You are in permissive mode; if you were in enforcing, these would show up as unlabeled_t.

system:object_r:httpd_sys_script_exec_t:s0 should be system_u:object_r:httpd_sys_script_exec_t:

I think you did a chcon system:object_r:httpd_sys_script_exec_t:s0 -R /...apps/trac/<proj>/cgi-bin/

Basically the kernel is telling you it has no idea what the user "system" is.

On 04/02/2014 09:53 AM, m.roth@xxxxxxxxx wrote:
> Daniel J Walsh wrote:
>> Mark, could you send the actual AVC?
>>
>> On 04/01/2014 02:27 PM, m.roth@xxxxxxxxx wrote:
>>> CentOS 6.5, current.
>>>
>>> ll -aZ /.../apps/trac/<proj>/cgi-bin/
>>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
>>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.cgi
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.fcgi
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.wsgi
>>>
>>> httpd_enable_cgi --> on
>>>
>>> Name : selinux-policy-targeted
>>> Version : 3.7.19
>>> Release : 231.el6
>>>
>>> From the sealert:
>>> SELinux is preventing /usr/bin/python from ioctl access on the file
>>> /public/apps/trac/PLT/cgi-bin/trac.cgi.
>>>
>>> ***** Plugin restorecon (94.8 confidence) suggests *************************
>>>
>>> If you want to fix the label.
>>> /<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be httpd_sys_script_exec_t.
>>> Then you can run restorecon.
>>> Do
>>> # /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi
>
> Ok... took me a bit to figure out which of the current AVCs resulted in
> yesterday's. I *think* it's this:
>
> type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Yes,
>   grep AVC /var/log/audit/audit.log | grep trac.cgi | grep ioc | grep -v unlabel
> returns nothing. I *may* be getting closer, because, in the raw AVCs, I
> also find:
>
> type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
> Let me say that the trac project directory has fcontexts of
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
> drwxr-xr-x. apache root system:object_r:default_t:s0 ../
> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 README
> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 VERSION
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 attachments/
> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 cgi-bin/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 conf/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 db/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 htdocs/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 log/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 plugins/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 templates/
>
> I do *not* see a db/trac.db-journal (we're in permissive mode), so I'm
> guessing it's a true temporary file - my first thought is to make
> transactions atomic, and so roll-backable. There's also no log file -
> something I've just taken care of via the apache setup.
>
> However, I'm concerned - I did set all those fcontexts using semanage, not
> chcon. *What* is this "unlabelled" in the AVC?
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
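The diagnosis above comes down to two checks an administrator can script: does every on-disk label have a user component the policy actually defines, and which AVC denials are against a target the kernel has already given up on (unlabeled_t)? The script below is an added illustration, not code from the thread or from any SELinux tool. It parses EL6-style "ls -Z" listing lines and raw audit.log AVC records. The sample input reuses the cgi-bin listing and the two AVC records quoted in the thread, plus one constructed listing line (trac.fcgi with a correct label) and one constructed denial against a properly labeled target so the contrast is visible. The set of known SELinux users is an assumption for a targeted policy; on a real host take it from "seinfo -u" or "semanage user -l".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed SELinux users for a targeted policy (hypothetical list); on a real
# host use the output of `seinfo -u` or `semanage user -l` instead.
KNOWN_SELINUX_USERS = {"system_u", "unconfined_u", "user_u", "staff_u", "sysadm_u", "root"}

# user:role:type[:level]; the MLS/MCS level (s0, s0-s0:c0.c1023, ...) is optional.
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)(?::(\S+))?$")
# key=value pairs in an audit record; values are either quoted or bare tokens.
AVC_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERM_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
# `ls -Z` on EL6 prints: mode owner group context name
LS_Z_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass
class Context:
    user: str
    role: str
    type: str
    level: Optional[str]


def parse_context(text: str) -> Context:
    m = CONTEXT_RE.match(text)
    if not m:
        raise ValueError(f"not a security context: {text!r}")
    return Context(*m.groups())


def context_problems(text: str) -> List[str]:
    """Reasons a label would not be a valid context under the loaded policy.

    The thread's case: the xattr reads system:object_r:..., the policy defines
    no SELinux user called "system", so the object is treated as unlabeled_t.
    Role/type checks use the refpolicy naming convention (*_r, *_t).
    """
    try:
        ctx = parse_context(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if ctx.user not in KNOWN_SELINUX_USERS:
        msg = f"unknown SELinux user {ctx.user!r}"
        if f"{ctx.user}_u" in KNOWN_SELINUX_USERS:
            msg += f" (did you mean {ctx.user + '_u'!r}?)"
        problems.append(msg)
    if not ctx.role.endswith("_r"):
        problems.append(f"role {ctx.role!r} does not look like a role (expected *_r)")
    if not ctx.type.endswith("_t"):
        problems.append(f"type {ctx.type!r} does not look like a type (expected *_t)")
    return problems


def bad_labels(listing_lines) -> List[Tuple[str, str, List[str]]]:
    """Scan `ls -Z` style lines; return (name, context, problems) for suspect labels."""
    out = []
    for line in listing_lines:
        m = LS_Z_RE.match(line.strip())
        if not m:
            continue
        _mode, _owner, _group, ctx, name = m.groups()
        probs = context_problems(ctx)
        if probs:
            out.append((name, ctx, probs))
    return out


def parse_avc(line: str) -> Optional[dict]:
    """Split one audit AVC record into key=value fields plus a 'perms' list."""
    if "avc:" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in AVC_KV_RE.findall(line)}
    perms = AVC_PERM_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def unlabeled_targets(avc_lines) -> List[Tuple[str, str, List[str]]]:
    """Return (tclass, object, perms) for denials whose target is unlabeled_t."""
    hits = []
    for line in avc_lines:
        rec = parse_avc(line)
        if rec is None or "tcontext" not in rec:
            continue
        if parse_context(rec["tcontext"]).type == "unlabeled_t":
            obj = rec.get("path") or rec.get("name") or "<unknown>"
            hits.append((rec.get("tclass", "?"), obj, rec["perms"]))
    return hits


# Sample input: listing and AVC records quoted from the thread; the trac.fcgi
# line and the third AVC record are constructed for contrast.
SAMPLE_LISTING = """\
drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
-rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.cgi
-rwxr-xr-x. apache root system_u:object_r:httpd_sys_script_exec_t:s0 trac.fcgi
""".splitlines()

SAMPLE_AVCS = [
    'type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" '
    'path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 '
    'scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" '
    'name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir',
    # constructed: a denial against a properly labeled file, which must not be flagged here
    'type=AVC msg=audit(1396374700.000:721400): avc: denied { write } for pid=11906 comm="trac.cgi" '
    'name="trac.db" dev=sda3 ino=10272900 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

if __name__ == "__main__":
    for name, ctx, probs in bad_labels(SAMPLE_LISTING):
        print(f"{name}: {ctx} -> {'; '.join(probs)}")
    for tclass, obj, perms in unlabeled_targets(SAMPLE_AVCS):
        print(f"unlabeled_t {tclass} {obj}: denied {' '.join(perms)}")
```

Run against the sample, the first loop reports ".", ".." and trac.cgi with "unknown SELinux user 'system' (did you mean 'system_u'?)", and the second reports only the ioctl and add_name denials, since those are the records whose tcontext type is unlabeled_t. On a live host feed it the output of "ls -Z" on the suspect tree and the AVC lines from audit.log; a label flagged by the first check is one that restorecon (or a correct chcon/semanage fcontext) needs to repair before the denials in the second list mean anything about policy.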