Daniel J Walsh wrote:
> You are in permissive mode, if you were in enforcing these would show up
> as unlabeled_t.
>
> system:object_r:httpd_sys_script_exec_t:s0
> should be
> system_u:object_r:httpd_sys_script_exec_t:
>
> I think you did a chcon system:object_r:httpd_sys_script_exec_t:s0 -R
> /...apps/trac/<proj>/cgi-bin/
>
> Basically the kernel is telling you it has no idea what the user system
> is.

Looking through my (root's) history, no. I did a semanage. To be on the
positive side, in case I did a full reinstall, I did it again, and the
restorecon -v, which had no o/p. I then redid it, with a -m in place of -a,
and again the restorecon -v said nothing.

So, tail -f /var/log/messages, I went to the site, and here's more info:
it's complaining about access to ./db/trac.db. Should that be

ll -Z db
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ../
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 sqlite.26.1394654363.bak
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 trac.db

Or should the db directory and the trac.db have different contexts so that
selinux does not complain when trac wants to write to them, or create the
tempfile of db/trac.db-journal?

        mark

>
>
> On 04/02/2014 09:53 AM, m.roth@xxxxxxxxx wrote:
>> Daniel J Walsh wrote:
>>> Mark could you send the actual AVC?
>>>
>>> On 04/01/2014 02:27 PM, m.roth@xxxxxxxxx wrote:
>>>> CentOS 6.5, current.
>>>>
>>>> ll -aZ /.../apps/trac/<proj>/cgi-bin/
>>>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
>>>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
>>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.cgi
>>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.fcgi
>>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 trac.wsgi
>>>>
>>>> httpd_enable_cgi --> on
>>>>
>>>>
>>>> Name : selinux-policy-targeted
>>>> Version : 3.7.19
>>>> Release : 231.el6
>>>>
>>>> From the sealert:
>>>> SELinux is preventing /usr/bin/python from ioctl access on the file
>>>> /public/apps/trac/PLT/cgi-bin/trac.cgi.
>>>>
>>>> ***** Plugin restorecon (94.8 confidence) suggests *************************
>>>>
>>>> If you want to fix the label.
>>>> /<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be
>>>> httpd_sys_script_exec_t.
>>>> Then you can run restorecon.
>>>> Do
>>>> # /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi
>> Ok... took me a bit to figure out which of the current AVCs resulted in
>> yesterday's. I *think* it's this:
>> type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for
>> pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi"
>> dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>>
>> Yes, grep AVC /var/log/audit/audit.log | grep trac.cgi | grep ioc | grep -v unlabel
>> returns nothing. I *may* be getting closer, because, in the raw AVCs, I
>> also find:
>> type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for
>> pid=10822 comm="trac.cgi" name="trac.db-journal"
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>>
>> Let me say that the trac project directory has fcontexts of
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
>> drwxr-xr-x. apache root system:object_r:default_t:s0 ../
>> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 README
>> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 VERSION
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 attachments/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 cgi-bin/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 conf/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 db/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 htdocs/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 log/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 plugins/
>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 templates/
>>
>> I do *not* see a db/trac.db-journal (we're in permissive mode), so I'm
>> guessing it's a true temporary file - my first thought is to make
>> transactions atomic, and so roll-backable. There's also no log file -
>> something I've just taken care of via the apache setup.
>>
>> However, I'm concerned - I did set all those fcontexts using semanage,
>> not chcon. *What* is this "unlabelled" in the AVC?
>>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
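An added example, not code from the thread: a small audit.log triage that parses the two AVC records Mark quoted (plus a constructed write denial standing in for the db/trac.db complaint), reports targets whose tcontext is unlabeled_t as the restorecon case, flags write-class permissions that httpd_t is denied on read-only httpd_sys_content_t, and checks a label string for the bad user field Dan Walsh points out. KNOWN_USERS and the third sample record are assumptions.

```python
import re

# Constructed AVC records modelled on the denials quoted in the thread (ioctl
# with path=, add_name with only name=) plus a constructed write on db/trac.db.
SAMPLE_AVCS = """\
type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for pid=11906 comm="trac.cgi" path="/public/apps/trac/PLT/cgi-bin/trac.cgi" dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name } for pid=10822 comm="trac.cgi" name="trac.db-journal" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1396374900.000:721400): avc: denied { write } for pid=10822 comm="trac.cgi" name="trac.db" dev=sda3 ino=10272900 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)="?([^"\s]*)"?')
# Permissions httpd_t does not get on read-only httpd_sys_content_t.
WRITE_PERMS = {"write", "append", "create", "unlink", "add_name", "remove_name", "rename", "setattr"}
# Assumed SELinux identity list for the label check; take the real one from `seinfo -u`.
KNOWN_USERS = frozenset({"system_u", "unconfined_u", "user_u", "staff_u", "root"})

def parse_avc(line):
    """Return {'perms': [...], 'tclass': ..., 'scontext': ...} for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))  # key=value and key="quoted value"
    rec["perms"] = m.group("perms").split()
    return rec

def label_type(ctx):
    return ctx.split(":")[2]  # user:role:type[:level]

def check_context(ctx):
    """Flag a label whose user field policy cannot resolve ('system' instead of 'system_u')."""
    parts = ctx.split(":")
    if len(parts) < 3:
        return f"{ctx}: not of the form user:role:type[:level]"
    if parts[0] not in KNOWN_USERS:
        return f"{ctx}: unknown SELinux user '{parts[0]}'; the kernel treats such files as unlabeled_t"
    return None

def diagnose(rec):
    target = rec.get("path") or rec.get("name", "?")
    stype, ttype = label_type(rec["scontext"]), label_type(rec["tcontext"])
    if ttype == "unlabeled_t":
        return f"{target}: label unknown to policy; run restorecon -Rv on its directory"
    if stype == "httpd_t" and ttype == "httpd_sys_content_t" and set(rec["perms"]) & WRITE_PERMS:
        return f"{target}: httpd_sys_content_t is read-only for httpd_t; writable data needs httpd_sys_rw_content_t"
    return f"{target}: {stype} denied {' '.join(rec['perms'])} on {ttype} ({rec['tclass']})"

def diagnose_log(text):
    """Diagnose every AVC line in an audit.log excerpt, skipping non-AVC lines."""
    return [diagnose(rec) for rec in map(parse_avc, text.splitlines()) if rec]
```

Run it over `grep AVC /var/log/audit/audit.log` output instead of SAMPLE_AVCS to triage a real box; in permissive mode the same denials are logged but not enforced, which is why the journal file still appears.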