From the sealert:
>> SELinux is preventing /usr/bin/python from ioctl access on the file
>> /public/apps/trac/PLT/cgi-bin/trac.cgi.
>>
>> ***** Plugin restorecon (94.8 confidence) suggests *************************
>>
>> If you want to fix the label.
>> /<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be httpd_sys_script_exec_t.
>> Then you can run restorecon.
>> Do
>> # /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi

Ok... took me a bit to figure out which of the current AVCs resulted in yesterday's. I *think* it's this:

type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

Yes,
grep AVC /var/log/audit/audit.log | grep trac.cgi | grep ioc | grep -v unlabel
returns nothing.

I *may* be getting closer, because, in the raw AVCs, I also find:

type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

Let me say that the trac project directory has fcontexts of
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
drwxr-xr-x. apache root system:object_r:default_t:s0 ../
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 README
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 VERSION
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 attachments/
drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 cgi-bin/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 conf/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 db/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 htdocs/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 log/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 plugins/
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 templates/

I do *not* see a db/trac.db-journal (we're in permissive mode), so I'm guessing it's a true temporary file - my first thought is to make transactions atomic, and so roll-backable. There's also no log file - something I've just taken care of via the apache setup.

However, I'm concerned - I did set all those fcontexts using semanage, not chcon. *What* is this "unlabelled" in the AVC?

mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
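The grep pipeline in the mail narrows the audit log by hand; the script below is an added example (editor's code, not from the list thread or any SELinux tool) that does the same triage programmatically: it parses `type=AVC` records from audit.log into fields, singles out denials whose target carries `unlabeled_t` (the type the kernel reports for an inode that has no SELinux label stored on disk, which a `semanage fcontext` rule alone does not change until `restorecon` is run over the files), and emits the `restorecon -v <path>` command for every record that names a full path. The sample log is constructed: the two AVC records quoted in the mail, plus one record against a correctly labelled target and one non-AVC line, so the filter has something to reject.

```python
"""Triage SELinux AVC denials: parse audit.log records, flag unlabeled_t targets,
and build restorecon commands for the paths that can be relabelled directly."""
import re
import shlex

# Constructed sample input. Records 1 and 2 are the AVCs quoted in the mail;
# record 3 (labelled target) and the SYSCALL line are added so the filters have
# something to reject.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1396374200.000:721200): avc: denied { write } for pid=10900 comm="trac.cgi" name="trac.db" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1396374681.854:721317): arch=c000003e syscall=16 success=yes exit=0
"""

# Header of an AVC record: timestamp, serial, decision and the permission set in braces.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type[:mls] so callers can test the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            _user, _role, type_, *_mls = rec[ctx].split(":")
            rec[ctx + "_type"] = type_
    return rec


def parse_audit_log(text):
    """Parse every AVC record in an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def unlabeled_targets(records):
    """(comm, object, tclass, perms) for each denial whose target type is unlabeled_t."""
    hits = []
    for r in records:
        if r["decision"] == "denied" and r.get("tcontext_type") == "unlabeled_t":
            obj = r.get("path") or r.get("name") or "?"
            hits.append((r.get("comm"), obj, r.get("tclass"), tuple(r["perms"])))
    return hits


def suggest_relabel(records):
    """restorecon commands for unlabeled_t denials that carry a full path.

    Records that only carry name= (a directory entry, as in the add_name denial)
    do not identify the parent directory, so no command is generated for them;
    those need the parent relabelled (restorecon -R) once it has been identified.
    """
    cmds = []
    for r in records:
        if r["decision"] == "denied" and r.get("tcontext_type") == "unlabeled_t" and "path" in r:
            cmds.append("restorecon -v " + shlex.quote(r["path"]))
    return cmds


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in unlabeled_targets(recs):
        print("unlabeled target:", hit)
    for cmd in suggest_relabel(recs):
        print("suggested:", cmd)
```

Feed it the real file with `parse_audit_log(open("/var/log/audit/audit.log").read())`; on a live host the interesting output is the list of objects that still report `unlabeled_t` after the `semanage fcontext` rules were added, since those are exactly the inodes that `restorecon` has not yet touched.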